Question How to diagnose Mail failure on StartTLS

BNSHosting.net

New Pleskian
Server operating system version
CentOS 7.0
Plesk version and microupdate number
Plesk Obsidian 18.0.48
I had a domain tested for mail security and here it says that it failed.
[attached screenshot: 1675480440419.png]

Where do I start to troubleshoot this? The mail server has Let's Encrypt SSL to 'secure the webmail' enabled.
But I don't see where I can configure STARTTLS in the Plesk GUI. Has anyone ever encountered this before?
 
1. Check as root in shell if smtps is set for postfix: grep smtps -A6 /etc/postfix/master.cf
2. Check your server's firewall if incoming for Port 25 is blocked
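The two checks above separate a closed port from a Postfix that is reachable but not offering STARTTLS. The script below is an added example (my code, not the posters' or Plesk's) that does the same from a shell: it opens a TCP connection to the MX, reads the EHLO capability list, attempts STARTTLS, and names which layer failed. The host `mail.example.test` is a placeholder; the EHLO replies embedded for the offline checks are constructed, not captured from anyone's server.

```python
"""Probe an SMTP listener for STARTTLS and name the failure mode.

Added example for this thread (not code from the posters or from Plesk).
Usage: python starttls_probe.py mail.example.test 25
"""
import smtplib
import ssl
import sys

# Constructed EHLO replies (wire format) used by the offline checks; not captured from a real server.
EHLO_WITH_STARTTLS = b"250-mail.example.test\n250-PIPELINING\n250-SIZE 10240000\n250-STARTTLS\n250 8BITMIME"
EHLO_WITHOUT_STARTTLS = b"250-mail.example.test\n250-PIPELINING\n250 8BITMIME"


def advertises_starttls(ehlo_reply: bytes) -> bool:
    """True if a multi-line EHLO reply lists the STARTTLS keyword (RFC 3207).
    Line 0 is the server greeting; each later line is '250-KEYWORD [params]'."""
    for line in ehlo_reply.splitlines()[1:]:
        body = line[4:] if line[:3].isdigit() else line  # drop the '250-' / '250 ' prefix
        words = body.strip().split()
        if words and words[0].upper() == b"STARTTLS":
            return True
    return False


def classify(result: dict) -> str:
    """Map a probe result onto the layer that needs attention."""
    if not result["connected"]:
        return "network: TCP connect failed (host firewall, provider port filter, or wrong host)"
    if not result["starttls_advertised"]:
        return "postfix: reachable, but STARTTLS not offered (smtpd_tls_security_level / master.cf)"
    if not result["tls_established"]:
        return "tls: STARTTLS offered, handshake failed (cert/key file, protocol or cipher mismatch)"
    return "ok: STARTTLS negotiated"


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect, read EHLO capabilities, then attempt STARTTLS. Certificate
    verification is disabled on purpose so that a bad chain still shows up as a
    completed handshake; verify the chain separately (openssl s_client -starttls smtp)."""
    result = {"connected": False, "starttls_advertised": False, "tls_established": False,
              "tls_version": None, "cipher": None, "error": None}
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            result["connected"] = True
            smtp.ehlo()
            result["starttls_advertised"] = smtp.has_extn("starttls")
            if result["starttls_advertised"]:
                smtp.starttls(context=ctx)
                result["tls_established"] = True
                result["tls_version"] = smtp.sock.version()
                result["cipher"] = smtp.sock.cipher()[0]
                smtp.ehlo()  # capabilities must be re-read after STARTTLS
    except (OSError, smtplib.SMTPException) as exc:  # timeouts and SSL errors are OSError subclasses
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.test"  # placeholder, not the poster's host
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    outcome = probe_starttls(target, target_port)
    print(classify(outcome))
    for key, value in outcome.items():
        print(f"  {key}: {value}")
```

Run it from a host outside the provider's network: a "network" result while a web-based port checker reports the port open means the two tests ran from different places and the filter sits between them. A "postfix" result means the firewall is fine and the answer is in main.cf or master.cf.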
 
I think you might have your settings set up weirdly, or your server's firewall is blocking ports (like gwen suggested, check your server's firewall for incoming port 25). When testing using //email/testTo: against your domain, it shows that the connection is timing out.
 
Thanks for the link: ports 25, 587 and 465 are open. We can send and receive email from our domain to gmail.com.
 
gateway error NGINX. But we were eventually able to solve this by running the Plesk Repair Kit.
Additional data:
Template_Exception: httpd: Syntax error on line 56 of /etc/httpd/conf/httpd.conf: Syntax error on line 7 of /etc/httpd/conf.modules.d/00-proxy.conf: Cannot load modules/mod_proxy_ajp.so into server: /etc/httpd/modules/mod_proxy_ajp.so: undefined symbol: ap_proxy_check_connection

file: /usr/local/psa/admin/plib/Template/Writer/Webserver/Abstract.php

line: 75
code: 0
 
Are you sure that it's open? Because when I did a test just now it still shows that the connection is timing out, telling me that it's not reachable.

Also, tbh, I don't see the point in hiding your domain name at this point, since I was able to find it doing a reverse DNS search (which is how I was able to do my tests).

In either case, make sure firewalls are configured to allow the connections through, and also, if your hosting provider has any kind of virtual firewalls, I would suggest making sure those are also set to allow the connections through.
 
Thanks for your help, Scsa20. I used an online port checker to confirm that the ports are open.
I think it may be the /etc/postfix/main.cf configuration entries at fault. I will double-check those.
[attached screenshots: 1675638843782.png, 1675638857012.png, 1675638875600.png]
 
Here are snippets of my main.cf relating to TLS:

smtpd_tls_cert_file = /etc/postfix/postfix.pem
smtpd_tls_key_file = $smtpd_tls_cert_file

tls_server_sni_maps = hash:/var/spool/postfix/plesk/certs
#smtpd_tls_security_level = may
smtpd_tls_security_level = encrypt
# smtpd_use_tls = no
smtpd_use_tls = yes

# smtp_tls_security_level = may
smtp_tls_security_level = encrypt
# smtp_use_tls = no
smtp_use_tls = yes

smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5,DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256,RSA+AES, eNULL
tls_medium_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
tls_preempt_cipherlist = yes

(I tried both smtp_tls_security_level = may and encrypt)
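The settings in that excerpt decide whether port 25 advertises STARTTLS and whether outbound mail can leave at all. The script below is an added example (my code, not the poster's or Plesk's) that parses the excerpt the way postconf reads main.cf and reports what each TLS parameter means, using the definitions in the Postfix postconf(5) documentation. The embedded sample is the excerpt from the post minus the long tls_medium_cipherlist line; run it against your own file with `postconf -n > /tmp/main.cf` and feed that text in instead.

```python
"""Audit the TLS parameters of a Postfix main.cf excerpt.

Added example for this thread (not code from the posters or from Plesk). The
messages encode what postconf(5) says about smtpd_tls_security_level,
smtp_tls_security_level and the obsolete *_use_tls parameters.
"""
import re

# The excerpt posted in this thread (tls_medium_cipherlist omitted for brevity).
MAIN_CF_SNIPPET = """\
smtpd_tls_cert_file = /etc/postfix/postfix.pem
smtpd_tls_key_file = $smtpd_tls_cert_file

tls_server_sni_maps = hash:/var/spool/postfix/plesk/certs
#smtpd_tls_security_level = may
smtpd_tls_security_level = encrypt
# smtpd_use_tls = no
smtpd_use_tls = yes

# smtp_tls_security_level = may
smtp_tls_security_level = encrypt
# smtp_use_tls = no
smtp_use_tls = yes

smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5,DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256,RSA+AES, eNULL
tls_preempt_cipherlist = yes
"""

_REF = re.compile(r"\$\{?(\w+)\}?")


def parse_main_cf(text: str) -> dict:
    """Parse 'name = value' lines the way postconf reads them: '#' lines are
    comments, indented lines continue the previous value, the last assignment
    of a name wins, and $name references are expanded afterwards."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue
        last = name.strip()
        params[last] = value.strip()
    expand = lambda v: _REF.sub(lambda m: params.get(m.group(1), m.group(0)), v)
    return {k: expand(v) for k, v in params.items()}


def audit_tls(params: dict) -> list:
    """Return (severity, parameter, message) tuples for the inbound/outbound TLS policy."""
    findings = []
    inbound = params.get("smtpd_tls_security_level", "none")
    outbound = params.get("smtp_tls_security_level", "none")
    if inbound == "encrypt":
        findings.append(("WARN", "smtpd_tls_security_level",
                         "'encrypt' in main.cf makes TLS mandatory on every smtpd listener, port 25 "
                         "included; postconf(5) says this must not be used on a public MX (RFC 3207). "
                         "Keep 'may' here and put '-o smtpd_tls_security_level=encrypt' on the "
                         "submission/smtps entries in master.cf."))
    elif inbound == "none":
        findings.append(("WARN", "smtpd_tls_security_level",
                         "TLS is not enabled on the inbound side; STARTTLS will not be advertised."))
    if outbound == "encrypt":
        findings.append(("WARN", "smtp_tls_security_level",
                         "'encrypt' defers outbound mail to every receiver that does not offer STARTTLS; "
                         "'may' (or 'dane') is the usual setting for a server delivering to arbitrary domains."))
    for old, new in (("smtpd_use_tls", "smtpd_tls_security_level"), ("smtp_use_tls", "smtp_tls_security_level")):
        if old in params and new in params:
            findings.append(("INFO", old, f"obsolete since Postfix 2.3 and overridden by {new}; safe to drop."))
    cert, key = params.get("smtpd_tls_cert_file"), params.get("smtpd_tls_key_file")
    if cert and cert == key:
        findings.append(("INFO", "smtpd_tls_key_file",
                         f"key and certificate share {cert}; that file must contain the private key and the "
                         "certificate chain, and should be readable by root only."))
    if "smtp_tls_mandatory_protocols" in params and "smtpd_tls_mandatory_protocols" not in params:
        findings.append(("INFO", "smtpd_tls_mandatory_protocols",
                         "only the outbound (smtp_) protocol list is set; the inbound listener uses the Postfix default."))
    return findings


if __name__ == "__main__":
    for severity, name, message in audit_tls(parse_main_cf(MAIN_CF_SNIPPET)):
        print(f"{severity:4} {name}: {message}")
```

The two WARN findings are the ones to act on first: with `smtpd_tls_security_level = encrypt` a client that does not speak TLS is refused on port 25, and with `smtp_tls_security_level = encrypt` outbound mail to a receiver without STARTTLS sits in the deferred queue. After changing main.cf, `postfix reload` and re-run the STARTTLS probe.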
 
Don't really think it's Postfix's settings, as long as you leave things as default.

Here are some screenshots I took of my settings within Plesk; you can see it's pretty default. The domain is my friend's domain, which works fine.

Mind you, with the host provider I'm using I had to put in a ticket to have them unblock ports 25, 465, and 587, so you might also want to make sure those are unblocked. I'm actually impressed that you're able to even email in using Gmail if my testing shows the connection is timing out, lol.

If everything is showing fine, and your hosting provider confirms that they are not blocking anything that could possibly be blocking it, I would suggest that you open a ticket with Plesk support directly. They have ways to access it with you to look through the configurations and find out why that is happening.

 

Attachments

  • friends domain setting.png
  • mail server settings.png
  • ssl settings global.png

Thanks for these. Will try it out later.
 
@BNSHosting.net

↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑
Read this and answer, please.
Here is the content of /etc/postfix/master.cf:
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: Postfix manual - master(5)).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
#submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       n       -       -       qmqpd
cleanup   unix  n       -       n       -       0       cleanup
#qmgr      unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
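In the master.cf above only the port-25 `smtp inet` entry is uncommented; the `submission` (587) and `smtps` (465) entries, which are where Plesk normally carries the `-o smtpd_tls_security_level=encrypt` and `-o smtpd_tls_wrappermode=yes` overrides, are commented out. The script below is an added example (my code, not the poster's or Plesk's) that reads a master.cf and lists which inet services Postfix will actually bind and with which TLS overrides. The embedded sample is a constructed subset of the file posted above, plus a variant with `submission` uncommented to show how a fixed entry reads.

```python
"""Show which services a Postfix master.cf actually enables.

Added example for this thread (not code from the posters or from Plesk).
The embedded sample is a constructed subset of the posted master.cf: only
the port-25 smtpd is active, submission and smtps are commented out.
"""

MASTER_CF_SNIPPET = """\
smtp      inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       n       -       1       postscreen
#submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
cleanup   unix  n       -       n       -       0       cleanup
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
"""

# Constructed variant with the submission listener uncommented, as the fix would look.
SUBMISSION_ENABLED = MASTER_CF_SNIPPET.replace(
    "#submission inet n", "submission inet n").replace(
    "#  -o syslog_name=postfix/submission", "  -o syslog_name=postfix/submission").replace(
    "#  -o smtpd_tls_security_level=encrypt", "  -o smtpd_tls_security_level=encrypt").replace(
    "#  -o smtpd_sasl_auth_enable=yes", "  -o smtpd_sasl_auth_enable=yes")

SERVICE_TYPES = ("inet", "unix", "fifo", "pass")
WELL_KNOWN_PORTS = {"smtp": 25, "submission": 587, "smtps": 465}


def parse_master_cf(text: str):
    """Return (active, disabled). active maps a service name to its type, command
    and '-o name=value' overrides; disabled lists service names whose definition
    line is commented out. A service line has 8 columns (name type private
    unpriv chroot wakeup maxproc command); indented lines belong to the entry above."""
    active, disabled, current = {}, [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#"):
            fields = raw[1:].split()
            if len(fields) >= 8 and fields[1] in SERVICE_TYPES:
                disabled.append(fields[0])
            current = None
            continue
        if raw[0] in " \t":
            opt = raw.strip()
            if current is not None and opt.startswith("-o "):
                name, _, value = opt[3:].partition("=")
                active[current]["options"][name.strip()] = value.strip()
            continue
        fields = raw.split()
        if len(fields) < 8 or fields[1] not in SERVICE_TYPES:
            continue
        current = fields[0]
        active[current] = {"type": fields[1], "command": fields[7], "options": {}}
    return active, disabled


def listeners(active: dict) -> dict:
    """inet services and their TCP port. The name is a service name, a bare
    port, or host:port; unknown names map to None."""
    ports = {}
    for name, svc in active.items():
        if svc["type"] != "inet":
            continue
        port = name.rsplit(":", 1)[-1]
        ports[name] = WELL_KNOWN_PORTS.get(port, int(port) if port.isdigit() else None)
    return ports


def report(text: str) -> list:
    """Lines describing what Postfix binds and which standard listeners stay disabled."""
    active, disabled = parse_master_cf(text)
    lines = []
    for name, port in listeners(active).items():
        opts = active[name]["options"]
        level = opts.get("smtpd_tls_security_level", "main.cf value")
        wrapper = opts.get("smtpd_tls_wrappermode", "no")
        lines.append(f"listening: {name} (port {port}) -> {active[name]['command']}, "
                     f"tls level {level}, wrappermode {wrapper}")
    for name in disabled:
        if name in WELL_KNOWN_PORTS and name not in active:
            lines.append(f"disabled: {name} (port {WELL_KNOWN_PORTS[name]}) is commented out, "
                         "so Postfix does not bind it; check 'ss -ltnp' for whatever does")
    return lines


if __name__ == "__main__":
    for line in report(MASTER_CF_SNIPPET):
        print(line)
```

With the posted file, Postfix binds port 25 only and takes its TLS level from main.cf, which is why a main.cf-wide `encrypt` hits the public MX. If an online port checker still reports 465 and 587 open, something other than this Postfix instance is answering there; `ss -ltnp` on the server shows which process.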
 