
Question How to diagnose Mail failure on StartTLS

@BNSHosting.net

It is highly recommended to reinstall Postfix completely.

I do not know whether you have tried to fiddle with the configuration or that your installation of Postfix has been messed up completely somehow.

It does not look good, when having a look at the config files that you provided - are you sure that it is everything?

Anyway, in order to keep messages and mailboxes safe and sound, follow these steps :

1 - run the command from the command line : plesk sbin autoinstaller

2 - follow the menu and select the mail hosting solution "Qmail" ....... and install it

3 - when finished, just rerun from the command line : plesk sbin autoinstaller

4 - this time, select the mail hosting solution "Postfix" ........ and install it : you should have all proper config files that are provided by default by Plesk!

I hope the above helps a bit ....


Kind regards....

PS1 Please note that if the above does not work, then there are some files left when executing step 2 ..... in this case, you should add a step between 2 and 3, being that you remove the left-over Postfix config files manually (and be careful with that, try to prevent this)

PS2 @GwenDragon ....... your solution is fine, but there probably is much more that has to be altered, so a reinstall would be preferred in this case.
 
@trialotto Yes, I guess the user has a completely broken mail server, and under these circumstances a reinstall of postfix should be the better solution.

@GwenDragon

That is quite common : a user with a problem and during investigation, a whole array of issues seems to be present ...... a never ending array of issues.

As opposed to solving each issue individually, a fresh install (of an extension or even Plesk itself) is often the best solution, even though painful ;)

In addition, Plesk uses a very particular (or even peculiar) Postfix setup that can be changed, but with a high risk of breaking the Postfix system.

When using Qmail, the setup is slightly more easy to work with in terms of manual adjustments to configuration.

Nevertheless, I really liked your straight to the point solution!

Kind regards....
 
I myself prefer when Plesk could have broken postfix (never had such issues!):
Start Plesk installer
Install QMail, will remove Postfix
Close installer
Purge postfix config in /etc/postfix/
Start Plesk Installer
Install Postfix

Configuration is easy for both if users have knowledge. But I fear some think they never need to when using Plesk. But using Plesk should never be an excuse for lack of knowledge about servers and their packages.

Plesk is nice. But I can run a server without it ;-)
 
I can tell users: learn to use shell, read server programs' manuals and understand configs. That takes more time to learn than to click in a graphical UI. But it is needed under some circumstances.
 
I can tell users: learn to use shell, read server programs' manuals and understand configs. That takes more time to learn than to click in a graphical UI. But it is needed under some circumstances.

Certainly when using Plesk .... ;)

To be honest, there is always added value in "learning" as opposed to "using" - learning something will lead to (partial or full) comprehension of what one uses.

I am not an IT guy, that might have become clear by now ......
 
So what I have done so far is to clean up all the various SSL certificates in the server.
I then mapped the correct certificates to the server for my needs.

Here are the latest results :
1675756061787.png
1675756086121.png

I am confirming that prior to re-mapping/assigning of correct certificates, this test failed ALL. At least now, we are left with this final bit of error: "TLS is not an option on this server".
 
We made a main.cf.bak before we made changes. So we merely restored the main.cf.bak to main.cf.
Then we applied the correct SSL cert. We have not yet reinstalled Postfix. We can 'play' around with this email domain so we have some leeway with 'experimentation' and learning from our mistakes.
 
So what I have done so far is to clean up all the various SSL certificates in the server.
I then mapped the correct certificates to the server for my needs.
I am confirming that prior to re-mapping/assigning of correct certificates, this test failed ALL. At least now, we are left with this final bit of error: "TLS is not an option on this server".
It should look like this:
1675769399915.png
Your server still does not advertise a lot of things, STARTTLS among them.
Before, your server required TLS but did not advertise STARTTLS capability, so there was no possibility for the client to comply, therefore you got a fail for MAIL FROM.
Now, your server does not require TLS, which makes mail insecure but possible, as the client still isn't allowed to use STARTTLS.

As to why it worked (and should still work) for gmail, I think they connect to port 465 when possible, which implicitly uses TLS so it doesn't have to upgrade an unencrypted connection and does not need STARTTLS.

It appears your main.cf.bak was not as original as you thought, maybe you overwrote it at some point when you made further changes. I'm pretty sure the smtps section @GwenDragon mentioned is still commented out.
 
Many thanks for all your replies. I will try to reinstall postfix as per your suggestions:
Start Plesk installer
Install QMail, will remove Postfix
Close installer
Purge postfix config in /etc/postfix/
Start Plesk Installer
Install Postfix

Will update what happens afterwards.
 
So doing an install of qmail then installing postfix results in error.
The main.cf file can not be found.

So we reinstalled SMTP instead. The postfix now works. It has the default main.cf.
But we still do not have TLS as an option:
1675830024364.png
 
Hi. I set debug level to 3 and the debug peer list to checktls.com.
Here are snippets of the /var/log/maillog:

Feb 8 15:34:45 mail postfix/smtpd[8012]: match_list_match: www12-azure.checktls.com: no match
Feb 8 15:34:45 mail postfix/smtpd[8012]: match_list_match: 40.76.159.115: no match
Feb 8 15:34:45 mail postfix/smtpd[8012]: > www12-azure.checktls.com[40.76.159.115]: 250-mail.megamall.ph
Feb 8 15:34:45 mail postfix/smtpd[8012]: > www12-azure.checktls.com[40.76.159.115]: 250-PIPELINING
Feb 8 15:34:45 mail postfix/smtpd[8012]: > www12-azure.checktls.com[40.76.159.115]: 250-SIZE 10240000
Feb 8 15:34:45 mail postfix/smtpd[8012]: > www12-azure.checktls.com[40.76.159.115]: 250-ETRN
Feb 8 15:34:45 mail postfix/smtpd[8012]: > www12-azure.checktls.com[40.76.159.115]: 250-STARTTLS
Feb 8 15:34:45 mail postfix/smtpd[8012]: > www12-azure.checktls.com[40.76.159.115]: 250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
Feb 8 15:34:45 mail postfix/smtpd[8012]: > www12-azure.checktls.com[40.76.159.115]: 250-ENHANCEDSTATUSCODES
Feb 8 15:34:45 mail postfix/smtpd[8012]: > www12-azure.checktls.com[40.76.159.115]: 250-8BITMIME
Feb 8 15:34:45 mail postfix/smtpd[8012]: > www12-azure.checktls.com[40.76.159.115]: 250-DSN
Feb 8 15:34:45 mail postfix/smtpd[8012]: > www12-azure.checktls.com[40.76.159.115]: 250 CHUNKING

Feb 8 15:34:45 mail postfix/smtpd[8012]: watchdog_pat: 0x564b76db8840
Feb 8 15:34:45 mail postfix/smtpd[8012]: vstream_fflush_some: fd 25 flush 185
Feb 8 15:34:46 mail postfix/smtpd[8012]: vstream_buf_get_ready: fd 25 got 31
Feb 8 15:34:46 mail postfix/smtpd[8012]: < www12-azure.checktls.com[40.76.159.115]: MAIL FROM:<[email protected]>
Feb 8 15:34:46 mail postfix/smtpd[8012]: extract_addr: input: <[email protected]>
Feb 8 15:34:46 mail postfix/smtpd[8012]: smtpd_check_addr: addr=[email protected]
Feb 8 15:34:46 mail postfix/smtpd[8012]: connect to subsystem private/rewrite
Feb 8 15:34:46 mail postfix/smtpd[8012]: event_enable_read: fd 28
Feb 8 15:34:46 mail postfix/smtpd[8012]: event_request_timer: set 0x564b764896c5 0x564b76de8cc0 5
Feb 8 15:34:46 mail postfix/smtpd[8012]: event_request_timer: set 0x564b764896ed 0x564b76de8cc0 1000
Feb 8 15:34:46 mail postfix/smtpd[8012]: send attr request = rewrite
Feb 8 15:34:46 mail postfix/smtpd[8012]: send attr rule = local
Feb 8 15:34:46 mail postfix/smtpd[8012]: send attr address = ""
Feb 8 15:34:46 mail postfix/smtpd[8012]: vstream_fflush_some: fd 28 flush 39
Feb 8 15:34:46 mail postfix/smtpd[8012]: vstream_buf_get_ready: fd 28 got 20
(cont..)
 
(cont.)
Feb 8 15:34:46 mail postfix/smtpd[8012]: private/rewrite socket: wanted attribute: flags
Feb 8 15:34:46 mail postfix/smtpd[8012]: input attribute name: flags
Feb 8 15:34:46 mail postfix/smtpd[8012]: input attribute value: 0
Feb 8 15:34:46 mail postfix/smtpd[8012]: private/rewrite socket: wanted attribute: address
Feb 8 15:34:46 mail postfix/smtpd[8012]: input attribute name: address
Feb 8 15:34:46 mail postfix/smtpd[8012]: input attribute value: ""
Feb 8 15:34:46 mail postfix/smtpd[8012]: private/rewrite socket: wanted attribute: (list terminator)
Feb 8 15:34:46 mail postfix/smtpd[8012]: input attribute name: (end)
Feb 8 15:34:46 mail postfix/smtpd[8012]: rewrite_clnt: local: "" -> ""
Feb 8 15:34:46 mail postfix/smtpd[8012]: event_request_timer: reset 0x564b764896c5 0x564b76de8cc0 5
Feb 8 15:34:46 mail postfix/smtpd[8012]: send attr request = rewrite
Feb 8 15:34:46 mail postfix/smtpd[8012]: send attr rule = local
Feb 8 15:34:46 mail postfix/smtpd[8012]: send attr address = [email protected]
Feb 8 15:34:46 mail postfix/smtpd[8012]: vstream_fflush_some: fd 28 flush 54
Feb 8 15:34:46 mail postfix/smtpd[8012]: vstream_buf_get_ready: fd 28 got 35
Feb 8 15:34:46 mail postfix/smtpd[8012]: private/rewrite socket: wanted attribute: flags
Feb 8 15:34:46 mail postfix/smtpd[8012]: input attribute name: flags
Feb 8 15:34:46 mail postfix/smtpd[8012]: input attribute value: 0
Feb 8 15:34:46 mail postfix/smtpd[8012]: private/rewrite socket: wanted attribute: address
Feb 8 15:34:46 mail postfix/smtpd[8012]: input attribute name: address
Feb 8 15:34:46 mail postfix/smtpd[8012]: input attribute value: [email protected]
Feb 8 15:34:46 mail postfix/smtpd[8012]: private/rewrite socket: wanted attribute: (list terminator)
Feb 8 15:34:46 mail postfix/smtpd[8012]: input attribute name: (end)
Feb 8 15:34:46 mail postfix/smtpd[8012]: rewrite_clnt: local: [email protected] -> [email protected]
Feb 8 15:34:46 mail postfix/smtpd[8012]: event_request_timer: reset 0x564b764896c5 0x564b76de8cc0 5
Feb 8 15:34:46 mail postfix/smtpd[8012]: send attr request = resolve
Feb 8 15:34:46 mail postfix/smtpd[8012]: send attr sender =
Feb 8 15:34:46 mail postfix/smtpd[8012]: send attr address = [email protected]
Feb 8 15:34:46 mail postfix/smtpd[8012]: vstream_fflush_some: fd 28 flush 51
Feb 8 15:34:46 mail postfix/smtpd[8012]: vstream_buf_get_ready: fd 28 got 84
Feb 8 15:34:46 mail postfix/smtpd[8012]: private/rewrite socket: wanted attribute: flags
Feb 8 15:34:46 mail postfix/smtpd[8012]: input attribute name: flags
Feb 8 15:34:46 mail postfix/smtpd[8012]: input attribute value: 0
Feb 8 15:34:46 mail postfix/smtpd[8012]: private/rewrite socket: wanted attribute: transport
Feb 8 15:34:46 mail postfix/smtpd[8012]: input attribute name: transport
Feb 8 15:34:46 mail postfix/smtpd[8012]: input attribute value: smtp
Feb 8 15:34:46 mail postfix/smtpd[8012]: private/rewrite socket: wanted attribute: nexthop
Feb 8 15:34:46 mail postfix/smtpd[8012]: input attribute name: nexthop
Feb 8 15:34:46 mail postfix/smtpd[8012]: input attribute value: checktls.com
Feb 8 15:34:46 mail postfix/smtpd[8012]: private/rewrite socket: wanted attribute: recipient
Feb 8 15:34:46 mail postfix/smtpd[8012]: input attribute name: recipient
Feb 8 15:34:46 mail postfix/smtpd[8012]: input attribute value: [email protected]
Feb 8 15:34:46 mail postfix/smtpd[8012]: private/rewrite socket: wanted attribute: flags
Feb 8 15:34:46 mail postfix/smtpd[8012]: input attribute name: flags
Feb 8 15:34:46 mail postfix/smtpd[8012]: input attribute value: 4096
Feb 8 15:34:46 mail postfix/smtpd[8012]: private/rewrite socket: wanted attribute: (list terminator)
Feb 8 15:34:46 mail postfix/smtpd[8012]: input attribute name: (end)
Feb 8 15:34:46 mail postfix/smtpd[8012]: resolve_clnt: `' -> `[email protected]' -> transp=`smtp' host=`checktls.com' rcpt=`[email protected]' flags= class=default
Feb 8 15:34:46 mail postfix/smtpd[8012]: ctable_locate: install entry key ?[email protected]
Feb 8 15:34:46 mail postfix/smtpd[8012]: extract_addr: in: <[email protected]>, result: [email protected]
Feb 8 15:34:46 mail postfix/smtpd[8012]: event_request_timer: reset 0x564b764896c5 0x564b76de8cc0 5
Feb 8 15:34:46 mail postfix/smtpd[8012]: send attr request = rewrite
Feb 8 15:34:46 mail postfix/smtpd[8012]: send attr rule = local
Feb 8 15:34:46 mail postfix/smtpd[8012]: send attr address = double-bounce
Feb 8 15:34:46 mail postfix/smtpd[8012]: vstream_fflush_some: fd 28 flush 50
Feb 8 15:34:46 mail postfix/smtpd[8012]: vstream_buf_get_ready: fd 28 got 48
Feb 8 15:34:46 mail postfix/smtpd[8012]: private/rewrite socket: wanted attribute: flags
Feb 8 15:34:46 mail postfix/smtpd[8012]: input attribute name: flags
Feb 8 15:34:46 mail postfix/smtpd[8012]: input attribute value: 0
Feb 8 15:34:46 mail postfix/smtpd[8012]: private/rewrite socket: wanted attribute: address
Feb 8 15:34:46 mail postfix/smtpd[8012]: input attribute name: address
Feb 8 15:34:46 mail postfix/smtpd[8012]: input attribute value: [email protected]
Feb 8 15:34:46 mail postfix/smtpd[8012]: private/rewrite socket: wanted attribute: (list terminator)
Feb 8 15:34:46 mail postfix/smtpd[8012]: input attribute name: (end)
Feb 8 15:34:46 mail postfix/smtpd[8012]: rewrite_clnt: local: double-bounce -> [email protected]
Feb 8 15:34:46 mail postfix/smtpd[8012]: report sender to all milters
Feb 8 15:34:46 mail postfix/smtpd[8012]: milter_macro_lookup: "i"
Feb 8 15:34:46 mail postfix/smtpd[8012]: milter_macro_lookup: "{auth_type}"
Feb 8 15:34:46 mail postfix/smtpd[8012]: milter_macro_lookup: "{auth_authen}"
Feb 8 15:34:46 mail postfix/smtpd[8012]: milter_macro_lookup: "{auth_author}"
Feb 8 15:34:46 mail postfix/smtpd[8012]: milter_macro_lookup: "{mail_addr}"
Feb 8 15:34:46 mail postfix/smtpd[8012]: ctable_locate: leave existing entry key ?[email protected]
Feb 8 15:34:46 mail postfix/smtpd[8012]: milter_macro_lookup: result "[email protected]"
Feb 8 15:34:46 mail postfix/smtpd[8012]: milter_macro_lookup: "{mail_host}"
Feb 8 15:34:46 mail postfix/smtpd[8012]: ctable_locate: leave existing entry key ?[email protected]
Feb 8 15:34:46 mail postfix/smtpd[8012]: milter_macro_lookup: result "checktls.com"
Feb 8 15:34:46 mail postfix/smtpd[8012]: milter_macro_lookup: "{mail_mailer}"
Feb 8 15:34:46 mail postfix/smtpd[8012]: ctable_locate: leave existing entry key ?[email protected]
Feb 8 15:34:46 mail postfix/smtpd[8012]: milter_macro_lookup: result "smtp"
Feb 8 15:34:46 mail postfix/smtpd[8012]: milter8_mail_event: milter inet:127.0.0.1:12768: mail <[email protected]>
Feb 8 15:34:46 mail postfix/smtpd[8012]: event: SMFIC_MAIL; macros: {mail_addr}=[email protected] {mail_host}=checktls.com {mail_mailer}=smtp
Feb 8 15:34:46 mail postfix/smtpd[8012]: vstream_fflush_some: fd 27 flush 105
Feb 8 15:34:46 mail postfix/smtpd[8012]: vstream_buf_get_ready: fd 27 got 5
Feb 8 15:34:46 mail postfix/smtpd[8012]: reply: SMFIR_CONTINUE data 0 bytes
Feb 8 15:34:46 mail postfix/smtpd[8012]: smtpd_check_rewrite: trying: permit_inet_interfaces
Feb 8 15:34:46 mail postfix/smtpd[8012]: permit_inet_interfaces: www12-azure.checktls.com 40.76.159.115
Feb 8 15:34:46 mail postfix/smtpd[8012]: fsspace: .: block size 4096, blocks free 8312605
Feb 8 15:34:46 mail postfix/smtpd[8012]: smtpd_check_queue: blocks 4096 avail 8312605 min_free 0 msg_size_limit 10240000
Feb 8 15:34:46 mail postfix/smtpd[8012]: > www12-azure.checktls.com[40.76.159.115]: 250 2.1.0 Ok
Feb 8 15:34:46 mail postfix/smtpd[8012]: watchdog_pat: 0x564b76db8840
Feb 8 15:34:46 mail postfix/smtpd[8012]: vstream_fflush_some: fd 25 flush 14
Feb 8 15:34:46 mail postfix/smtpd[8012]: vstream_buf_get_ready: fd 25 got 7

Feb 8 15:34:46 mail postfix/smtpd[8012]: < www12-azure.checktls.com[40.76.159.115]: QUIT
Feb 8 15:34:46 mail postfix/smtpd[8012]: > www12-azure.checktls.com[40.76.159.115]: 221 2.0.0 Bye
 
Feb 8 15:34:45 mail postfix/smtpd[8012]: > www12-azure.checktls.com[40.76.159.115]: 250-STARTTLS
That's weird - the server claims it did send this, but checktls didn't receive it.
Trying from here hangs after EHLO.

Do you have a snakeoil machine application level firewall in front of your server?
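
Added example, not part of any post in this thread: a Python check that compares the EHLO keywords Postfix logged as sent (the "> client[ip]: 250-..." debug lines) with what a client actually received, and sorts the result into the cases discussed above (STARTTLS offered, logged as sent but missing on the wire, TLS required but not offered, plaintext only). The sample log and client capture are constructed, host names and addresses are placeholders, and it assumes the server refuses MAIL FROM with a 530 reply when TLS is required.

```python
import re

# What smtpd logged as SENT to the client ("> host[ip]: reply") at debug level.
SENT = re.compile(r"postfix/smtpd\[\d+\]: > \S+\[[^\]]+\]: (\d{3})([ -])(.*)$")

def keywords(reply_lines):
    """EHLO keywords from (code, sep, text) tuples of the first 250 reply."""
    found, first = set(), True
    for code, sep, text in reply_lines:
        if code != "250":
            continue
        if not first and text.strip():
            found.add(text.split()[0].upper())
        first = False            # first 250 line carries the server name
        if sep == " ":           # "250 " (space) ends the multiline reply
            break
    return found

def server_sent(maillog):
    """Keywords the server claims it sent, from Postfix debug log text."""
    return keywords(m.groups() for m in map(SENT.search, maillog.splitlines()) if m)

def client_saw(reply):
    """Keywords in the raw EHLO reply as captured on the client side."""
    return keywords((l[:3], l[3:4], l[4:]) for l in reply.splitlines() if len(l) >= 4)

def diagnose(sent, seen, mail_from_reply):
    if "STARTTLS" in seen:
        return "starttls-offered"
    if "STARTTLS" in sent:
        return "stripped-in-transit"       # logged as sent, never arrived
    if mail_from_reply.startswith("530"):
        return "tls-required-not-offered"  # client cannot comply
    return "plaintext-only"                # mail flows, but unencrypted

def lost_in_transit(maillog, reply):
    """Keywords present in the server log but absent from the client's view."""
    return sorted(server_sent(maillog) - client_saw(reply))

# Constructed samples (hosts and addresses are placeholders).
P = "Feb 8 15:34:45 mail postfix/smtpd[8012]: > probe.example.test[192.0.2.10]: "
MAILLOG = "\n".join(P + r for r in (
    "250-mail.example.test", "250-PIPELINING", "250-STARTTLS", "250 CHUNKING"))
CLIENT_VIEW = "250-mail.example.test\r\n250-PIPELINING\r\n250 CHUNKING\r\n"

if __name__ == "__main__":
    print(diagnose(server_sent(MAILLOG), client_saw(CLIENT_VIEW), "250 2.1.0 Ok"))
    print(lost_in_transit(MAILLOG, CLIENT_VIEW))
```

A "stripped-in-transit" result points at something between the server and the client rewriting the SMTP session, not at main.cf.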
 
@BNSHosting.net

Again, please reinstall Postfix!

Your /etc/postfix/main.cf is - very likely, with almost 99.9% certainty - the issue here.

It should contain the line (line 27) with the default TLS config : smtpd_use_tls = yes
All other settings are not or less relevant!


Also note that your remark

we made a main.cf.bak before we made changes. So we merely restored the main.cf.bak to main.cf
then we applied the correct SSL cert.

is indicative of the fact that you might or might not have reinstalled Postfix with the OLD INCORRECT / BROKEN main.cf file!

That fact would explain a lot.

It is not necessary at all to fiddle with the main.cf or master.cf file as provided by default with Plesk!!!

Please try to get the entire setup running with a clean and default Postfix installation.

Otherwise, you will be having issues until the end of time, so to speak.

Kind regards.....
 