
Issue: Unable to use Plesk as SMTP server

ramasaig

New Pleskian
Server operating system version: Ubuntu 20.04.4 LTS
Plesk version and microupdate number: Plesk Obsidian 18.0.44 Update #3
I have a VPS powered by Plesk. I have several domains on this server and I can send and receive e-mails from any of these via my local e-mail client Thunderbird (using appropriate SSL/TLS login criteria for each).
I also have a local Apache 2.4 server on my Windows computer, which I use for web site development and testing. To test form submission etc. I want to be able to send e-mails from web sites on my local computer. I have successfully configured php.ini and sendmail.ini to be able to send e-mails via my gmail account (e.g. 'smtp_server=smtp.gmail.com' etc.), but I would prefer to be able to use one of my own domains on my VPS.
I have tried configuring php.ini and sendmail.ini to do this, following the same lines as the settings for gmail and using the same login credentials as for regular e-mailing via Thunderbird. The smtp_port is 465. But it doesn't work. I get an error message in the sendmail error log: "22/07/06 11:38:56 : Error connecting with SSL.<EOL>Error connecting with SSL.<EOL>error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version".
I can't make out whether this is because Plesk thinks my local server settings are insecure, or because I need to make some further changes on my Plesk server.
Any suggestions on what to try next, please?
 
Most likely the problem is that your Plesk/Postfix server is configured to run with TLS 1.2 (and newer), but your Windows/Apache/PHP server supports TLS 1.0/1.1 only.
So you will either need to change your Plesk/Postfix server to support these older TLS versions as well, or you need to upgrade this Windows/Apache/PHP environment to support TLS 1.2.


I do recommend changing Postfix on Plesk to support TLS 1.0 and TLS 1.1 as well.
Just keep in mind that a sync of the "recommended TLS versions and ciphers by Mozilla" in the "SSL it!" extension may reset this configuration again.
 
Thank you. My Apache installation dates from 2020, but it shouldn't be too difficult to download a newer version if I can be sure it will support TLS 1.2+. Wouldn't that be easier than modifying Plesk only to have it reset whenever there's an update?
 
If I am not mistaken, this only depends on the PHP version (i.e. the OpenSSL version PHP was compiled against) and not Windows or Apache2.
And for the standard PHP binary releases you can download from the official page (PHP For Windows: Home), everything from PHP 5.6 on should support TLS 1.2.
 
My local server is running PHP 7.4.12. There doesn't seem to be anything about TLS in phpinfo unless:
OpenSSL Library Version OpenSSL 1.1.1h 22 Sep 2020
OpenSSL Header Version OpenSSL 1.1.1h 22 Sep 2020
indicates anything relevant?
No harm in updating PHP, so I'll do that.
 
OpenSSL 1.1.1h indicates that your PHP supports TLS 1.2 and even 1.3 (from OpenSSL 1.0.1 on, TLS 1.2 is supported).

Most likely something else in your environment is responsible for the "downgrade" to TLS 1.0/1.1 of your SMTP connections.
That can either be a firewall or the PHP script itself that is used to generate/send these emails.


So, it might be easier to change the Plesk/Postfix config, more so as this will confirm (or not) that it really is a TLS 1.0/1.1 problem (or the lack thereof).
 
Thank you. That makes sense too as I think PHP 7.4.12 is supposed to support TLS 1.3 (certainly 1.2). Under 'curl' phpinfo also says:
SSL Version OpenSSL/1.1.1h

I hope it isn't the script as this is about as basic as it comes to send a test e-mail. My AV is BitDefender (a recent change from Kaspersky). I'm not sure what (if anything) BitDefender does to monitor outgoing traffic. Might be worth investigating?
One might assume that gmail would be every bit as fussy as Plesk, but it seems it isn't. It doesn't even care whether the smtp_port is 465 or 25. So I do have a fall-back, it's just irritating that I can't use 'my own' SMTP server.
I will look into the Plesk/Postfix config. I suspect that involves using Linux, which I'm not good at!
 
Well, for a quick change/check, you can go to "Tools & Settings" --> "TLS versions and ciphers management" and apply the "Old" preset.
This will enable TLS 1.0/1.1 (including the required old ciphers) for Postfix - but of course also for nginx, apache, dovecot, proftpd (where you don't want to enable these old TLS versions on a permanent basis),
so this should only be used temporarily.
 
Thank you. That was easy enough. I found the 'Applied preset' setting was 'Intermediate'. I changed to 'old' and got this error message:
22/07/08 11:37:38 : Error: authentication failed: authentication failure<EOL>
(and still no e-mail, of course). I changed to 'Modern' and got the same error message as with 'Intermediate', viz:
22/07/08 11:38:52 : Error connecting with SSL.<EOL>Error connecting with SSL.<EOL>error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version.
I think I'm ready to give up on this one, or at least put it on the back burner. I can use gmail for my testing. The problem doesn't arise with live web sites hosted on my Plesk server (well, not so far!). Nonetheless it's disappointing.
Thank you for your help.
 
Well, with the "old" setting your php script could connect at least, but then failed because either the configured username or password was wrong.
 
Thank you. I think I was so expecting failure that I didn't think through what the error message said. I tried again with a different domain and the 'old' setting and it has worked; the e-mail has been sent and subsequently downloaded to Thunderbird. I will now check that the 'Thunderbird' and 'sendmail' credentials for the first domain are still the same (TB works, sendmail doesn't, for first domain).
It still only works with the 'old' setting in Plesk. (I tried 'intermediate' without changing anything else and it failed).
Given that I'm running PHP 7.4.12 which by all accounts should be TLS 1.3 compatible, is there anything more I could do at my end?
The alternative (better than selecting 'old') would seem to be to edit the Plesk settings (I'll have a go with Linux), but risk having to redo that edit whenever Plesk is updated.
I've been looking at the 'Similar threads' below this thread, but so far none of them cover the same problem (or don't have a solution).
 
We use TLS 1.0/1.1 for Postfix on all our servers and so far it has never been reset (except if we manually click "Sync now" with the Intermediate profile in the SSL it! extension).
So it may be quite safe, but I cannot guarantee that. Here we would need a word from the Plesk devs.

I would love to see them NOT apply these SSL settings to Postfix/Qmail anyway, as for SMTP in particular, a TLS 1.2/1.3 only config is way LESS "secure" than one that includes the old TLS versions and ciphers.
 
Thank you. So in short are you recommending that I just set 'old' in Plesk (TLS versions and ciphers by Mozilla) and get on with life?
 
No, "old" is not recommended to use for anything else than SMTP.
And as this setting cannot be configured per service in the "SSL it" extension, you should use "intermediate" and change the Postfix configuration manually (the parameters tls_medium_cipherlist, smtpd_tls_protocols and smtpd_tls_mandatory_protocols in the /etc/postfix/main.cf file).
 
Thank you. I have found the 'main.cf' file. What new values do I need for these parameters? Here are the current ones (and some others), all from the bottom of the file:
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_protocols = TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
smtpd_tls_mandatory_protocols = TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
smtpd_tls_ciphers = medium
recipient_canonical_maps = tcp:127.0.0.1:12346
recipient_canonical_classes = envelope_recipient,header_recipient
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA

An additional benefit of setting 'old' is that I can log in to Plesk 'root' from my editor (UltraEdit). I could do that from my previous server (with cPanel) but had failed to do so with Plesk. I can now edit all these files very much more easily. I'd like to be able to keep this facility.
 
My setting is working fine. I have done mine with Cloudflare. But automatic emails are not saved in the sent folder. Not sure what's wrong. Even using port 465.
 
We use TLS 1.0/1.1 for Postfix on all our servers and so far it has never been reset (except if we manually click "Sync now" with the Intermediate profile in the SSL it! extension).
So it may be quite safe, but I cannot guarantee that. Here we would need a word from the Plesk devs.

I would love to see them NOT apply these SSL settings to Postfix/Qmail anyway, as for SMTP in particular, a TLS 1.2/1.3 only config is way LESS "secure" than one that includes the old TLS versions and ciphers.
Thanks for posting this.
What steps did you follow to allow TLSv1 & 1.1 for Postfix only?
 
I've changed the following three params in /etc/postfix/main.cf.
The first two allow all TLS versions supported by your postfix/openssl (except SSLv2 and SSLv3) and the third adjusts the available cipher suites (without them, TLS 1.0 and TLS 1.1 do not work properly).

Code:
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
Code:
smtpd_tls_protocols = !SSLv2, !SSLv3
Code:
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
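An added example, not code from the thread or from Plesk: a small Python check that works out which TLS versions a Postfix smtpd_tls_protocols / smtpd_tls_mandatory_protocols value really enables, so a manual edit of /etc/postfix/main.cf like the one above can be verified (and the legacy versions it leaves on spotted) before a later "SSL it!" sync overwrites it. The sample main.cf text is constructed from the values posted in this thread; the KNOWN/LEGACY lists and the parsing rules follow the Postfix documentation for these parameters.

```python
import re

# Protocol names Postfix/OpenSSL accept in these parameters, oldest first.
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Versions that should only be enabled for a short, deliberate test window.
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def effective_protocols(value):
    """Return the set of versions a Postfix protocol list enables.
    Postfix takes either an inclusion list ("TLSv1.2 TLSv1.3") or an
    exclusion list ("!SSLv2, !SSLv3"), split on whitespace, commas or
    colons; mixing the forms is an error. The ">=TLSv1.2" range syntax
    of Postfix 3.6+ is deliberately not handled here.
    """
    tokens = [t for t in re.split(r"[\s,:]+", value.strip()) if t]
    excluded = [t[1:] for t in tokens if t.startswith("!")]
    included = [t for t in tokens if not t.startswith("!")]
    if excluded and included:
        raise ValueError("inclusion and exclusion forms cannot be mixed")
    for name in excluded + included:
        if name not in KNOWN:
            raise ValueError(f"unknown protocol name: {name}")
    return set(KNOWN) - set(excluded) if excluded else set(included)

def parse_main_cf(text):
    """Collect the smtpd TLS protocol parameters from main.cf text;
    a later assignment overrides an earlier one, as in Postfix itself."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(smtpd_tls(?:_mandatory)?_protocols)\s*=\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def legacy_enabled(text):
    """Map each protocol parameter in main.cf to the legacy versions it leaves on."""
    return {param: sorted(effective_protocols(value) & LEGACY, key=KNOWN.index)
            for param, value in parse_main_cf(text).items()}

# Constructed sample: the list form posted earlier in the thread plus the
# exclusion form from the last post. Both leave TLS 1.0 and 1.1 enabled.
SAMPLE_CF = """\
smtpd_tls_protocols = TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
"""

if __name__ == "__main__":
    for param, legacy in legacy_enabled(SAMPLE_CF).items():
        print(f"{param}: legacy versions enabled -> {legacy or 'none'}")
```

Run it against a copy of your real main.cf after editing to confirm that only the Postfix parameters, and not the nginx/apache/dovecot presets, carry the older versions.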
 