Difficulties to get SMTP mail working

segelfreak

Hey All,

I'm having difficulties in getting the mail send to work with an inhouse exchange mail server.
Account has been set up, but test mails seem stuck with the log throwing a certifcate error:

is unable to send (attempt 1), tls: failed to verify certificate: x509: certificate signed by unknown authority

Since this is an "office" exchange server with no direct exposed ports, thus having only a self-signed certifcate. Can we disable the strict certificate verification somehow?

gabriel

segelfreak
Nope, but you import your self-signed cert into the trusted root store of the server that runs r3. Than it is not unknown anymore.

segelfreak

Good hint, thank you for that! Sadly, it seems to be more tricky than I was hoping. I did make an openssl client test connection, in order to retrieve the certificate. It seems that there's none.

openssl s_client -starttls smtp -connect myserver.mydomain:587 -showcerts
CONNECTED(00000003)
4007A44351700000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:317:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 323 bytes and written 363 bytes
Verification: OK

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

So it looks like tls is not configured at all, which is confusing after the log was basically just complaining
08.08.2024 15:35:46 Fehler node1 - Mail is unable to send (attempt 1), tls: failed to verify certificate: x509: certificate signed by unknown authority

However, if I disable STARTTLS in the account settings, the log will show
09.08.2024 08:40:53 Fehler node1 - Mail is unable to send (attempt 1), tls: first record does not look like a TLS handshake

I have to admit, I'm a bit puzzled now... either way seems to not work?

Martin

Depending on how the fontend transports are configured in Exchange, you could try sending via port 25 in REI3, not 587.

Martin

Scratch that. Looks like if you turn StartTLS off, then REI 3 will not initiate TLS, but will do the TLS check anyway and fail.

Also note that I had to set auth method to LOGIN instead of PLAIN for our Exchange server.

EDIT:
OK, now I understand. REI3 will never make a plain old unencrypted port 25 SMTP connection.

// use SSL if STARTTLS is disabled - otherwise STARTTLS is attempted client.SetSSL(!ma.StartTls)

So you need Exchanged fixed. In ECP > servers > certificates, you should have your valid certificate and on that certificate, SMTP service must be enabled.

gabriel

Yes you are right - currently r3 does only attempt encrypted connections. The UI is not really clear about that though :/

segelfreak

Thanks to All for your efforts and kind support. Appreciate it a lot!
I’m not the admin of that Exchange Server, so I‘ll need to check and see what can be done on that.
In any case, I would think that - as a last fallback solution - a lean postfix installation should possibly do the trick as a forwarding step in between.

Martin

Just for the record and anyone researching in the future:

You can also use the default client frontend connector on port 587, still needs working TLS of cause.