frederic abdou

Reputation: 55

Encrypted connection from Nodemailer to Postfix fails with "SSL23_GET_SERVER_HELLO:unknown protocol"

I configured an SMTP mail server using Postfix and Dovecot.

When I try using an external client to send emails over TLS, I get the following error:

/var/log/syslog:

Oct 31 19:40:49 designtuner postfix/submission/smtpd[30394]: connect from unknown[185.81.141.117]
Oct 31 19:40:49 designtuner postfix/submission/smtpd[30395]: connect from unknown[185.81.141.117]
Oct 31 19:40:49 designtuner postfix/submission/smtpd[30394]: lost connection after CONNECT from unknown[185.81.141.117]
Oct 31 19:40:49 designtuner postfix/submission/smtpd[30394]: disconnect from unknown[185.81.141.117] commands=0/0
Oct 31 19:40:49 designtuner postfix/submission/smtpd[30395]: lost connection after CONNECT from unknown[185.81.141.117]
Oct 31 19:40:49 designtuner postfix/submission/smtpd[30395]: disconnect from unknown[185.81.141.117] commands=0/0

Node JS client:

{ Error: 1XXXXXXXXXX35275584:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:../deps/openssl/openssl/ssl/s23_clnt.c:797:
code: 'ECONNECTION', command: 'CONN' }

Node JS file:

const nodemailer = require('nodemailer');

let transporter = nodemailer.createTransport({
  host: 'mail.designtuner.com',
  port: 587,
  secure: true, // secure:true for port 465, secure:false for port 587
  auth: {
    user: '[email protected]',
    pass: 'XXXXXXX'
  },
  tls: {
    rejectUnauthorized: false
  }
});

Am I missing something? Is it because my reverse DNS hasn't propagated yet? I recently updated my reverse DNS, but the website is accessible from a web browser just fine, and the SSL certificate seems to be working fine.

Upvotes: 1

Views: 1778

Answers (2)

Steffen Ullrich

Reputation: 123375

The comment in your code already points you to the problem, in that secure should be set to false for port 587:

port: 587,
secure: true, // secure:true for port 465, secure:false for port 587

The same is true for the documentation, which clearly says:

secure – if true the connection will use TLS when connecting to server. If false (the default) then TLS is used if server supports the STARTTLS extension. In most cases set this value to true if you are connecting to port 465. For port 587 or 25 keep it false

The reason for this is that secure expects implicit TLS, i.e. TLS from the start. But port 25 and port 587 usually use explicit TLS, i.e. a plain connection that is then upgraded to TLS after a successful STARTTLS command.

If you want to use explicit TLS (port 587) but also make sure that TLS is not optional, use requireTLS as documented:

requireTLS – if this is true and secure is false then Nodemailer tries to use STARTTLS even if the server does not advertise support for it. If the connection can not be encrypted then message is not sent

Upvotes: 0

Jens Erat

Reputation: 38682

SMTPs and STARTTLS

There are two ways of encrypted SMTP: SMTPs on port 465, which first establishes a TLS handshake and then starts the SMTP session, and SMTP with STARTTLS on port 587, which first starts an SMTP session and then initializes TLS after the STARTTLS SMTP command (and then continues with authentication and everything else that is to be protected).

SMTPs (TLS first, port 465) is considered deprecated; standards-conformant SMTP with STARTTLS (port 587) does not imply any drawbacks with respect to security or privacy. A properly configured SMTP server will not allow any unsecured connection on the SMTP submission port.

Enforcing encryption with Nodemailer

The secure flag of Nodemailer only indicates TLS before SMTP, which the comment following the line also points out (and it explicitly explains which setting to use):

secure: true, // secure:true for port 465, secure:false for port 587

Looking at the Nodemailer documentation, there is some further information on configuration options:

  • options.secure if true the connection will only use TLS. If false (the default), TLS may still be upgraded to if available via the STARTTLS command.

  • [...]

  • options.requireTLS if this is true and secure is false, it forces Nodemailer to use STARTTLS even if the server does not advertise support for it.

In other words, to enforce an encrypted session following standards and best practices, set requireTLS instead of secure and use SMTP submission on port 587.

Upvotes: 2
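The STARTTLS-versus-implicit-TLS distinction drawn in both answers, as an added example that is not part of the question or of either answer: buildTransportOptions and classifyHandshakeReply are names constructed here, and the sample bytes are constructed, not captured from the asker's server.

```javascript
// Added example, not code from the question or either answer. It shows
// the transport options both answers recommend (requireTLS on 587,
// secure only on 465, certificate verification left on) and classifies
// the bytes a client gets back after sending a TLS ClientHello, which is
// what produces SSL23_GET_SERVER_HELLO:unknown protocol on a STARTTLS
// port. Function names and the sample bytes are constructed here.

// Build Nodemailer options whose TLS mode matches the port.
function buildTransportOptions({ host, port, user, pass }) {
  const implicit = port === 465; // TLS handshake before any SMTP
  if (!implicit && port !== 587 && port !== 25) {
    throw new Error(`unexpected SMTP port ${port}`);
  }
  return {
    host,
    port,
    secure: implicit,       // true only for SMTPS on 465
    requireTLS: !implicit,  // on 587/25: STARTTLS or refuse to send
    auth: { user, pass },
    tls: { rejectUnauthorized: true }, // keep certificate checks on
  };
}

// Classify what the server sent back after our TLS ClientHello.
// A TLS server replies with a handshake record (0x16, version 0x03xx).
// A STARTTLS port has already sent its plaintext "220 " banner, so a
// client that expected TLS sees ASCII instead of a ServerHello.
function classifyHandshakeReply(bytes) {
  if (bytes.length >= 2 && bytes[0] === 0x16 && bytes[1] === 0x03) {
    return 'tls-server-hello';  // implicit TLS port, handshake proceeds
  }
  if (bytes.length >= 4 && bytes.toString('latin1', 0, 4) === '220 ') {
    return 'smtp-banner';       // plaintext SMTP: use STARTTLS instead
  }
  return 'unknown';
}

// Constructed samples, not captured from any real server.
const SMTP_BANNER = Buffer.from('220 mail.example.test ESMTP Postfix\r\n', 'latin1');
const TLS_SERVER_HELLO = Buffer.from([0x16, 0x03, 0x03, 0x00, 0x31, 0x02, 0x00, 0x00, 0x2d]);

console.log(classifyHandshakeReply(SMTP_BANNER));       // smtp-banner
console.log(classifyHandshakeReply(TLS_SERVER_HELLO));  // tls-server-hello
console.log(buildTransportOptions({ host: 'mail.example.test', port: 587, user: 'u', pass: 'p' }));
```

In the asker's case the client sent a ClientHello to port 587 and received the Postfix banner, which is the 'smtp-banner' branch above; Postfix logged it as a connection lost after CONNECT with no commands.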
