Thread: [SOLVED] Inbound TLS not working

  #1 skot999

    Hi All - I have ZCS 6.0 on Ubuntu. All email is filtered through a SPAM server that is hosted at ExchangeDefender. We have the proper certificates installed (as well as ExchangeDefender) for TLS. I looked in the email headers and outbound email is TLS encrypted. However, inbound email is just basic SMTP (not even ESMTP). All proper ports are open.

    I also noticed that internally if I run the following command, TLS looks ok.

    telnet 'inside IP' 25
    220 host.domain.com ESMTP Postfix
    starttls
    220 2.0.0 Ready to start TLS

    But... If I run the same command from the outside (w/ outside IP):
    telnet 'outside IP' 25
    220 ********************************
    starttls
    502 5.5.2 Error: command not recognized


    If I run this command from the outside it looks ok.
    telnet 'outside IP' 465
    220 host.domain.com ESMTP Postfix
    starttls
    220 2.0.0 Ready to start TLS


    Any ideas?? Any help is greatly appreciated.
    Thanks.

  #2 phoenix (Zimbra Consultant & Moderator, Vannes, France)

    Quote Originally Posted by skot999
    Any ideas??
    You most likely have a configuration problem or a firewall problem. I'd suggest you start by looking at your Split DNS set-up (you do have one, don't you?) and confirm that it's all OK - check the forums for details of what you need to do to check it.

    I notice that you have several threads in the forums that have received answers to your questions and you haven't replied; would you mind giving them some follow-up on whether the solutions worked or not?
    Regards


    Bill

  #3 skot999

    Quote Originally Posted by phoenix (post #2 quoted in full)

    Thanks Bill - I will go through my older posts.

    I don't think it is a DNS issue because inbound mail always works... it just defaults to SMTP and not TLS. Ports 25, 465, and 587 are open to my ExchangeDefender SPAM servers. What other configuration options should I be checking?

  #4 LMStone (Portland, ME)

    Quote Originally Posted by skot999 (post #1 quoted in full)
    Is there any chance your firewall is configured to do port forwarding instead of one-to-one public IP-to-private IP NAT?

    Or perhaps that there is a DNS issue making the public IP not what you intended?

    I ask because it looks to me like the telnet to the outside IP is being answered by a different mail server. The 220 greet string is different than the other two telnets and unless you run multiple instances of Postfix listening on different ports, I do not believe you can configure a single instance of Postfix to respond with a different greet string based on the listening port. Also, out of the box no Postfix MTA responds with a 220 and a string of asterisks; Exchange servers do that however...

    Hope that helps,
    Mark
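
The three telnet sessions in post #1 and Mark's point in post #4 about the greeting string reduce to one check: does the party that answers the outside IP on port 25 present the same banner and the same EHLO capabilities as the Postfix instance seen from inside? STARTTLS is an ESMTP extension announced in the EHLO reply, so a capability check has to send EHLO first (the sessions in post #1 skipped it; Postfix tolerated that, but a session that is held to plain RFC 821 SMTP will never get to STARTTLS). The script below is an added example, not code from the original posts or from Zimbra/Postfix: it reads the banner, sends EHLO with a HELO fallback, records whether STARTTLS is advertised, and compares an inside and an outside probe. The HELO name and the two constructed server transcripts are assumptions so that it runs offline; `probe_host` does the same against a live listener. One caveat a practitioner would add to Mark's reading: a banner consisting only of asterisks, combined with EHLO/STARTTLS being rejected on port 25 only, is the signature an SMTP-inspecting firewall leaves (Cisco PIX/ASA SMTP fixup/ESMTP inspection masks the banner with asterisks and blocks commands outside the basic command set), which fits the observation that something other than the Postfix instance is answering; this page of the thread does not reach that conclusion, so treat it as a check to run, not a finding.

```python
"""Probe an SMTP listener and compare what two vantage points see.

Added example for this thread; it is not code from the original posts or from
Zimbra/Postfix. The HELO name, the constructed server transcripts and the host
names in them are assumptions so that the script runs offline.
"""
import io
import socket
import ssl


def read_reply(rx):
    """Read one SMTP reply, joining '250-' continuation lines.

    Returns (code, [text after the 4-character prefix, one entry per line]).
    """
    lines = []
    while True:
        raw = rx.readline()
        if not raw:
            raise EOFError("connection closed mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"not an SMTP reply: {line!r}")
        lines.append(line[4:])
        if len(line) == 3 or line[3] != "-":   # "250 text" ends, "250-text" continues
            return int(line[:3]), lines


def probe(rx, tx, helo_name="probe.example.test"):
    """Banner -> EHLO (HELO fallback) -> QUIT on an already open channel.

    rx/tx are binary file objects (a socket's makefile pair, or BytesIO for a
    scripted test). The result records the banner, whether ESMTP was accepted
    and whether STARTTLS is advertised.
    """
    code, banner = read_reply(rx)
    result = {"banner": banner[0], "banner_code": code,
              "esmtp": False, "starttls": False, "capabilities": []}
    tx.write(f"EHLO {helo_name}\r\n".encode())
    tx.flush()
    code, lines = read_reply(rx)
    if code == 250:
        result["esmtp"] = True
        # First line is the server's own name; the rest are extension keywords.
        caps = [l.split()[0].upper() for l in lines[1:] if l.strip()]
        result["capabilities"] = caps
        result["starttls"] = "STARTTLS" in caps
    else:
        # EHLO rejected: this path only speaks RFC 821 SMTP, and STARTTLS is an
        # ESMTP extension, so it can never be negotiated here.
        tx.write(f"HELO {helo_name}\r\n".encode())
        tx.flush()
        read_reply(rx)
    tx.write(b"QUIT\r\n")
    tx.flush()
    return result


def compare(inside, outside):
    """Findings explaining why an internal and an external probe of what should
    be the same Postfix instance disagree."""
    findings = []
    if inside["banner"] != outside["banner"]:
        findings.append(
            "banner differs: the external connection is not answered by the same "
            "Postfix instance (wrong NAT/port-forward target, another host, or an "
            "SMTP-inspecting firewall rewriting the session)")
    if inside["esmtp"] and not outside["esmtp"]:
        findings.append("EHLO rejected externally: session downgraded to plain SMTP, "
                        "so STARTTLS cannot be offered on this path")
    if inside["starttls"] and not outside["starttls"]:
        findings.append("STARTTLS advertised internally but not externally")
    return findings


def probe_host(host, port, helo_name="probe.example.test", implicit_tls=False, timeout=10):
    """Live probe. Use implicit_tls=True only for a real smtps (wrapper-mode)
    listener; the thread's port 465 answered in plaintext, so start without it."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if implicit_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock, sock.makefile("rb") as rx, sock.makefile("wb") as tx:
        return probe(rx, tx, helo_name)


# Constructed transcripts modelled on the two observations in the thread.
INSIDE_TRANSCRIPT = [
    "220 host.domain.com ESMTP Postfix\r\n",
    "250-host.domain.com\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME\r\n",
    "221 2.0.0 Bye\r\n",
]
OUTSIDE_TRANSCRIPT = [
    "220 ********************************\r\n",
    "502 5.5.2 Error: command not recognized\r\n",   # reply to EHLO
    "250 host.domain.com\r\n",                       # reply to HELO
    "221 2.0.0 Bye\r\n",
]


def scripted_channel(replies):
    """Stand-in for a socket: canned replies on rx, sent commands captured on tx."""
    return io.BytesIO("".join(replies).encode()), io.BytesIO()


if __name__ == "__main__":
    inside = probe(*scripted_channel(INSIDE_TRANSCRIPT))
    outside = probe(*scripted_channel(OUTSIDE_TRANSCRIPT))
    for finding in compare(inside, outside):
        print("-", finding)
```

Run it from a host outside the firewall with `probe_host("your_outside_IP", 25)` and from inside with the private IP, then hand both results to `compare`. If the outside banner is a row of asterisks while the inside one names the Postfix host, the next thing to inspect is whatever sits between the two: the NAT rule's target and any SMTP inspection on the firewall.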

  #5 skot999

    Quote Originally Posted by LMStone (post #4 quoted in full)
    Thanks for the reply Mark - I just checked and it is a one-to-one mapping config in our firewall. What's strange is that this setup is working: sending and receiving email, no problem. Outbound is TLS encrypted; inbound from ExchangeDefender (SPAM server) just gets bumped down to SMTP. TLS is ready on their side (I checked through CLI). Is it possible that I have to add ExchangeDefender's IP address to a trusted network on my Zimbra admin console? If so, where?

    Again thanks for your help. Much appreciated.
    Scott

  #6 LMStone (Portland, ME)

    Hi Scott,

    I'm not sure what to tell you... to me it really does look like when you do "telnet <outside_ip> 25" that you are connecting to a non-Zimbra email system.

    How that may be happening I can't say just yet, but to test if my guess is true, what happens if you try to do "ssh <outside_ip>"?

    Hope that helps,
    Mark

  #7 skot999

    Quote Originally Posted by LMStone (post #6 quoted in full)
    Thanks Mark - I just tested and I can successfully connect from the outside with ssh. Any other thoughts?

  #8 skot999

    Quote Originally Posted by LMStone (post #6 quoted in full)
    Are you sure that nothing else has to be modified in the Zimbra config to allow inbound TLS? Allow trusted networks, etc.?

  #9 LMStone (Portland, ME)

    Quote Originally Posted by skot999
    Are you sure that nothing else has to be modified in the zimbra config to allow inbound TLS? Allow trusted networks ,etc?
    Hi Scott,

    I'm not quite there yet because I can't explain why the HELO greet string is totally different when telnetting to the outside IP.

    If you don't mind sending me the private IP, I would propose trying to do a manual smtp transaction by running the following commands from one of our zimbra servers (you could do this yourself too, you just need to do it from a mail server with proper public DNS records):

    Code:
    telnet your_outside_IP 25
    # expect: 220 <banner>
    helo reliablenetworks.com
    # expect: 250 <server name>
    mail from: <my_email_address@reliablenetworks.com>
    # expect: 250 2.1.0 Ok
    rcpt to: <your_email_address@your_zimbra_domain>
    # expect: 250 2.1.5 Ok
    data
    # expect: 354 End data with <CR><LF>.<CR><LF>
    Testing, 1, 2, 3
    .
    # expect: 250 2.0.0 Ok: queued as <queue id>
    quit
    Sorry to be stubborn on this one point!

    All the best,
    Mark
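
The transaction Mark lays out above, and the question in the next post about another way to run it, can be scripted with the standard library so that the test message is only handed over after STARTTLS has been negotiated and the server certificate verified, which a telnet session never checks. What follows is an added example, not code from the original posts or from Zimbra: `deliver_with_starttls` drives an `smtplib.SMTP`-compatible session (EHLO, STARTTLS if advertised, EHLO again, then MAIL FROM/RCPT TO/DATA through `sendmail`) and refuses plaintext delivery by default; `deliver` runs it against a live host. The host, the addresses and the `FakeSMTP` stand-in used to exercise the logic offline are assumptions.

```python
"""Run the test transaction from post #9 with STARTTLS enforced.

Added example for this thread; it is not code from the original posts or from
Zimbra. The host, the addresses and the FakeSMTP stand-in are assumptions.
"""
import smtplib
import ssl
from email.message import EmailMessage


def build_probe_message(sender, recipient):
    """Minimal message. On the receiving Postfix the Received: header records
    the TLS cipher for this hop when smtpd_tls_received_header is enabled,
    which is the header check the thread starter used for outbound mail."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "STARTTLS probe"
    msg.set_content("Testing, 1, 2, 3")
    return msg


def deliver_with_starttls(smtp, sender, recipient, context, require_tls=True):
    """Drive an smtplib.SMTP-compatible session: EHLO, STARTTLS if advertised,
    EHLO again, then MAIL FROM / RCPT TO / DATA via sendmail().

    With require_tls the message is never handed over in the clear; the return
    value says what happened so the caller can report it.
    """
    tls = offered = False
    code, _ = smtp.ehlo()
    if code != 250:
        # EHLO refused: plain RFC 821 SMTP only, STARTTLS is impossible here.
        smtp.helo()
    else:
        offered = smtp.has_extn("starttls")
        if offered:
            smtp.starttls(context=context)   # context verifies chain and hostname
            smtp.ehlo()                      # capabilities may differ after TLS
            tls = True
    if require_tls and not tls:
        return {"sent": False, "tls": False, "starttls_offered": offered,
                "reason": "STARTTLS not negotiated; refusing plaintext delivery"}
    msg = build_probe_message(sender, recipient)
    refused = smtp.sendmail(sender, [recipient], msg.as_bytes())
    return {"sent": not refused, "tls": tls, "starttls_offered": offered,
            "reason": None}


def deliver(host, port, sender, recipient, require_tls=True, timeout=20):
    """Live run against the outside IP. As Mark notes, do this from a host with
    proper public DNS, or RCPT TO may be rejected for reasons unrelated to TLS."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        return deliver_with_starttls(smtp, sender, recipient, ctx, require_tls)


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP that records the command sequence.
    esmtp=False models the port-25 path in the thread where EHLO is rejected."""

    def __init__(self, esmtp=True, starttls_offered=True):
        self.esmtp, self.offered, self.log = esmtp, starttls_offered, []

    def ehlo(self):
        self.log.append("EHLO")
        return (250, b"ok") if self.esmtp else (502, b"5.5.2 Error: command not recognized")

    def helo(self):
        self.log.append("HELO")
        return (250, b"ok")

    def has_extn(self, name):
        return name == "starttls" and self.offered

    def starttls(self, context=None):
        self.log.append("STARTTLS")
        return (220, b"2.0.0 Ready to start TLS")

    def sendmail(self, sender, rcpts, msg):
        self.log.append("DATA")
        return {}   # empty dict: every recipient accepted


if __name__ == "__main__":
    ctx = ssl.create_default_context()
    for name, fake in (("inside", FakeSMTP(True, True)), ("outside:25", FakeSMTP(False, False))):
        print(name, deliver_with_starttls(fake, "me@example.test", "you@zimbra.example.test", ctx))
```

Against the real outside IP, `deliver("your_outside_IP", 25, sender, recipient)` either returns `sent: True, tls: True` or refuses with the reason, so a downgrade to plain SMTP shows up as a failed test rather than as a quietly delivered message. Pass `require_tls=False` only when the point is to confirm that plaintext delivery still works, as it did for the thread starter.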

  #10 skot999

    Quote Originally Posted by LMStone (post #9 quoted in full)
    Hi Mark - do you mean to make an exception so you can telnet into my Zimbra server from yours? (Sorry, I'm new to mail server administration.)

    Is there another way I could try this?

    Everything looks fine when I do this from an outside trusted source:
    telnet 'public ip' 587
