Koozali.org: home of the SME Server

ssmtp port 465 closed

Offline zoxer

ssmtp port 465 closed
« on: March 21, 2008, 12:45:43 AM »
Hello, I have a fresh install of SME Server 7.3 with all updates installed. My problem is that I cannot send email to the secure ssmtp port 465 from the WAN, although I can receive it through pop3s. My Outlook seems to be configured properly, following advice from this forum, but testing the server always times out. Trying to figure the problem out, I scanned the internal and external interfaces of the SME with nmap, and this is what I get from the external interface:

Not shown: 1675 filtered ports
PORT     STATE SERVICE
25/tcp   open  smtp
80/tcp   open  http
443/tcp  open  https
995/tcp  open  pop3s

And from the internal interface:
PORT     STATE SERVICE
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
139/tcp  open  netbios-ssn
143/tcp  open  imap
389/tcp  open  ldap
443/tcp  open  https
465/tcp  open  smtps
548/tcp  open  afpovertcp
993/tcp  open  imaps
995/tcp  open  pop3s
8080/tcp open  http-proxy

It seems that port 465 is open on the internal interface but closed on the external interface.

The config show ssmtpd output is:
ssmtpd=service
    Authentication=enabled
    Instances=10
    TCPPort=465
    access=public
    status=enabled

I did not edit any of the firewall rules.

Please help
Thanks in advance.

Offline zatnikatel

Re: ssmtp port 465 closed
« Reply #1 on: March 25, 2008, 12:51:32 PM »
Just use the port opening contrib, then you can open up that port via the server-manager.

Offline robbracken

Re: ssmtp port 465 closed
« Reply #2 on: March 25, 2008, 04:23:11 PM »
I have the same problem. I can't connect to SSMTP from the external interface. I've tried using Outlook, Outlook Express & Thunderbird. The server is set to use SSMTP in the server manager panel. IMAPS works OK, though.
Rob Bracken

Offline raem

Re: ssmtp port 465 closed
« Reply #3 on: March 25, 2008, 05:52:48 PM »
zoxer & robbracken

By default, at remote locations you need to configure your email clients to send via the local connection ISP's smtp server. This is a security measure to prevent unauthorised relaying.

Since sme7.0, authenticated ssmtp has been supported, as long as you enable it in the server manager panel.
You need to configure your email clients to use port 465 & 993 and select "Outgoing server requires authentication - Use same settings as my incoming mail server" and do not select "Log on using Secure Password Authentication".
If you are in server only mode, then you need to forward port 465 from your router to your sme server.


Alternatively you can connect using webmail, which is an application running on the server, so sending messages automatically goes via the sme's smtp server in that case.
« Last Edit: March 25, 2008, 10:05:21 PM by RayMitchell »
...

Offline raem

Re: ssmtp port 465 closed
« Reply #4 on: March 25, 2008, 05:56:11 PM »
robbracken

Quote
...The server is set to use SSMTP in the server manager panel.

...and exactly where is that setting in server manager ???
...

Offline robbracken

Re: ssmtp port 465 closed
« Reply #5 on: March 25, 2008, 06:49:37 PM »
Quote
robbracken

...and exactly where is that setting in server manager ???

Thanks for your reply, Ray.

e-mail -> change email reception settings -> SMTP Authentication -> Allow SSMTP (secure)
"You can provide external authenticated relay access to your SMTP server. The SSMTP setting requires users to send their username and password encrypted to your SMTP server. Allowing external authenticated relay access should only be used by experienced administrators. Relay access is always available on the internal inteface. We recommend leaving this setting Enabled unless you have a specific reason to do otherwise."

Have I misinterpreted this?

Rob Bracken

Offline raem

Re: ssmtp port 465 closed
« Reply #6 on: March 25, 2008, 09:31:46 PM »
robbracken & zoxer

My apologies, support for authenticated ssmtp came in with version 7.0, although it is disabled by default. The panel wording is also incorrect (it refers to Enabled rather than Disabled, there is a bug report for this).

I just tried this on a remote sme7.3 server and it works OK for me.

What is the configuration/arrangement of your server, network and Internet connection, i.e. is your server in server gateway mode, is it connected directly to the Internet via a bridged modem?

Alternatively, is it in server only mode, connected via a router/gateway to the Internet?
In this case, have you opened up port 465 and forwarded it to the sme server?

Did you change your email client to use ports 465 & 993?

Also follow the email client setup advice in this thread (use ports 465 & 993)
http://forums.contribs.org/index.php?topic=37211.0

Which says:

In your Outlook account properties, on the 'Outgoing Server' tab:
- Outgoing server requires authentication
- Use same settings as my incoming mail server
- DON'T select 'Log on using Secure Password Authentication'

On the 'Advanced' tab:
- select 'This server requires an encrypted connection (SSL)'
- change the Outgoing Server (SMTP): port from 25 to 465

If your SME is not your Internet gateway, make sure your gateway is passing traffic on port 465 to your SME server.

Check /var/log/sqpsmtpd/current on the SME - is the client ever connecting to SSMTP?

Open webmail from outside using https - is your system really unhappy with your certificate for some reason?

(These settings work for me...)
...

Offline robbracken

Re: ssmtp port 465 closed
« Reply #7 on: March 25, 2008, 10:18:03 PM »
Thanks, Ray.

The server is running in private server & gateway mode, behind a firewall. I've forwarded port 465 to it. I've done the same thing with port 993 for IMAPS & that works fine. I've checked that the Outlook settings are as you suggest, but still no joy.

Perhaps I should try running in "server & gateway" mode? Need to work out the implications of this.
Rob Bracken

Offline CharlieBrady

Re: ssmtp port 465 closed
« Reply #8 on: March 25, 2008, 11:56:15 PM »
Quote
just use the port opening contrib then you can open up that port via the server-manager

No, that is bad advice. Any service which is enabled in the server manager should already be fully enabled, otherwise there is a bug to be fixed.

In any case, nobody has yet diagnosed where the problem is.

zoxer, please show the output of:

netstat -tln | grep :465

Offline raem

Re: ssmtp port 465 closed
« Reply #9 on: March 26, 2008, 03:59:30 AM »
robbracken

Quote
The server is running in private server & gateway mode, behind a firewall. I've forwarded port 465 to it. I've done the same thing with port 993 for IMAPS & that works fine.

That's not really an appropriate setting.
Run "Configure this server" again, and set it for server only mode.
You have a separate firewall so you don't need the gateway function.
Private server & gateway mode disables all incoming services, as it says in the setup screen.

You only use one of the gateway modes when the server is directly connected via modem to the Internet and there is no other firewall.
« Last Edit: March 26, 2008, 04:03:26 AM by RayMitchell »
...

Offline robbracken

Re: ssmtp port 465 closed
« Reply #10 on: March 26, 2008, 10:19:29 AM »
Hmmm...

I'm planning to load dansguardian & use the server as an HTTP proxy for content filtering. That's why I've set it up as a gateway. I guess I could configure the firewall to only allow HTTP traffic from the server & force its use as a proxy.

You asked a couple of other questions:
There's no evidence in /var/log/sqpsmtpd/current that the client connected at all.
Yes I do get messages about invalid certificates, but for the moment I'm just telling the programs to carry on.

Charlie,

# netstat -tln | grep :465
tcp        0      0 0.0.0.0:465                 0.0.0.0:*                   LISTEN

HTH
Rob Bracken

Offline CharlieBrady

Re: ssmtp port 465 closed
« Reply #11 on: March 26, 2008, 05:00:11 PM »
Quote
I'm planning to load dansguardian & use the server as an HTTP proxy for content filtering. That's why I've set it up as a gateway.

That doesn't explain you setting it up to 'server & gateway private' though.

Quote
# netstat -tln | grep :465
tcp        0      0 0.0.0.0:465                 0.0.0.0:*                   LISTEN

That means that the ssmtp daemon is listening for external traffic. If it's not getting through, it's because the 'masq' script is blocking it (which I doubt) or because your ISP or external router is blocking it.
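
An added example, not part of the post above or of SME Server: it cross-checks `netstat -tln` output against an external nmap scan and lists ports that have a listener on all interfaces yet are not open from outside, which points at packet filtering (the server's own firewall, a router or the ISP) rather than at the daemon. The function names and both sample inputs are constructed, modelled on the output quoted in this thread.

```shell
#!/bin/sh
# Constructed samples modelled on the netstat and nmap output quoted in the thread.
NETSTAT_SAMPLE='tcp        0      0 0.0.0.0:25        0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:465       0.0.0.0:*         LISTEN
tcp        0      0 127.0.0.1:389     0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:995       0.0.0.0:*         LISTEN'

NMAP_EXTERNAL_SAMPLE='Not shown: 1675 filtered ports
PORT     STATE SERVICE
25/tcp   open  smtp
80/tcp   open  http
443/tcp  open  https
995/tcp  open  pop3s'

# Ports with a TCP listener bound to every interface (0.0.0.0 or ::).
# Listeners bound to a single address such as 127.0.0.1 are skipped,
# because they could never answer on the external interface anyway.
wildcard_listeners() {
    printf '%s\n' "$1" | awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
        n = split($4, part, ":")
        port = part[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "::") print port
    }' | sort -nu
}

# Ports the external nmap scan reports as open.
externally_open() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
        split($1, p, "/")
        print p[1]
    }' | sort -nu
}

# Listening on all interfaces locally, but not open from outside:
# the daemon is up, so something between scanner and socket drops the traffic.
listening_but_filtered() {
    for port in $(wildcard_listeners "$1"); do
        externally_open "$2" | grep -qx "$port" || printf '%s\n' "$port"
    done
}

listening_but_filtered "$NETSTAT_SAMPLE" "$NMAP_EXTERNAL_SAMPLE"
```

On a live system, pass the real output instead, for example `listening_but_filtered "$(netstat -tln)" "$(cat external-scan.txt)"`, where `external-scan.txt` is a hypothetical file holding the scan taken from outside.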



Offline robbracken

Re: ssmtp port 465 closed
« Reply #12 on: April 20, 2008, 09:26:53 PM »
Finally got a chance to try this out.
I've set it to "Server & Gateway" (changed from "Private Server & Gateway") & now the secure SMTP port is open on the external i/f & I can use it to send email.

Rob Bracken