Koozali.org: home of the SME Server

Help needed understanding why my SME10 box rejects this message

Offline Michail Pappas

  • *
  • 319
  • +1/-0
Re: Help needed understanding why my SME10 box rejects this message
« Reply #15 on: June 19, 2022, 06:08:25 PM »
I'm sorry but I do not understand. Which settings are used? The ones under /etc/qpsmtpd or the ones under /var/service/qpsmtpd ?

Offline Jean-Philippe Pialasse

  • *
  • 2,277
  • +8/-0
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Help needed understanding why my SME10 box rejects this message
« Reply #16 on: June 19, 2022, 06:28:30 PM »
I'm sorry but I do not understand. Which settings are used? The ones under /etc/qpsmtpd or the ones under /var/service/qpsmtpd ?

what is unclear in
Quote
we only use the /var/service
« Last Edit: June 19, 2022, 06:31:34 PM by Jean-Philippe Pialasse »

Offline Michail Pappas

  • *
  • 319
  • +1/-0
Re: Help needed understanding why my SME10 box rejects this message
« Reply #17 on: June 19, 2022, 07:46:51 PM »
what is unclear in
The "... for historical reasons" part threw me off, thanks for the clarification.

Offline Michail Pappas

  • *
  • 319
  • +1/-0
Re: Help needed understanding why my SME10 box rejects this message
« Reply #18 on: June 20, 2022, 12:45:54 PM »
The admins of this server responded very fast, by contacting me and fixing the EHLO part (even though qpsmtpd has a lenient helo policy). Their box is an Exchange system, recently updated to the 2019 version.

Now incoming messages fail, due to some sort of TLS issue:
Code: [Select]
2022-06-20 13:34:08.235379500 3360 Accepted connection 1/40 from 84.205.251.179 / mail.synigoros.gr
2022-06-20 13:34:08.235629500 3360 Connection from mail.synigoros.gr [84.205.251.179]
2022-06-20 13:34:09.381734500 3360 (connect) earlytalker: pass, not spontaneous
2022-06-20 13:34:09.384584500 3360 (connect) relay: skip, no match
2022-06-20 13:34:09.631119500 3360 (connect) dnsbl: pass
2022-06-20 13:34:09.631820500 3360 220 myhost ESMTP
2022-06-20 13:34:09.645727500 3360 dispatching EHLO mail.synigoros.gr
2022-06-20 13:34:09.648011500 3360 (ehlo) helo: pass
2022-06-20 13:34:09.648012500 3360 250-mydomain Hi mail.synigoros.gr [84.205.251.179]
2022-06-20 13:34:09.648012500 3360 250-PIPELINING
2022-06-20 13:34:09.648013500 3360 250-8BITMIME
2022-06-20 13:34:09.648013500 3360 250-SIZE 30000000
2022-06-20 13:34:09.648013500 3360 250-STARTTLS
2022-06-20 13:34:09.648013500 3360 250 AUTH PLAIN LOGIN
2022-06-20 13:34:09.660061500 3360 dispatching STARTTLS
2022-06-20 13:34:09.660209500 3360 220 Go ahead with TLS
2022-06-20 13:34:09.677251500 3360 (deny) logging::logterse: ` 84.205.251.179   mail.synigoros.gr       mail.synigoros.gr                       tls     901     TLS Negotiation Failed  msg denied before queued
2022-06-20 13:34:09.677456500 3360 500 TLS Negotiation Failed

Does anyone have any experience with this M$ BS? What should I be looking for?

EDIT: Is this possibly related to this? https://bugs.koozali.org/show_bug.cgi?id=11550
« Last Edit: June 20, 2022, 12:48:14 PM by Michail Pappas »

Offline Michail Pappas

  • *
  • 319
  • +1/-0
Re: Help needed understanding why my SME10 box rejects this message
« Reply #19 on: June 20, 2022, 12:56:43 PM »
It seems that upon unsuccesful try, the sending server re-sends without encryption. I've received the message, so it is alright I presume?

(Mental note: I see that my box receives Gmail with TLS from the looks of it, so perhaps there's something at work with the exchange that does not allow sending over TLS to my box? )

Offline Jean-Philippe Pialasse

  • *
  • 2,277
  • +8/-0
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Help needed understanding why my SME10 box rejects this message
« Reply #20 on: June 20, 2022, 01:18:21 PM »
you can increase log verbosity. see wiki to find how.

However from what you show the sending smtp tries to login as user with password.
250 AUTH PLAIN LOGIN 
It is not supposed to do so. This is only for your client this option.

Offline mmccarn

  • *
  • 2,588
  • +8/-0
Re: Help needed understanding why my SME10 box rejects this message
« Reply #21 on: June 20, 2022, 04:59:07 PM »
(Mental note: I see that my box receives Gmail with TLS from the looks of it, so perhaps there's something at work with the exchange that does not allow sending over TLS to my box? )

I found this KB article from Microsoft saying Exchange 2019 uses TLS1.0 & TLS1.1 until a patch is installed:
https://support.microsoft.com/en-us/topic/tls-1-2-is-not-set-as-default-after-you-install-exchange-2019-with-edge-transport-role-kb5004617-fbf80ea2-365c-4a19-bbcc-7ac7b87f58d7

Security settings for outbound email delivery from gmail can be seen here (scroll down to "Outbound server ciphers"):
https://support.google.com/a/answer/9795993?hl=en

If your SME server is configure to allow only TLS1.2, an unpatched Exchange 2019 server would not be able to connect.

Offline Jean-Philippe Pialasse

  • *
  • 2,277
  • +8/-0
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Help needed understanding why my SME10 box rejects this message
« Reply #22 on: June 20, 2022, 06:45:05 PM »
thanks Mmccarn
this is SME 10 default considering you might accept auth. 

Michail, you will start to prove helpfull to your contact in helping him configuring his server.

Offline Michail Pappas

  • *
  • 319
  • +1/-0
Re: Help needed understanding why my SME10 box rejects this message
« Reply #23 on: June 20, 2022, 08:08:10 PM »
@mmccarn thanks for the info!

Coupled with what Jean advised, I've got a level 8 dump from the same sender, but I did not have time to sanitize and upload here. What's strange though is that this time there was no double sending of the file... Not sure why that happened, or whether I've missed the second, plaintext version of the message. Up to and including Wednesday I've got some pretty difficult days coming up.

But it will be a good thing to be able to help those guys fix their server: their organization is a NGO dealing with consumer allegations of company wrongdoings...


Offline Jean-Philippe Pialasse

  • *
  • 2,277
  • +8/-0
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Help needed understanding why my SME10 box rejects this message
« Reply #24 on: June 21, 2022, 02:27:31 AM »
perhaps they are good candidates to migrate to SME ;)

Offline Michail Pappas

  • *
  • 319
  • +1/-0
Re: Help needed understanding why my SME10 box rejects this message
« Reply #25 on: June 21, 2022, 06:35:47 AM »
perhaps they are good candidates to migrate to SME ;)
With the amount of effort MS is trying to lure govmt and NGOs to Azure/E365 and other technologies, it's like trying to save people that have gone the Borg way :(

Anyways, this is the verbose log I've got: https://pastebin.com/R2KfJ1tU
Notice that there is no attempt to send TLS'ed first; the message here is sent directly plain if I understand correctly.

This domain has three MX servers though. This last one seems to have been sent from the third one, whereas the case with the problem originated from their first server. Any chance that the first server alone is misconfigured?