Getting postfix to relay SMTP/SSL/TLS to Charter/Spectrum

Nstevens asked:

I’m running Postfix on Debian as an MX for a small LAN and trying to get SMTPS working with over port 587. I followed a few links off google for setting this up along with a post on serverfault with a similar question. I’ve tried sending a few emails but getting this error about "initial server greeting" in the mail log:

 Nov 17 03:39:14 edgemx postfix/smtp[30355]: 9B39AA4: to=<[email protected]>,[]:587, delay=473, delays=173/0.03/300/0, dsn=4.4.2, status=deferred (conversation with[] timed out while receiving the initial server greeting)

I ran a tcpdump on port 587 while sending and I don’t see the certificate transfer happening between Postfix and Charter. There’s like three SYN packets and that’s it. If I use openssl in client mode to connect, the tcpdump traffic is much different and I can see a cert transfer happen.

openssl s_client -connect

Anyone know what’s up? What is openssl doing that Postfix isnt?
relevant SASL/SSL edits in are below.

smtp_sasl_auth_enable         = yes
smtp_sasl_password_maps       = hash:/etc/postfix/relayhost_passwd
smtp_sasl_security_options    = noanonymous
smtp_use_tls                  = yes
smtp_tls_security_level       = encrypt
relayhost                     = []:587
smtp_tls_mandatory_ciphers    = high

relayhost_passwd file (postmap’d already)

[]:587      [email protected]:sUp3rS3kr1t

My answer:

The remote mail server you are trying to reach is misconfigured.

On port 587 a mail server should answer in plain text and expect the originator to send the STARTTLS command to begin TLS negotiation.

This mail server is not doing this. Instead it is immediately going to TLS negotiation (implicit TLS). This is the expected behavior for port 465 (on which it is behaving exactly the same, which is correct for that port).

You can work around this broken behavior by setting smtp_tls_wrappermode:

smtp_tls_wrappermode = yes

Also consider changing the port from 587 to 465 (you’ll still need to add the above setting), as when the mail server administrators fix their misconfiguration, your delivery would break again.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.