Re: [courier-users] Amazon SES "/SECURITY=REQUIRED set, but TLS is not available"

2017-03-15 Thread Sam Varshavchik

SZÉPE Viktor writes:

> Thank you for your answer.
>
> $ grep ^TLS_VERIFYPEER /etc/courier/*
> /etc/courier/courierd:TLS_VERIFYPEER=NONE
> /etc/courier/esmtpd:TLS_VERIFYPEER=NONE


Look in /proc and verify what TLS_VERIFYPEER is set to. This is a certificate verification error, and TLS_VERIFYPEER=NONE disables it.


Also verify that TLS_TRUSTCERTS is pointing to your trusted certificate authority list. With the CA certs on Fedora in /etc/pki/tls/cert.pem:


$ addcr | TLS_VERIFYPEER=PEER TLS_TRUSTCERTS=/etc/pki/tls/cert.pem ./couriertls -host=email-smtp.us-west-2.amazonaws.com -port=587 -protocol=smtp
220 email-smtp.amazonaws.com ESMTP SimpleEmailService-1868680227 mCOkgyUFhRGTqHk4KAqP

EHLO octopus.email-scan.com
250-email-smtp.amazonaws.com
250-8BITMIME
250-SIZE 10485760
250-STARTTLS
250-AUTH PLAIN LOGIN
250 Ok
STARTTLS
220 Ready to start TLS
EHLO www.courier-mta.com
250-email-smtp.amazonaws.com
250-8BITMIME
250-SIZE 10485760
250-STARTTLS
250-AUTH PLAIN LOGIN
250 Ok





--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
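The two checks behind the error string, as an added example written for this page (not Courier's code): parsing the EHLO reply for STARTTLS, and matching the certificate's names against the host the client was configured to connect to rather than the name in the 220 banner. The EHLO text is taken from the couriertls session above; the certificate dict is constructed (subject and issuer are the ones quoted from openssl s_client, the subjectAltName entry is assumed), and no chain validation is performed, which is the part TLS_TRUSTCERTS governs.

```python
# Constructed from the EHLO exchange quoted in the thread.
EHLO_REPLY = ("250-email-smtp.amazonaws.com\r\n250-8BITMIME\r\n250-SIZE 10485760\r\n"
              "250-STARTTLS\r\n250-AUTH PLAIN LOGIN\r\n250 Ok\r\n")

# Constructed certificate in the dict shape ssl.SSLSocket.getpeercert() returns.
# Subject/issuer as quoted from openssl s_client; the SAN entry is an assumption.
SES_CERT = {
    "subject": ((("organizationName", "Amazon.com, Inc."),),
                (("commonName", "email-smtp.us-west-2.amazonaws.com"),)),
    "issuer": ((("organizationName", "Symantec Corporation"),),
               (("commonName", "Symantec Class 3 Secure Server CA - G4"),)),
    "subjectAltName": (("DNS", "email-smtp.us-west-2.amazonaws.com"),),
}


def parse_ehlo(reply: str) -> dict:
    """Map EHLO keywords to parameters, e.g. {'STARTTLS': [], 'AUTH': ['PLAIN', 'LOGIN']}."""
    lines = [l[4:] for l in reply.splitlines() if l[:3] == "250"]
    caps = {}
    for line in lines[1:]:          # first 250 line is the server's domain, not a keyword
        words = line.split()
        if words:
            caps[words[0].upper()] = words[1:]
    return caps


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style: exact match, or '*' as the whole left-most label covering
    exactly one label (so '*.example.com' covers neither 'example.com' nor 'a.b.example.com')."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    return p == h or (len(p) == len(h) >= 3 and p[0] == "*" and p[1:] == h[1:])


def cert_covers_host(cert: dict, host: str) -> bool:
    """Check dNSName SANs; fall back to the subject CN only if there are no dNSName SANs."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(name_matches(n, host) for n in names)


def starttls_verdict(reply: str, cert: dict, configured_host: str, verifypeer: str) -> str:
    """'ok', or why delivery would be refused under /SECURITY=REQUIRED (name check only)."""
    if "STARTTLS" not in parse_ehlo(reply):
        return "TLS is not available"
    if verifypeer.upper() != "NONE" and not cert_covers_host(cert, configured_host):
        return "certificate does not match " + configured_host
    return "ok"
```

Verifying against the banner name (email-smtp.amazonaws.com) would fail here, while the configured host passes; TLS_VERIFYPEER=NONE skips the name check entirely.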


Re: [courier-users] Amazon SES "/SECURITY=REQUIRED set, but TLS is not available"

2017-03-15 Thread SZÉPE Viktor
Quoting Sam Varshavchik:

> SZÉPE Viktor writes:
>
>> 6) telnet email-smtp.us-west-2.amazonaws.com 587
>> 220 email-smtp.amazonaws.com ESMTP SimpleEmailService-1868680227
>> MmKC14V2dPS1oRPRtSjF
>>
>> Courier says: /SECURITY=REQUIRED set, but TLS is not available
>> Could it be that Courier compares the SMTP banner
>> (email-smtp.amazonaws.com) to the certificate CN, not the specified
>> host name (email-smtp.us-west-2.amazonaws.com) ?
>
> Looks like that server uses a self-signed certificate, and if it's not added to your trusted certificate store, TLS negotiation will fail.
>
> You would think that Amazon has the resources to pay itself a few bucks each year, for a properly signed certificate.
>
> You'll have to reset TLS_VERIFYPEER to NONE, in the esmtpd-ssl config file.

Thank you for your answer.

$ grep ^TLS_VERIFYPEER /etc/courier/*
/etc/courier/courierd:TLS_VERIFYPEER=NONE
/etc/courier/esmtpd:TLS_VERIFYPEER=NONE

esmtpd-ssl is not installed (on Debian it is the courier-mta-ssl package)

Amazon has a properly signed certificate.

Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4

You may get it by
openssl s_client -connect email-smtp.us-west-2.amazonaws.com:587 -starttls smtp -crlf

Please try adding this to esmtproutes
#: email-smtp.us-west-2.amazonaws.com,587 /SECURITY=REQUIRED

and this to esmtpauthclient
email-smtp.us-west-2.amazonaws.com,587 SOMEID SOMEKEY

and try to send a simple email with courier.

I do hope Amazon SES is supported.

Thank you!



SZÉPE Viktor
https://github.com/szepeviktor/debian-server-tools/blob/master/CV.md
-- 
+36-20-4242498  s...@szepe.net  skype: szepe.viktor
Budapest, District III







Re: [courier-users] Amazon SES "/SECURITY=REQUIRED set, but TLS is not available"

2017-03-15 Thread Sam Varshavchik

SZÉPE Viktor writes:

> 6) telnet email-smtp.us-west-2.amazonaws.com 587
> 220 email-smtp.amazonaws.com ESMTP SimpleEmailService-1868680227 MmKC14V2dPS1oRPRtSjF
>
> Courier says: /SECURITY=REQUIRED set, but TLS is not available
> Could it be that Courier compares the SMTP banner
> (email-smtp.amazonaws.com) to the certificate CN, not the specified
> host name (email-smtp.us-west-2.amazonaws.com) ?


Looks like that server uses a self-signed certificate, and if it's not added to your trusted certificate store, TLS negotiation will fail.

You would think that Amazon has the resources to pay itself a few bucks each year, for a properly signed certificate.


You'll have to reset TLS_VERIFYPEER to NONE, in the esmtpd-ssl config file.





[courier-users] Amazon SES "/SECURITY=REQUIRED set, but TLS is not available"

2017-03-15 Thread SZÉPE Viktor

Hello!

I hope Amazon SES is "supported" by courier.

0) courier 0.73.1-1.6 libssl 1.0.1t-1+deb8u6

1) SES requires STARTTLS, so without /SECURITY=REQUIRED
SES says: 530 Must issue a STARTTLS command first

2) TLS_VERIFYPEER=NONE in courierd

3) openssl s_client -connect email-smtp.us-west-2.amazonaws.com:587 -starttls smtp -crlf
says:

subject=/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=email-smtp.us-west-2.amazonaws.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4

Verify return code: 0 (ok)

4) ECDHE-RSA-AES256-GCM-SHA384 is used during s_client, it is in TLS_CIPHER_LIST

5) in esmtproutes:
: email-smtp.us-west-2.amazonaws.com,587 /SECURITY=REQUIRED

6) telnet email-smtp.us-west-2.amazonaws.com 587
220 email-smtp.amazonaws.com ESMTP SimpleEmailService-1868680227 MmKC14V2dPS1oRPRtSjF

Courier says: /SECURITY=REQUIRED set, but TLS is not available
Could it be that Courier compares the SMTP banner (email-smtp.amazonaws.com) to the certificate CN, not the specified host name (email-smtp.us-west-2.amazonaws.com) ?

Thank you!



SZÉPE Viktor
https://github.com/szepeviktor/debian-server-tools/blob/master/CV.md
-- 
+36-20-4242498  s...@szepe.net  skype: szepe.viktor
Budapest, District III




