On Mon, Oct 22, 2018 at 08:37:25PM -0400, trondd wrote:
> Unless I'm confused, it seems the description of the smarthosts smtps and
> smtp+tls are reversed in the smtpd.conf man page.
>

You are confused ;-)


> My log seemed to back this up.  When using smtp+tls, which the man page said
> uses STARTTLS but seems to actually use TLS which my ISP does not:
> 
> Oct 21 21:42:58 ember smtpd[41596]: ca9dba5e7f80e6ca mta connecting 
> address=smtp+tls://68.87.20.6:465 host=omta-ch2.sys.comcast.net
> Oct 21 21:42:58 ember smtpd[41596]: ca9dba5e7f80e6ca mta connected
> Oct 21 21:43:59 ember smtpd[41596]: ca9dba5e7f80e6ca mta error 
> reason=Connection closed unexpectedly
> 

You are mistaking smtps and smtp+tls:

In an smtps session, the TLS negotiation takes place during the connection so
client and server are already in a secure channel when the SMTP session gets
started.

In an smtp+tls session, the TLS negotiation takes place after the session has
started in plaintext through the use of the STARTTLS SMTP extension.

In your example here, you are using smtp+tls on a host that expects smtps so
the TLS negotiation can't play out and you're kicked out.


> And with smtps, which the man page said uses TLS, logs show STARTTLS:
> 
> Oct 21 22:02:06 ember smtpd[66745]: a9193b70dbc40df0 mta connecting 
> address=smtps://68.87.20.6:465 host=omta-ch2.sys.comcast.net
> Oct 21 22:02:06 ember smtpd[66745]: a9193b70dbc40df0 mta connected
> Oct 21 22:02:06 ember smtpd[66745]: a9193b70dbc40df0 mta starttls 
> ciphers=version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
> Oct 21 22:02:06 ember smtpd[66745]: smtp-out: Server certificate verification 
> succeeded on session a9193b70dbc40df0
> 

TLS and STARTTLS are essentially the same as far as you're concerned.

smtpd will _always_ display a 'starttls' log line when the TLS channel starts,
disregarding if TLS was started at connect time (smtps) or within the protocol
(smtp+tls, or even smtp since it does opportunistic tls).

The only issue here is that you attempted to connect in plaintext then upgrade
a session on a host that didn't speak plaintext and expected sessions to speak
TLS from the start.

-- 
Gilles Chehade

https://www.poolp.org                                          @poolpOrg
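The scheme/port mismatch Gilles describes can be spotted from the same log
lines. What follows is an added example, not code from this thread or from
OpenSMTPD: a Python script that groups OpenSMTPD "mta" log lines by session id,
records whether a 'starttls' line and a certificate-verification line appeared,
and flags sessions whose relay URL scheme does not fit the port it connected to.
The sample log is a constructed copy of the lines quoted above (wrapped lines
joined), the regexes are written against those line shapes rather than any
official log grammar, and the port convention (465 expects TLS from the first
byte, 25 and 587 expect a plaintext greeting followed by STARTTLS) is my
assumption drawn from RFC 8314 and RFC 6409, not something OpenSMTPD enforces.

```python
import re

# Conventional ports (assumption drawn from RFC 8314 / RFC 6409, not from
# OpenSMTPD): 465 expects TLS from the first byte, 587 and 25 expect a
# plaintext greeting followed by STARTTLS.
IMPLICIT_TLS_PORTS = {465}
STARTTLS_PORTS = {25, 587}

# Constructed sample: the log lines quoted in the thread, one per line.
SAMPLE_LOG = """\
Oct 21 21:42:58 ember smtpd[41596]: ca9dba5e7f80e6ca mta connecting address=smtp+tls://68.87.20.6:465 host=omta-ch2.sys.comcast.net
Oct 21 21:42:58 ember smtpd[41596]: ca9dba5e7f80e6ca mta connected
Oct 21 21:43:59 ember smtpd[41596]: ca9dba5e7f80e6ca mta error reason=Connection closed unexpectedly
Oct 21 22:02:06 ember smtpd[66745]: a9193b70dbc40df0 mta connecting address=smtps://68.87.20.6:465 host=omta-ch2.sys.comcast.net
Oct 21 22:02:06 ember smtpd[66745]: a9193b70dbc40df0 mta connected
Oct 21 22:02:06 ember smtpd[66745]: a9193b70dbc40df0 mta starttls ciphers=version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
Oct 21 22:02:06 ember smtpd[66745]: smtp-out: Server certificate verification succeeded on session a9193b70dbc40df0
"""

# Regexes written against the line shapes above (assumed, not an official grammar).
_CONNECTING = re.compile(
    r"smtpd\[\d+\]: (?P<sid>[0-9a-f]{16}) mta connecting "
    r"address=(?P<scheme>[a-z+]+)://(?P<addr>[^:\s]+):(?P<port>\d+)"
    r"(?: host=(?P<host>\S+))?"
)
_EVENT = re.compile(
    r"smtpd\[\d+\]: (?P<sid>[0-9a-f]{16}) mta "
    r"(?P<event>connected|starttls|error)(?: (?P<detail>.*))?$"
)
_VERIFY = re.compile(
    r"smtp-out: Server certificate verification (?P<result>succeeded|failed) "
    r"on session (?P<sid>[0-9a-f]{16})"
)


def parse_sessions(log_text):
    """Group mta lines by session id; record TLS, verification and error state."""
    sessions = {}
    for line in log_text.splitlines():
        m = _CONNECTING.search(line)
        if m:
            sessions[m["sid"]] = {
                "scheme": m["scheme"], "addr": m["addr"], "port": int(m["port"]),
                "host": m["host"],
                "tls": None,       # cipher details once a 'starttls' line is seen
                "verified": None,  # True/False from the smtp-out verification line
                "error": None,     # text after 'mta error reason='
            }
            continue
        m = _EVENT.search(line)
        if m and m["sid"] in sessions:
            s, detail = sessions[m["sid"]], m["detail"] or ""
            if m["event"] == "starttls":
                s["tls"] = detail
            elif m["event"] == "error":
                s["error"] = detail[len("reason="):] if detail.startswith("reason=") else detail
            continue
        m = _VERIFY.search(line)
        if m and m["sid"] in sessions:
            sessions[m["sid"]]["verified"] = m["result"] == "succeeded"
    return sessions


MODES = {
    "smtps": "TLS before any SMTP byte",
    "smtp+tls": "plaintext greeting, then mandatory STARTTLS",
    "smtp": "plaintext greeting, then opportunistic STARTTLS",
}


def classify(s):
    """Return (verdict, explanation) for one relay session."""
    mode = MODES.get(s["scheme"])
    if mode is None:
        return "unknown", f"unrecognised scheme {s['scheme']!r}"
    if s["tls"] is not None:
        # smtpd logs 'starttls' for smtps too, so this line means "TLS is up"
        # for every scheme; it is not evidence that STARTTLS was used.
        if s["verified"] is False:
            return "untrusted", f"{mode}; TLS up but certificate verification failed"
        return "ok", f"{mode}; TLS up ({s['tls']})"
    if s["scheme"] != "smtps" and s["port"] in IMPLICIT_TLS_PORTS:
        # Client waits for a 220 greeting, server waits for a ClientHello;
        # neither sends, so the session idles until one side gives up.
        return "mismatch", (f"{s['scheme']}:// to port {s['port']}, which expects TLS "
                            f"from the first byte; use smtps:// (error: {s['error']})")
    if s["scheme"] == "smtps" and s["port"] in STARTTLS_PORTS:
        return "mismatch", (f"smtps:// to port {s['port']}, which expects a plaintext "
                            f"greeting; use smtp+tls:// (error: {s['error']})")
    if s["error"]:
        return "failed", f"{mode}; {s['error']}"
    return "incomplete", f"{mode}; no TLS or error recorded"


def report(log_text):
    """Map each session id to its verdict."""
    return {sid: classify(s)[0] for sid, s in parse_sessions(log_text).items()}


if __name__ == "__main__":
    for sid, s in parse_sessions(SAMPLE_LOG).items():
        verdict, why = classify(s)
        print(f"{sid} {s['scheme']}://{s['addr']}:{s['port']} -> {verdict}: {why}")
```

Run against the sample, the first session (smtp+tls:// to port 465, no
'starttls' line, error a minute after connect) comes out as "mismatch" and the
second (smtps:// to 465, 'starttls' line plus successful verification) as "ok".
The one-minute gap between "connected" and the error in the first session is
what you would expect from two sides each waiting for the other to speak first.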
