MTA-STS failure for gmail.com: STARTTLS not supported

Parrish Reinoehl - 02:25pm, Jun 29 2020

I just upgraded a customer to MDaemon v20 this weekend. Today they are having issues with mail delivery failing. It appears to be primarily to Gmail accounts. The error is 'MTA-STS failure for gmail.com: STARTTLS not supported'.
I assume this is due to the new MTA-STS implementation in version 20. I need to resolve this ASAP. At the very least I need to know how to disable MTA-STS on the MDaemon server side. I dug through all of the settings and found zero mention of MTA-STS anywhere.


Parrish Reinoehl - Jun 30, 2020 8:59 am (#4 Total: 5)  

 

Thanks Aaron,
I agree, I want to get the issues resolved so STARTTLS and the new MTA-STS can be utilized.
Here is a snippet of the log file when MTA-STS was enabled and failing for delivery to gmail:

Mon 2020-06-29 08:21:20.313: 05: Attempting SMTP connection to alt1.gmail-smtp-in.l.google.com
Mon 2020-06-29 08:21:20.313: 05: Resolving A record for alt1.gmail-smtp-in.l.google.com (DNS Server: 192.168.1.15)...
Mon 2020-06-29 08:21:20.314: 05: * D=alt1.gmail-smtp-in.l.google.com TTL=(2) A=[142.250.96.26]
Mon 2020-06-29 08:21:20.314: 05: Attempting SMTP connection to 142.250.96.26:25
Mon 2020-06-29 08:21:20.315: 05: Waiting for socket connection...
Mon 2020-06-29 08:21:20.368: 05: * Connection established 192.168.1.15:64653 --> 142.250.96.26:25
Mon 2020-06-29 08:21:20.368: 05: Waiting for protocol to start...
Mon 2020-06-29 08:21:20.426: 02: <-- 220 mx.google.com ESMTP 23si31849886ybf.120 - gsmtp
Mon 2020-06-29 08:21:20.442: 03: --> EHLO mail.cassopolis-mi.us
Mon 2020-06-29 08:21:20.486: 02: <-- 250-mx.google.com at your service, [75.150.218.73]
Mon 2020-06-29 08:21:20.486: 02: <-- 250 SIZE 157286400
Mon 2020-06-29 08:21:20.486: 08: MTA-STS failure for gmail.com: STARTTLS not supported
Mon 2020-06-29 08:21:20.486: 04: MTA-STS requires STARTTLS for gmail.com
Mon 2020-06-29 08:21:20.486: 03: --> QUIT

Here is a current connection where MTA-STS is disabled (and STARTTLS is still enabled in MDaemon). You can see that STARTTLS never comes into play:

Tue 2020-06-30 00:04:32.813: 05: Attempting SMTP connection to gmail-smtp-in.l.google.com
Tue 2020-06-30 00:04:32.813: 05: Resolving A record for gmail-smtp-in.l.google.com (DNS Server: 192.168.1.15)...
Tue 2020-06-30 00:04:32.819: 05: * D=gmail-smtp-in.l.google.com TTL=(4) A=[172.217.214.27]
Tue 2020-06-30 00:04:32.820: 05: Attempting SMTP connection to 172.217.214.27:25
Tue 2020-06-30 00:04:32.820: 05: Waiting for socket connection...
Tue 2020-06-30 00:04:32.850: 05: * Connection established 192.168.1.15:63103 --> 172.217.214.27:25
Tue 2020-06-30 00:04:32.850: 05: Waiting for protocol to start...
Tue 2020-06-30 00:04:32.930: 02: <-- 220 mx.google.com ESMTP q14si2388851iow.3 - gsmtp
Tue 2020-06-30 00:04:32.944: 03: --> EHLO mail.cassopolis-mi.us
Tue 2020-06-30 00:04:32.978: 02: <-- 250-mx.google.com at your service, [75.150.218.73]
Tue 2020-06-30 00:04:32.978: 02: <-- 250 SIZE 157286400
Tue 2020-06-30 00:04:32.979: 03: --> MAIL From:<prvs=1449187ef0=xxxxxxxx@cassopolis-mi.us> SIZE=7332
Tue 2020-06-30 00:04:33.004: 02: <-- 250 2.1.0 OK q14si2388851iow.3 - gsmtp
Tue 2020-06-30 00:04:33.004: 03: --> RCPT To:<xxxxxx.gmail.com>
Tue 2020-06-30 00:04:33.079: 02: <-- 250 2.1.5 OK q14si2388851iow.3 - gsmtp
Tue 2020-06-30 00:04:33.079: 03: --> DATA
Tue 2020-06-30 00:04:33.080: 02: <-- 354 Start mail input; end with <CRLF>.<CRLF>
Tue 2020-06-30 00:04:33.080: 01: Sending <c:\mdaemon\queues\remote\retry\pd9001000000128.msg> to [172.217.214.27]
Tue 2020-06-30 00:04:33.081: 01: Transfer Complete

Here's a snippet of an Nmap scan for SMTP against ports 25, 465, and 587. The interesting thing is that STARTTLS is being advertised on port 587 but not on 25.

PORT    STATE SERVICE
25/tcp  open  smtp
|_smtp-commands: mail.cassopolis-mi.us Hello mail.cassopolis-mi.us [24.35.xx.xx], pleased to meet you, AUTH LOGIN CRAM-MD5 PLAIN, SIZE,

465/tcp open  smtps
|_smtp-commands: mail.cassopolis-mi.us Hello mail.cassopolis-mi.us [24.35.xx.xx], pleased to meet you, ETRN, AUTH LOGIN CRAM-MD5 PLAIN, 8BITMIME, ENHANCEDSTATUSCODES, REQUIRETLS, SIZE,

587/tcp open  submission
|_smtp-commands: mail.cassopolis-mi.us Hello mail.cassopolis-mi.us [24.35.xx.xx], pleased to meet you, AUTH LOGIN CRAM-MD5 PLAIN, 8BITMIME, ENHANCEDSTATUSCODES, STARTTLS, SIZE,

Lastly, here is a screen grab of the security manager settings. This is the currently running config.

Attachments:

mdaemon.JPG (119 KB) (251 Downloads)


Parrish Reinoehl - Jul 1, 2020 7:48 pm (#5 Total: 5)  

 

Thanks to some suggestions from David C. at your support department, this has been fully resolved. Turns out the issue was due to the router/UTM appliance at this site not allowing TLS connections. The site is using Untangle and had the Spam Blocker application installed and active. Digging through the settings we found, under the Advanced SMTP Configuration, an option titled 'Allow and ignore TLS sessions'. Enabling that option was the fix. Now STARTTLS is presenting as a command and MTA-STS is also working correctly when sending emails to gmail.com.
Might be something good to put in the MDaemon FAQ?
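
An added example, not part of the original posts and not MDaemon code: a Python check over session logs in the format posted above that lists the extensions each peer offered in its EHLO reply and flags connections where STARTTLS was missing, the symptom the filtering appliance produced in this thread. The sample log is constructed (documentation hostnames and addresses), and the function names are hypothetical.

```python
import re

# Constructed sample in the log format posted above (documentation hosts/addresses).
SAMPLE_LOG = """\
Mon 2020-06-29 08:21:20.368: 05: * Connection established 192.0.2.15:64653 --> 198.51.100.26:25
Mon 2020-06-29 08:21:20.442: 03: --> EHLO mail.example.org
Mon 2020-06-29 08:21:20.486: 02: <-- 250-mx.example.net at your service
Mon 2020-06-29 08:21:20.486: 02: <-- 250 SIZE 157286400
Mon 2020-06-29 08:21:20.486: 08: MTA-STS failure for example.net: STARTTLS not supported
Mon 2020-06-29 08:21:20.486: 03: --> QUIT
Wed 2020-07-01 19:40:02.100: 05: * Connection established 192.0.2.15:64700 --> 198.51.100.27:25
Wed 2020-07-01 19:40:02.160: 03: --> EHLO mail.example.org
Wed 2020-07-01 19:40:02.200: 02: <-- 250-mx.example.net at your service
Wed 2020-07-01 19:40:02.200: 02: <-- 250 STARTTLS
Wed 2020-07-01 19:40:02.210: 03: --> STARTTLS
"""

LINE = re.compile(r"^\w{3} [\d-]+ [\d:.]+: \d\d: (.*)$")
ESTABLISHED = re.compile(r"\* Connection established \S+ --> (\S+)")

def audit_sessions(log_text):
    """Return one dict per connection: peer, EHLO capabilities, STARTTLS/MTA-STS flags."""
    sessions, cur, in_ehlo = [], None, False
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1)
        est = ESTABLISHED.match(msg)
        if est:  # a new TCP connection starts a new session record
            cur = {"peer": est.group(1), "ehlo": [], "mta_sts_failure": False}
            sessions.append(cur)
            in_ehlo = False
        elif cur is None:
            continue
        elif msg.startswith("--> "):  # any client command ends the EHLO reply
            in_ehlo = msg[4:].upper().startswith("EHLO")
        elif in_ehlo and re.match(r"<-- 250[- ]", msg):
            cur["ehlo"].append(msg[8:])  # strip the "<-- 250-" / "<-- 250 " prefix
        elif msg.startswith("MTA-STS failure"):
            cur["mta_sts_failure"] = True
    for s in sessions:
        # The first reply line is the greeting; later lines are extension keywords.
        s["capabilities"] = {l.split()[0].upper() for l in s.pop("ehlo")[1:] if l.strip()}
        s["starttls_offered"] = "STARTTLS" in s["capabilities"]
    return sessions

def peers_without_starttls(log_text):
    return [s["peer"] for s in audit_sessions(log_text) if not s["starttls_offered"]]
```

A peer that shows up here without STARTTLS while the sender logs an MTA-STS failure for its domain is worth comparing against an EHLO taken from outside the local network path.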


