Debugging a TLS session on error 5.7.1

Hello,

I have a connection to an external SMTP host which is aborted due to missing TLS encryption (571 5.7.1 Session encryption is required).

TLS sessions are established to various external systems and to internal systems; only this one fails. So I think that the TLS configuration fits.

In the log I see the connection establishment and that the STARTTLS feature is offered by the external host. The SMG ignores this and immediately sends the “MAIL FROM” and “RCPT TO” headers. The result is the error 571.

I have started an “openssl s_client -starttls smtp -connect .....” session from the same SMG host to the problematic target host and this is successful for TLS1.2 or TLS1.3.

How can I debug what the SMG SMTP service is doing or not doing? Can individual hosts be handled separately for TLS? Any ideas?

Kind regards,

Michael

  • Verified Answer

    If in the SMTP Interface of your SMG System, below “External Delivery”, the connection security is at least set to “auto”, the outbound connections SHOULD get TLS-encrypted whenever possible.

    If the target server responded in its EHLO response with STARTTLS as supported, SMG SHOULD have taken the more secure route and started a TLS connection when sending out.

    Test-wise it might be beneficial to “force TLS” on outbound by setting the external delivery to “STARTTLS” and see what happens; however, keep in mind that for regular operation this SHOULD be set back to auto, otherwise mail delivery might fail for “plain” mail servers.

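The exchange described in the question (EHLO offering STARTTLS, MAIL FROM sent in the clear, "571 5.7.1" back) and the outbound connection-security choice described in the answer, as an added example in Python. This is not part of the original thread and not SMG's own code: the transcript is constructed, the host names are placeholders, and the policy names "auto", "starttls" and "none" are assumed labels for the settings the answer mentions. The parsing and policy helpers run offline; `probe_starttls()` opens a real connection, as `openssl s_client -starttls smtp` does, but additionally re-issues EHLO after the handshake so you see which capabilities the peer offers over TLS.

```python
"""Added example (not SMG code): the STARTTLS decision an outbound mail
gateway has to make, reproduced in Python.

The parsing helpers run offline on a constructed transcript modelled on
the log in the question.  probe_starttls() does what
'openssl s_client -starttls smtp' does, but also re-issues EHLO after the
handshake.  Host names, policy names and the transcript are assumptions.
"""
import re
import smtplib
import ssl

# One SMTP reply line: 3-digit code, '-' (more lines follow) or ' ' (last
# line), then text (RFC 5321 section 4.2).
_REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")
# Enhanced status code (RFC 3463) leading the reply text, e.g. "5.7.1".
_ESC_RE = re.compile(r"^(\d\.\d{1,3}\.\d{1,3})\b")

# Constructed transcript: EHLO reply offering STARTTLS, then the rejection
# the peer returns when MAIL FROM arrives without a TLS upgrade.
EHLO_REPLY = [
    "250-mail.example.test Hello smg.example.test",
    "250-SIZE 52428800",
    "250-STARTTLS",
    "250-8BITMIME",
    "250 ENHANCEDSTATUSCODES",
]
MAIL_FROM_REPLY = ["571 5.7.1 Session encryption is required"]


def parse_reply(lines):
    """Parse one (possibly multi-line) reply into (code, enhanced_status, texts)."""
    code, texts, last = None, [], False
    for line in lines:
        if last:
            raise ValueError("extra lines after the final reply line")
        m = _REPLY_RE.match(line)
        if not m:
            raise ValueError(f"malformed reply line: {line!r}")
        this_code, sep, text = m.groups()
        if code is None:
            code = this_code
        elif this_code != code:
            raise ValueError("reply code changed mid-reply")
        texts.append(text)
        last = sep == " "
    if not last:
        raise ValueError("incomplete reply")
    m = _ESC_RE.match(texts[0])
    return int(code), (m.group(1) if m else None), texts


def ehlo_capabilities(lines):
    """Return the EHLO keywords (upper-cased) from a 250 reply."""
    code, _, texts = parse_reply(lines)
    if code != 250:
        raise ValueError(f"EHLO refused with {code}")
    # texts[0] is the greeting; each later line is KEYWORD [parameters].
    return {t.split()[0].upper() for t in texts[1:] if t.strip()}


def encryption_required(lines):
    """True for the rejection in the question: a 5xx reply with status 5.7.1."""
    code, esc, _ = parse_reply(lines)
    return 500 <= code < 600 and esc == "5.7.1"


def choose_outbound_mode(caps, policy):
    """Model the outbound connection-security settings named in the answer
    (policy names are assumptions): 'auto' upgrades when STARTTLS is offered,
    else goes plain; 'starttls' requires the upgrade; 'none' never upgrades.
    Returns 'tls', 'plain' or 'fail'.
    """
    offered = "STARTTLS" in caps
    if policy == "starttls":
        return "tls" if offered else "fail"
    if policy == "auto":
        return "tls" if offered else "plain"
    if policy == "none":
        return "plain"
    raise ValueError(f"unknown policy {policy!r}")


def probe_starttls(host, port=25, helo_name="smg.example.test", timeout=10):
    """Live probe (needs network): EHLO, STARTTLS, EHLO again; returns a dict."""
    result = {"starttls_offered": False, "tls_version": None, "caps_after_tls": set()}
    ctx = ssl.create_default_context()  # verifies the peer's certificate chain
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        code, msg = s.ehlo(helo_name)
        if code != 250:
            raise RuntimeError(f"EHLO failed: {code} {msg!r}")
        result["starttls_offered"] = s.has_extn("starttls")
        if not result["starttls_offered"]:
            return result
        s.starttls(context=ctx)          # STARTTLS command plus TLS handshake
        result["tls_version"] = s.sock.version()
        s.ehlo(helo_name)                # RFC 3207: discard old caps, EHLO again
        result["caps_after_tls"] = set(s.esmtp_features)
        # A MAIL FROM sent now travels inside TLS; sending it before this
        # point is exactly what draws "571 5.7.1" from a strict peer.
    return result


if __name__ == "__main__":
    caps = ehlo_capabilities(EHLO_REPLY)
    print("peer offers STARTTLS:", "STARTTLS" in caps)
    print("auto policy would choose:", choose_outbound_mode(caps, "auto"))
    print("plain MAIL FROM is refused:", encryption_required(MAIL_FROM_REPLY))
```

Running the script offline shows the decision the gateway should have made on the constructed transcript; to compare against the real peer, call `probe_starttls("mail.example.test")` with the problematic host and check that `starttls_offered` is true and `tls_version` comes back as TLSv1.2 or TLSv1.3, which matches what the `openssl s_client` test in the question already established.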