Here is the setup:
[Proxy/Relay Server] <---------[(SMTP TLS test client) Test server]
^
|
(Internet) v
--------------+-----------------
|
[Router]
|
|
[ Home email appliance machine
|
(Home email server app (Node.js))
|
(Postfix) ]
So this little server is behind a NAT at a home. An external server is used as a proxy/relay for IMAP and SMTP.
We use openssl s_client to test a TLS connection to the proxy/relay server, which transmits data back and forth to the client behind the NAT.
It works great for plaintext, but I am not sure it is working consistently for TLS. Occasionally I get a full output with SSL certs etc. from the openssl s_client command, but usually it just says CONNECTED and sits there. Not sure it is working in those cases.
Basically it's this code running behind the NAT (router) on a computer with Postfix (there is some security stuff but this is basically it):
const net = require('net');

// Outbound connection to the public proxy/relay server
const proxyOutgoing = net.connect(proxyport, proxyhost)
// Connection to the local Postfix submission port
const localSMTP = net.connect(587, 'localhost')
// Relay bytes in both directions between the two sockets
localSMTP.pipe(proxyOutgoing).pipe(localSMTP)
What I am trying to figure out is: is there something about this basic idea that would cause the openssl s_client test, or TLS in general, to only appear to be 'working' occasionally? Do I need to somehow flush the pipes or something weird? It keeps saying Connected(000003) but usually just that, no cert info.
One theory is that tlsmgr is caching the session, which is why I don't see the STARTTLS stuff since it's already set up.
Thanks for anyone who has a comment or idea.
The answer was basically that step 2 needs to come after step 4, otherwise the initial response from the local SMTP/IMAP server is not received and the STARTTLS protocol testing clients don't work since they are waiting for standard greetings on connect. At first it seemed the original order where the local mail server is connected to early was working, since plaintext SMTP commands went through later, but generally clients expect to receive certain messages on connect.