
Encrypted connection from Nodemailer to Postfix fails with "SSL23_GET_SERVER_HELLO:unknown protocol"


I configured an SMTP mail server using Postfix and Dovecot.

When I try using an external client to send emails over TLS, I get the following error:

/var/log/syslog:

Oct 31 19:40:49 designtuner postfix/submission/smtpd[30394]: connect from unknown[185.81.141.117]
Oct 31 19:40:49 designtuner postfix/submission/smtpd[30395]: connect from unknown[185.81.141.117]
Oct 31 19:40:49 designtuner postfix/submission/smtpd[30394]: lost connection after CONNECT from unknown[185.81.141.117]
Oct 31 19:40:49 designtuner postfix/submission/smtpd[30394]: disconnect from unknown[185.81.141.117] commands=0/0
Oct 31 19:40:49 designtuner postfix/submission/smtpd[30395]: lost connection after CONNECT from unknown[185.81.141.117]
Oct 31 19:40:49 designtuner postfix/submission/smtpd[30395]: disconnect from unknown[185.81.141.117] commands=0/0

Node JS client:

{ Error: 1XXXXXXXXXX35275584:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:../deps/openssl/openssl/ssl/s23_clnt.c:797:
code: 'ECONNECTION', command: 'CONN' }

Node JS file:

const nodemailer = require('nodemailer');

let transporter = nodemailer.createTransport({
  host: 'mail.designtuner.com',
  port: 587,
  secure: true, // secure:true for port 465, secure:false for port 587
  auth: {
    user: '[email protected]',
    pass: 'XXXXXXX'
  },
  tls: {
    rejectUnauthorized: false
  }
});

Am I missing something? Is it because my reverse DNS hasn't propagated yet? I recently updated my reverse DNS, but the website is accessible from a web browser just fine, and the SSL certificate seems to be working fine.


Solution

  • SMTPs and STARTTLS

    There are two ways of doing encrypted SMTP: SMTPS on port 465, which first establishes a TLS handshake and then starts the SMTP session, and SMTP with STARTTLS on port 587, which first starts an SMTP session and then initializes TLS after the STARTTLS SMTP command (and then proceeds with authentication and everything else that is to be protected).

    SMTPS (TLS first, port 465) is considered deprecated; standards-conformant SMTP with STARTTLS (port 587) does not imply any drawbacks with respect to security or privacy. A properly configured SMTP server will not allow any unsecured connection on the SMTP submission port.

    Enforcing encryption with Nodemailer

    The secure flag of nodemailer is only to indicate TLS before SMTP, which is also indicated by the comment following the line (which also explicitly explains what setting to use).

    secure: true, // secure:true for port 465, secure:false for port 587
    

    Looking at the Nodemailer documentation, there is some further information on configuration options:

    • options.secure if true the connection will only use TLS. If false (the default), TLS may still be upgraded to if available via the STARTTLS command.

    • [...]

    • options.requireTLS if this is true and secure is false, it forces Nodemailer to use STARTTLS even if the server does not advertise support for it.

    In other words, to enforce an encrypted session following standards and best practices, set requireTLS instead of secure and use SMTP submission on port 587.
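The following is an added example, not code from the question or the answer: a small helper that derives the Nodemailer TLS options from the submission port so that `secure` and `requireTLS` can never disagree with the port (the mismatch that produced the "unknown protocol" error above), and that keeps certificate verification enabled rather than setting `rejectUnauthorized: false`. The host name and credentials are placeholders, and the error classifier only recognises the OpenSSL message text quoted in the question plus the equivalent "wrong version number" text newer OpenSSL versions emit for the same mismatch.

```javascript
// Added example (not from the original question or answer).
// Port 465: implicit TLS, the handshake happens before any SMTP byte.
// Port 587: plain SMTP first, then STARTTLS; requireTLS makes Nodemailer fail
// instead of continuing in cleartext if the server does not offer STARTTLS.
function transportOptions({ host, port, user, pass }) {
  if (port !== 465 && port !== 587) {
    throw new Error(
      `unsupported submission port ${port}; use 465 (implicit TLS) or 587 (STARTTLS)`
    );
  }
  const implicitTls = port === 465;
  return {
    host,
    port,
    secure: implicitTls,        // true only for 465 (TLS before SMTP)
    requireTLS: !implicitTls,   // for 587: STARTTLS is mandatory, never optional
    auth: { user, pass },
    tls: {
      rejectUnauthorized: true, // keep certificate validation on
      servername: host,         // SNI / hostname check against the certificate
    },
  };
}

// The question's failure: secure:true on port 587 sends a TLS ClientHello to a
// server that is waiting for a plain SMTP dialogue, so the client's OpenSSL sees
// the text banner where a ServerHello should be and reports "unknown protocol"
// (newer OpenSSL builds report the same mismatch as "wrong version number").
function isTlsModeMismatch(err) {
  const msg = String((err && err.message) || err);
  return /SSL23_GET_SERVER_HELLO:unknown protocol|wrong version number/.test(msg);
}

// Nodemailer is required lazily so the helpers above can be inspected without it.
function createSubmissionTransport(params) {
  const nodemailer = require('nodemailer'); // placeholder host/credentials expected in params
  return nodemailer.createTransport(transportOptions(params));
}

module.exports = { transportOptions, isTlsModeMismatch, createSubmissionTransport };
```

Passing `{ host: 'mail.example.com', port: 587, user: '...', pass: '...' }` to `createSubmissionTransport` yields a STARTTLS-only transport; switching the port to 465 flips it to implicit TLS without touching any other field.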