Search code examples
node.jsopensslnodemailerpostfix-mtadovecot

Set up Nodemailer to secure email with a STARTLS handshake?

I need to send e-mail through my remote Postfix/Dovecot SASL service from Node.js on my desktop.

When I send email using Thunderbird, it works and the Postfix server logs show

Anonymous TLS connection established from unknown[dh.cp.ip.ip]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

But not through nodemailer, where the Postfix server logs: 

Nov 26 22:02:31 servicelabel postfix/submission/smtpd[27019]: connect from unknown[dh.cp.ip.ip]                                                         
Nov 26 22:02:31 servicelabel postfix/submission/smtpd[27019]: lost connection after CONNECT from unknown[dh.cp.ip.ip]                                   
Nov 26 22:02:31 servicelabel postfix/submission/smtpd[27019]: disconnect from unknown[dh.cp.ip.ip] commands=0/0

These same settings are used for Nodemailer transport and Thunderbird

  let transporter = nodemailer.createTransport(
    {
        host: "mx.example.com",
        port: 587,
        secure: false, // use TLS
        // requireTLS:true,        
        auth: {
            user: "emailuser",
            pass: "password"
        },
        tls: { rejectUnauthorized: false },
        // logger: true,
         debug: true 
    },
    {      
        from: '[email protected]',
    }
);

But Nodemailer won't connect to Dovecot with TLS the same way Thunderbird does ??

when I change secure to true to force TLS a SSL routines:ssl3_get_record:wrong version number error (below); it appears when verifying the transport. 

transporter.verify(function(error, success) {
  if (error) {
    console.log(error);
  } else {
    console.log("Server is ready to take our messages");
    return false;
  }
});

Error: 140185182082944:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:
code:"ECONNECTION"
command:"CONN"
function:"ssl3_get_record"
library:"SSL routines"
message:"140185182082944:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n"
reason:"wrong version number"
stack:"Error: 140185182082944:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n"

When I test with this command:

openssl s_client -starttls smtp -connect mx.example.com:587

depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = mx.example.com
verify return:1
---
Certificate chain
 0 s:CN = mx. ...
...
...

... the SSL/STARTTLS handshake succeeds and certificates

But if I use this command:

openssl s_client -connect mx.example.com:587 -crlf -ign_eof

I get the same error as with Nodemailer

CONNECTED(00000005) 140508975112640:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:

I've tried a number of option configurations and am at a loss...

How do I send secure email through my Dovecot/Postfix server via Nodemailer? Do I need to configure some certs in Nodemailer? Should I use something different to send secure email from node.js? Any help appreciated.

Solution

  • My unit testing context in Mocha does not have the ciphersuites of Node.js available.

    The Nodemailer has no problem initiating TLS handshake from STARTLS when running in a Node.js context.