2
gmail-based mail is no longer received
Question asked by Thomas Leylan - 10/20/2019 at 1:32 PM
Answered
I needed to set up SMTP TLS in SmarterMail to accommodate an app I am writing. I didn't enable it on other protocols. Tested things and they seemed to work. Today a gmail account I have indicated that it couldn't deliver an email to my domain. It must be related to changes I've made but I don't know how to resolve it (and easily). It was related to STARTTLS and appears to be something that Google tries by default.

Does anyone know what I need to set to make GMail happy? I am BTW not a wizard when it comes to web servers and email servers but I'm the guy stuck trying to maintain it.

Thanks.

5 Replies

0
Thomas Leylan Replied
Just to be clear, I did follow the instructions here https://portal.smartertools.com/kb/a2671/configure-ssl-tls-to-secure-smartermail.aspx with the exception that I have only enabled TLS on the SMTP ports. For the moment I don't need anything else unless that other thing is needed to make gmail (and any other mail service that acts like them) happy. I'm still trying things and so far it isn't working.

The major issue is that gmail doesn't fail immediately; I won't get a notification for several days (it appears).

And this was in the SmarterMail log: Exception negotiating TLS session: System.NotSupportedException: The server mode SSL must use a certificate with the associated private key.

And it is a LetsEncrypt certificate for my domain, not specifically for the mail server.

Just found mention of this site: https://www.checktls.com/TestReceiver cool.

TLS is an option, STARTTLS command works on this server. Cannot convert to SSL "wrong version number".

And I just found this site: https://mxtoolbox.com and it can test SMTP TLS, which fails, so something is definitely not set up correctly.
0
Thomas Leylan Replied
Yipes, it has gotten considerably worse. I followed the instructions here https://portal.smartertools.com/kb/a3466/securing-smartermail-with-lets-encrypt.aspx to secure the smartermail server. Installed and purchased the Certify client (nice software BTW). It fetched up new certificates. Wrote the scripts and Windows tasks as outlined. Ran them manually and the .pfx file appears. Everything appears to be set correctly.

I can send emails but I don't receive them from a couple of unrelated domains, and the checktls site I mentioned earlier can't connect any longer.
0
Thomas Leylan Replied

Okay... I think I'll leave these messages here just in case someone like myself runs into anything like it. My incoming email is back. I had turned off port 25, which hasn't been on in a long while, but I suspect that because I made my second SMTP port use TLS it became a requirement.

This may mean I don't have something in the handshake set up quite right, but I'm beginning to believe it is instead that other email servers don't like my certificate because it is registered to my website, not my email server.

Outlook is set to use SMTP TLS as is my phone and they continue to work both send and receive.

That was nerve-wracking, but I can now log into my web server securely and I have a better tool for updating my cert :-)

0
Sébastien Riccio Replied
Marked As Answer
Hello,

The SMTP 25 port is mandatory for incoming e-mails. You can set it up as TLS. If I'm not wrong, setting it to TLS will also accept non-TLS connections.

Also, for your users to send mail via SMTP you need port 587, also with TLS, but this must be configured as a Submission port.

Important: Do not set these ports as SSL encrypted but as TLS. SSL is for special implicit SSL ports like 465 for SMTP (but deprecated), 993 for IMAPS, 995 for POP3S.

Kind regards
Sébastien Riccio System & Network Admin https://swisscenter.com
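A STARTTLS check in the spirit of the checktls test mentioned above, as an added example that is not from this thread or from SmarterTools: it connects in cleartext on port 25 the way a sending MTA does, upgrades with STARTTLS, and reports whether the certificate's names cover the MX host (the website-vs-mail-server mismatch Thomas suspects). Host, port and the `example.test` sample values are assumptions.

```python
import smtplib
import ssl

def ehlo_extensions(reply: str) -> set:
    """Keywords advertised in an EHLO reply; accepts raw "250-STARTTLS" lines
    or smtplib's msg with codes stripped. The first line (greeting) is skipped."""
    keywords = set()
    for i, line in enumerate(reply.splitlines()):
        if len(line) >= 4 and line[:3].isdigit() and line[3] in "- ":
            line = line[4:]  # drop the "250-" / "250 " prefix
        words = line.split()
        if i > 0 and words:
            keywords.add(words[0].upper())
    return keywords

def cert_covers(cert: dict, hostname: str) -> bool:
    """True if a getpeercert()-style dict names hostname in its DNS SANs (CN only
    as legacy fallback). A cert for www.example.test does not cover mail.example.test."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower()
        if name.startswith("*."):  # wildcard covers exactly one leftmost label
            if "." in host and host.split(".", 1)[1] == name[2:]:
                return True
        elif name == host:
            return True
    return False

def check_receiver(host: str, port: int = 25, timeout: float = 10) -> dict:
    """Cleartext connect like a sending MTA, STARTTLS upgrade, then name check.
    Assumed host/port; the chain is verified by the default context."""
    report = {"starttls": False, "tls_ok": False, "cert_ok": False, "error": None}
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name is matched by cert_covers so a mismatch is reported, not raised
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            _code, msg = smtp.ehlo()
            report["starttls"] = "STARTTLS" in ehlo_extensions(msg.decode("ascii", "replace"))
            if report["starttls"]:
                smtp.starttls(context=ctx)
                report["tls_ok"] = True
                report["cert_ok"] = cert_covers(smtp.sock.getpeercert(), host)
    except (smtplib.SMTPException, OSError) as exc:  # ssl.SSLError is an OSError
        # A port left in implicit-SSL mode shows up here as a disconnect or "wrong version number".
        report["error"] = str(exc)
    return report

if __name__ == "__main__":
    import sys
    print(check_receiver(sys.argv[1] if len(sys.argv) > 1 else "mail.example.test"))
```

Run it against your own MX host; `starttls: False` means the port is not advertising STARTTLS, and `cert_ok: False` with `tls_ok: True` means the handshake works but the certificate is for a different name than the MX.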
1
Thomas Leylan Replied
Or so it seems :-) Thanks. I believe you are correct re: the TLS option. I'll make that change as a test. It looks to me that gmail (for one) must be using port 25 (because it is defined for email) but attempts to make a TLS connection there.

The Certify client software was a welcome addition to my toolbox. Another source of pain dealing with SSL certificates has been eliminated.
