Sendmail, SSL and MS Servers

Feb 21, 2015
6
0
#1
I'm hitting a problem with Sendmail that has the symptoms of a similar problem back in V14, which was fixed in V15.1. Basically, it fails with "TCC: error during handshake[2]: 0x80090308" when SSL is selected, and "TCC: SMTP protocol error. 504 5.7.4 Unrecognized authentication type" when SSL isn't selected.

I know I'm trying to connect to a Windows environment server (Office365 as provided by BT, who by accident are my ISP). The specification for SMTP includes the usual server name and addresses, but the server wants to negotiate TLS, not SSL.

Now in Outlook and Acronis Backup, I can specify TLS and they connect through just fine. But I can't find any way of tempting TCC to have a go at TLS. So I guess the question is: can this be done, and if not is there some work-around (or, of course, am I barking up the wrong tree entirely)?

Thanks,

JB
 
#2
I think the underlying issue is that TCC only tries STARTTLS on port 25, but on other ports it assumes a 465-style encrypted port. At a minimum, the MSA port (587) should be treated the same as 25, but there really should be separate switches for STARTTLS vs "encrypt before EHLO" TLS as is used on port 465.

(Also, note that calling them SSL vs TLS is incorrect: SSL is a legacy protocol which ended at SSL 3.0; TLS 1.x is the current version and is a direct successor to SSL, but this is completely independent of the 465-style "fully encrypted" vs the 25/587 STARTTLS protocol -- I'm just nitpicking here, but being pedantic makes a difference when it comes to protocol specifications.)
 

rconn

Administrator
Staff member
May 14, 2008
10,504
94
#4
> I'm hitting a problem with Sendmail that has the symptoms of a similar problem back in V14, which was fixed in V15.1. Basically, it fails with "TCC: error during handshake[2]: 0x80090308" when SSL is selected, and "TCC: SMTP protocol error. 504 5.7.4 Unrecognized authentication type" when SSL isn't selected.
>
> I know I'm trying to connect to a Windows environment server (Office365 as provided by BT, who by accident are my ISP). The specification for SMTP includes the usual server name and addresses, but the server wants to negotiate TLS, not SSL.
>
> Now in Outlook and Acronis Backup, I can specify TLS and they connect through just fine. But I can't find any way of tempting TCC to have a go at TLS. So I guess the question is: can this be done, and if not is there some work-around (or, of course, am I barking up the wrong tree entirely)?

Are you setting the correct SMTP port in the "OPTION / Internet" page?
 
#5
Rex, try setting "mail.hireahit.com" as your server, port 587, and SSL on, see if you get a successful connection or not. Obviously you won't authenticate and therefore can't send mail, that's irrelevant. Now try 25, note that on port 25, TCMD will connect in plain text, EHLO and use STARTTLS? We need to be able to control whether STARTTLS is used or TCMD assumes that encryption is enabled from the start, or if that's not possible, at least handle port 587 the same as port 25 (start with plain text, use STARTTLS to add encryption)
 
#6
Dear All,

Thanks for your comments. Just to answer Rex's question: yes, the port is set to 587 as specified by the ISP. I've also (for the hell of it, and with no expectations) tried a few other obvious ports, and my expectations were confirmed. No luck.

Of course, this follows from The Dave's diagnosis.

ATB

John B
 

rconn

#7
> Rex, try setting "mail.hireahit.com" as your server, port 587, and SSL on, see if you get a successful connection or not. Obviously you won't authenticate and therefore can't send mail, that's irrelevant. Now try 25, note that on port 25, TCMD will connect in plain text, EHLO and use STARTTLS? We need to be able to control whether STARTTLS is used or TCMD assumes that encryption is enabled from the start, or if that's not possible, at least handle port 587 the same as port 25 (start with plain text, use STARTTLS to add encryption)

I can connect successfully to your mail server on port 587 by setting the "/SSL=2" option (start in plaintext, then start SSL negotiation).
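As an added illustration of the STARTTLS vs "encrypt before EHLO" distinction from post #2 and the /SSL=2 behaviour rconn describes here (example code written for this page, not TCC's implementation), this is a small offline model of the exchange. The server replies are constructed to mimic an Exchange-style submission server, and the client name and credentials are placeholders.

```python
def fake_mailserver(port):
    """Constructed stand-in for an Office365-style server. Port 465 expects the TLS
    handshake before any SMTP; 25 and 587 start in plaintext and advertise STARTTLS."""
    state = {"tls": False}

    def handle(line):
        if line == "<TLS handshake>":
            # A TLS ClientHello sent to a plaintext port is not valid SMTP, so the
            # client sees a failed handshake (the 0x80090308 reported in post #1).
            state["tls"] = port == 465
            return "<handshake ok>" if state["tls"] else "<handshake failed>"
        if port == 465 and not state["tls"]:
            return "<no reply: server is waiting for a TLS handshake>"
        if line.startswith("EHLO"):
            # STARTTLS is only offered while the session is still in plaintext.
            return "250 AUTH LOGIN PLAIN" if state["tls"] else "250-STARTTLS\r\n250 AUTH LOGIN PLAIN"
        if line == "STARTTLS":
            state["tls"] = True
            return "220 2.0.0 Ready to start TLS"
        if line.startswith("AUTH"):
            # Exchange refuses AUTH on an unencrypted session with the error quoted in post #1.
            return "235 2.7.0 Authentication successful" if state["tls"] else "504 5.7.4 Unrecognized authentication type"
        return "500 5.5.1 Command unrecognized"
    return handle


def submit(port, mode):
    """Client side. mode is 'implicit' (encrypt before EHLO, as on 465 and as TCC's
    plain /SSL did on every port), 'starttls' (what /SSL=2 does), or 'plain'."""
    server = fake_mailserver(port)
    if mode == "implicit" and server("<TLS handshake>") != "<handshake ok>":
        return "TCC: error during handshake"
    caps = server("EHLO client.example")
    if mode == "starttls":
        if "STARTTLS" not in caps:
            return "STARTTLS not offered; refusing to send credentials in the clear"
        server("STARTTLS")
        # Capabilities must be re-read after TLS comes up; the pre-TLS list is untrusted.
        server("EHLO client.example")
    return server("AUTH PLAIN <constructed credentials>")
```

Running submit(587, "implicit"), submit(587, "plain") and submit(587, "starttls") reproduces, in order, the handshake failure, the 504 5.7.4 refusal, and the working /SSL=2 path.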
 
Jul 29, 2016
36
1
#11
In cases where you need to bypass the alias to do "SENDMAIL /?" or the raw "SENDMAIL", just put a * before the command name (i.e. *SENDMAIL /? or *SENDMAIL).

I've also had to create an alias for SENDMAIL to add /SSL=2 because of the way Microsoft Outlook.com works.
 

rconn

#12
> I can't see how to do that without crippling "SENDMAIL /?" or even just the raw "SENDMAIL" to bring up the dialog you're so fond of adding everywhere.

You can invoke the command dialog with "SENDMAIL /=".

The incomplete quick help (SENDMAIL /?) can be replaced (with two fewer keystrokes) with the full help by "SENDMAIL<F1>".