SMTPSenderRefused - howto enable STARTTLS for local mail drop
Dear users,
how can we configure mailman3, to use STARTTLS when dropping mails to local postfix for final delivery?
Mailman seems to not support this. Even the web-interface complains:
SMTPSenderRefused at /accounts/login/
(530, b'5.7.0 Must issue a STARTTLS command first', 'postorius@lists.mydomain.tld')
Request Method: POST
Request URL: https://mm3.mydomain.tld/mailman3/accounts/login/
Django Version: 2.2.12
Exception Type: SMTPSenderRefused
Exception Value: (530, b'5.7.0 Must issue a STARTTLS command first', 'postorius@lists.mydomain.tld')
Exception Location: /usr/lib/python3.8/smtplib.py in sendmail, line 880
Python Executable: /usr/bin/uwsgi-core
Python Version: 3.8.10
Python Path: ['.', '',

Thank you.
Stefan

On 11/8/21 1:03 AM, Stefan Bauer wrote:
> how can we configure mailman3, to use STARTTLS when dropping mails to local postfix for final delivery?

Set

smtp_secure_mode: starttls

in the mta section of mailman.cfg.

See https://gitlab.com/mailman/mailman/-/blob/master/src/mailman/config/schema.c...

--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

awesome! Thank you a lot!

No matter what I try, mailman still only connects without STARTTLS:

/etc/mailman3/mailman.cfg

[mta]
incoming: mailman.mta.postfix.LMTP
outgoing: mailman.mta.deliver.deliver
smtp_host: localhost
smtp_port: 25
smtp_user:
smtp_pass:
smtp_verify_hostname: false
smtp_verify_cert: false
smtp_secure_mode: starttls

systemctl restart mailman3

Nov 9 12:14:52 al02 postfix/smtpd[4183267]: connect from localhost[::1]
Nov 9 12:14:52 al02 postfix/smtpd[4183276]: connect from localhost[::1]
Nov 9 12:14:52 al02 postfix/smtpd[4183276]: disconnect from localhost[::1] ehlo=1 mail=0/1 rset=0/1 quit=1 commands=2/4

Did I miss something?

Stefan Bauer writes:
> No matter what I try, mailman still only connects without STARTTLS:

Earlier you wrote:
> SMTPSenderRefused at /accounts/login/
> (530, b'5.7.0 Must issue a STARTTLS command first', 'postorius@lists.mydomain.tld')
> Request Method: POST
> Request URL: https://mm3.mydomain.tld/mailman3/accounts/login/
> Django Version: 2.2.12

This looks like Django errors, not Postorius (Mailman). So this is something Django is doing, not Mailman (including Postorius). I'm not sure why Django is sending email (somebody made a password reset request seems likely, but I'm not that familiar with Django authn stuff). Anyway, if it's internal to Django, it would not consult Mailman's configs. This recent StackOverflow seems relevant:
https://stackoverflow.com/questions/60025730/530-5-7-0-must-issue-a-starttls...
HTH
Steve
Hi Steve,
Thank you for your time. That's it :) Works now. I had to set it in /etc/mailman3/mailman-web.py

After first logon, django tries to send a mail to confirm email address.

Nov 10 08:44:56 mal02 postfix/qmgr[2893767]: 9255C5E0BE2: from=<postorius@lists.mydomain.tld>, size=920, nrcpt=1 (queue active)
Nov 10 08:44:56 mal02 postfix/smtpd[879486]: disconnect from localhost[::1] ehlo=2 *starttls=1* mail=1 rcpt=1 data=1 quit=1 commands=7

This now works with STARTTLS. Hoooray :)

Need to bring this up again. Django now sends with STARTTLS, but mailman itself, does still only drop mails in cleartext.

Dec 6 11:47:33 al01 postfix/lmtp[7598]: A6422600510: to=<remote-party@remote>, relay=127.0.0.1[127.0.0.1]:8024, delay=0.01, delays=0.01/0/0/0.01, dsn=2.0.0, status=sent (250 Ok)
Dec 6 11:47:33 al01 postfix/qmgr[29156]: A6422600510: removed
Dec 6 11:47:35 al01 postfix/smtpd[8092]: disconnect from localhost[::1] ehlo=1 mail=2 rcpt=2 data=2 commands=7

No starttls=1 at all :(

Do the above settings work for anyone?

/etc/mailman3/mailman.cfg

[mta]
incoming: mailman.mta.postfix.LMTP
outgoing: mailman.mta.deliver.deliver
smtp_host: localhost
smtp_port: 25
smtp_user:
smtp_pass:
smtp_verify_hostname: false
smtp_verify_cert: false
smtp_secure_mode: starttls

On Wed, 10 Nov 2021 at 09:46, Stephen J. Turnbull <stephenjturnbull@gmail.com> wrote:
> Stefan Bauer writes:
> > Thank you for your time. That's it :) Works now.
>
> Love to hear it!
>
> Steve

On 12/6/21 2:51 AM, Stefan Bauer wrote:
> Need to bring this up again. Django now sends with STARTTLS, but mailman itself, does still only drop mails in cleartext.
>
> Dec 6 11:47:33 al01 postfix/lmtp[7598]: A6422600510: to=<remote-party@remote>, relay=127.0.0.1[127.0.0.1]:8024, delay=0.01, delays=0.01/0/0/0.01, dsn=2.0.0, status=sent (250 Ok)
> Dec 6 11:47:33 al01 postfix/qmgr[29156]: A6422600510: removed
> Dec 6 11:47:35 al01 postfix/smtpd[8092]: disconnect from localhost[::1] ehlo=1 mail=2 rcpt=2 data=2 commands=7
>
> No starttls=1 at all :(
>
> Do the above settings work for anyone?
>
> /etc/mailman3/mailman.cfg
>
> [mta]
> incoming: mailman.mta.postfix.LMTP
> outgoing: mailman.mta.deliver.deliver
> smtp_host: localhost
> smtp_port: 25
> smtp_user:
> smtp_pass:
> smtp_verify_hostname: false
> smtp_verify_cert: false
> smtp_secure_mode: starttls

This should work. What do you see in Mailman's smtp.log if you add

[logging.smtp]
level: debug

to mailman.cfg.

However, do you really need this? It will only affect delivery from Mailman to Postfix via the loopback interface on the localhost.

--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

Unfortunately I need this, as the postfix is listening on all interfaces and we have the policy to enforce TLS only. Nothing special in the logs:

Dec 07 08:14:14 2021 (12303) Using agent: <mailman.mta.bulk.BulkDelivery object at 0x7fbc29b1c4a8>
Dec 07 08:14:14 2021 (12303) Connecting to localhost:25
Dec 07 08:14:14 2021 (12303) envsender: v-test-bounces@domain, recipients: ['recipient@own.domain'], size(msgtext): 5809
Dec 07 08:14:14 2021 (12303) <kcEE.aBI3BVc2RCi6kAxA4PJ0hg.ADrcCDrr1wE@mailsrv103.my.domain> smtp to v-test@domain for 1 recips, completed in 0.008081912994384766 seconds
Dec 07 08:14:14 2021 (12303) <kcEE.aBI3BVc2RCi6kAxA4PJ0hg.ADrcCDrr1wE@mailsrv103.my.domain> post to v-test@domain from v-test@domain, 5336 bytes
Dec 07 08:14:47 2021 (12297) Peer: ('127.0.0.1', 43210)
Dec 07 08:14:47 2021 (12297) ('127.0.0.1', 43210) handling connection
Dec 07 08:14:47 2021 (12297) b'220 ml01.my.domain GNU Mailman LMTP runner 2.0\r\n'
Dec 07 08:14:47 2021 (12297) ('127.0.0.1', 43210) EOF received
Dec 07 08:14:47 2021 (12297) Connection lost during _handle_client()
Dec 07 08:14:47 2021 (12297) ('127.0.0.1', 43210) connection lost
Dec 07 08:15:00 2021 (12297) Peer: ('127.0.0.1', 43516)
Dec 07 08:15:00 2021 (12297) ('127.0.0.1', 43516) handling connection

Is my mailman version maybe too old for this setting?
I'm running GNU Mailman 3.1.1 (Between The Wheels)
Thank you.

On 12/6/21 11:20 PM, Stefan Bauer wrote:
> Unfortunately I need this, as the postfix is listening on all interfaces and we have the policy to enforce TLS only. Nothing special in the logs:
>
> Dec 07 08:14:14 2021 (12303) Using agent: <mailman.mta.bulk.BulkDelivery object at 0x7fbc29b1c4a8>
> Dec 07 08:14:14 2021 (12303) Connecting to localhost:25

There should be a

Dec 07 08:14:14 2021 (12303) Starttls

entry here.

> Dec 07 08:14:14 2021 (12303) envsender: v-test-bounces@domain, recipients: ['recipient@own.domain'], size(msgtext): 5809
> ...

> Is my mailman version maybe too old for this setting?
>
> I'm running GNU Mailman 3.1.1 (Between The Wheels)

Yes, it's too old. STARTTLS support was added in Mailman 3.3.0

--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
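
Added example (not part of the thread and not Mailman or Postfix code): a small Python auditor for the Postfix smtpd "disconnect from" summary lines quoted in this thread, classifying each session by whether STARTTLS was negotiated before mail was submitted. The sample lines are copied from the thread's log excerpts; the function names and verdict labels are illustrative.

```python
import re

# Postfix smtpd per-session summary: "disconnect from host[addr] cmd=ok[/total] ..."
DISCONNECT = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from (?P<client>\S+)\s+(?P<stats>.*)$")
COUNTER = re.compile(r"(?P<cmd>[a-z]+)=(?P<ok>\d+)(?:/(?P<total>\d+))?")

# Log lines copied from the thread's excerpts (asterisk emphasis removed).
SAMPLE = [
    "Nov 9 12:14:52 al02 postfix/smtpd[4183267]: connect from localhost[::1]",
    "Nov 9 12:14:52 al02 postfix/smtpd[4183276]: disconnect from localhost[::1] "
    "ehlo=1 mail=0/1 rset=0/1 quit=1 commands=2/4",
    "Nov 10 08:44:56 mal02 postfix/smtpd[879486]: disconnect from localhost[::1] "
    "ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7",
    "Dec 6 11:47:35 al01 postfix/smtpd[8092]: disconnect from localhost[::1] "
    "ehlo=1 mail=2 rcpt=2 data=2 commands=7",
]


def parse_disconnect(line):
    """Return (client, {cmd: (accepted, attempted)}), or None for other lines."""
    m = DISCONNECT.search(line)
    if not m:
        return None
    stats = {}
    for c in COUNTER.finditer(m.group("stats")):
        ok = int(c.group("ok"))
        # "mail=0/1" means 0 accepted out of 1 attempted; "mail=2" means 2 of 2.
        stats[c.group("cmd")] = (ok, int(c.group("total") or ok))
    return m.group("client"), stats


def classify(stats):
    """Label a session by TLS use and by what happened to MAIL FROM."""
    if stats.get("starttls", (0, 0))[0] > 0:
        return "tls"
    mail_ok, mail_tried = stats.get("mail", (0, 0))
    if mail_ok > 0:
        return "cleartext-accepted"   # mail was submitted without STARTTLS
    if mail_tried > 0:
        return "cleartext-refused"    # e.g. the 530 "Must issue a STARTTLS" case
    return "no-mail"


def audit(lines):
    """Return [(client, verdict)] for every smtpd session summary in lines."""
    parsed = (parse_disconnect(line) for line in lines)
    return [(client, classify(stats)) for client, stats in filter(None, parsed)]


if __name__ == "__main__":
    for client, verdict in audit(SAMPLE):
        print(f"{client:20} {verdict}")
```
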

participants (3): Mark Sapiro, Stefan Bauer, Stephen J. Turnbull