1 (edited by Kawaii 2017-05-25 04:48:45)

Topic: TLS Disconnect From Application Server

==== Required information ====
- iRedMail version: iRedMail-0.9.6
- Linux/BSD distribution name and version: Ubuntu 16.04
- Store mail accounts in which backend: PostgreSQL
- Web server: Nginx
- Manage mail accounts with iRedAdmin-Pro: YES
====

Hello.

I have a server hosted with Google Cloud running a PHP application. Because Google Cloud does not allow outbound connections on ports 25 and 587, I host the MX server with OVH and have it configured to listen on a second submission port, 5877, like this:

5877 inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o content_filter=smtp-amavis:[127.0.0.1]:10026

This works; I verified it using the Thunderbird mail client and by manually connecting to that port!

However, when using SMTP authentication on port 5877 from my application server to the MX server I get the following in the mail.log file:

May 24 22:23:19 mx postfix/submission/smtpd[8335]: connect from 39.102.199.104.bc.googleusercontent.com[104.XXX.XXX.XX]
May 24 22:23:19 mx postfix/submission/smtpd[8335]: Anonymous TLS connection established from 39.102.199.104.bc.googleusercontent.com[104.XXX.XXX.XX]: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
May 24 22:23:19 mx postfix/submission/smtpd[8335]: lost connection after STARTTLS from 39.102.199.104.bc.googleusercontent.com[104.XXX.XXX.XX]
May 24 22:23:19 mx postfix/submission/smtpd[8335]: disconnect from 39.102.199.104.bc.googleusercontent.com[104.XXX.XXX.XX] ehlo=1 starttls=1 commands=2

It seems that TLS causes it to just die?

I am using a Let's Encrypt certificate, and my postfix is configured like this:

smtpd_tls_key_file = /etc/letsencrypt/live/mx.domain.com/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mx.domain.com/fullchain.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/mx.domain.com/fullchain.pem

This should be correct and provide full trust to any connecting client. It does, because I tested it with the Google Mail client, Thunderbird and RoundCube, all good. So why does my application server fail to send email?

2

Re: TLS Disconnect From Application Server

This looks more like a PHP program issue to me. Did you test your PHP program with another mail server (port 587 + TLS)?

3

Re: TLS Disconnect From Application Server

I can't test on outbound standard mail ports like 25 or 587, so I must use a custom port that Google does not block. However, I can set up a copy of the PHP application on a different server not hosted with Google and try the standard ports.

I will let you know the results!

4

Re: TLS Disconnect From Application Server

This was a problem with the configuration of the app, not the app itself. I made a mistake and used the IP of the MX server instead of the hostname that the TLS certificate was issued to, so the app didn't trust that it was the correct server.

One last thing: the mail header reveals the origin IP of my app server:

Wed, 14 Jun 2017 22:55:34 +0200 (CEST)
Received: from app.server.com (00.000.000.000.bc.googleusercontent.com [000.000.000.00])
by mx.server.com (Postfix) with ESMTPSA id XXXXXXXXXX

How do I remove this particular header?
Is it possible to remove a header for only one particular sender or domain?
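The cause found in this post, connecting to the MX by IP instead of by the name in its certificate, is exactly what a verifying TLS client is supposed to reject. The following is an added example, not the poster's PHP code and not part of iRedMail: a Python client that submits mail over STARTTLS on the custom port with chain and hostname verification switched on, plus a helper that models the subjectAltName matching rule a verifying client applies, which shows why the server's IP can never satisfy a certificate that carries only a DNS name. `mx.domain.com` and port 5877 come from the thread; the address 203.0.113.5, the user name and the certificate dictionaries (in the shape `ssl.SSLSocket.getpeercert()` returns) are constructed for this example.

```python
import ipaddress
import smtplib
import ssl

# Stand-ins for the poster's setup: the name and port come from the thread,
# nothing else here is taken from a real deployment.
MX_HOST = "mx.domain.com"
SUBMISSION_PORT = 5877


def make_client_context():
    """Strict TLS client context: verify the chain against the system trust
    store and require the server name to match the certificate."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def cert_matches_target(cert, target):
    """Return True if `target` is covered by the certificate's subjectAltName,
    applying the rule a verifying client uses: an IP literal matches only an
    explicit IP SAN, a DNS name matches exactly or via a wildcard that covers
    exactly one leftmost label. `cert` is in getpeercert() dict form."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # A DNS SAN never matches an IP literal, which is the poster's failure.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    host = target.lower().rstrip(".")
    for kind, value in sans:
        if kind != "DNS":
            continue
        name = value.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            suffix = name[1:]                                   # ".domain.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:                    # one label only
                return True
    return False


def send_via_submission(user, password, msg, host=MX_HOST, port=SUBMISSION_PORT):
    """Submit an email.message.Message over STARTTLS + AUTH on the custom port.
    Connecting by `host` (the certificate's name) is what lets verification
    succeed; passing the MX's IP address instead raises
    ssl.SSLCertVerificationError at starttls() and AUTH is never reached."""
    ctx = make_client_context()
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)      # chain + hostname verified here
        smtp.ehlo()                     # EHLO again after TLS, per RFC 3207
        smtp.login(user, password)
        return smtp.send_message(msg)   # {} when every recipient was accepted


if __name__ == "__main__":
    # Offline demonstration with a constructed Let's Encrypt-style certificate
    # that carries only a DNS name.
    le_cert = {"subjectAltName": (("DNS", "mx.domain.com"),)}
    print(cert_matches_target(le_cert, "mx.domain.com"))   # True
    print(cert_matches_target(le_cert, "203.0.113.5"))     # False
```

Two practical notes. First, the log in the opening post shows the PHP client negotiating TLSv1; the context above refuses anything below TLS 1.2, so the server must offer it (Postfix on a current Ubuntu does). Second, `smtpd_tls_CAfile` on the server side is not what makes clients trust the certificate; trust comes from the client's own store, which is why `fullchain.pem` in `smtpd_tls_cert_file` matters and the CAfile line is redundant for this purpose.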

5

Re: TLS Disconnect From Application Server

Why do you want to remove this mail header?

6

Re: TLS Disconnect From Application Server

ZhangHuangbin wrote:

Why do you want to remove this mail header?

My app server sits behind Cloudflare, a reverse proxy and denial of service protection platform, so having the mail header with the origin IP creates a huge security vulnerability.

7

Re: TLS Disconnect From Application Server

I don't think letting others know your IP address is a SECURITY vulnerability.

8

Re: TLS Disconnect From Application Server

ZhangHuangbin wrote:

I don't think letting others know your IP address is a SECURITY vulnerability.

The point is that I put my website behind a proxy system to hide the IP, so that it is protected from DDoS. If someone can just check the email header of an email from my website and see the true origin IP, then it's pointless paying for protection.

9

Re: TLS Disconnect From Application Server

*) Is it a public IP or just a private IP (like 192.168.x.x)?
*) You can search this forum; people have already got it working with a Postfix header_checks rule.
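The header_checks approach mentioned here, as an added example that is not iRedMail's code or the poster's. The Postfix rule is written the way it would appear in a `pcre:` header_checks table, and the small Python model beneath it applies the rule the way cleanup(8) does: one logical header at a time, with folded continuation lines joined, so the pattern can reach across the `from ...` and `by ...` lines. Both header blocks are constructed for this example (app.server.com, mx.server.com and the addresses are stand-ins): one is the app's message, the other an ordinary authenticated user's message through the same MX. Anchoring the pattern on the app host's own name, the Google reverse-DNS suffix and `ESMTPSA` is what keeps the rule from stripping anyone else's Received line, which also answers the question of limiting it to one sender: header_checks has no per-sender scope, but the Received line itself names the client.

```python
import re

# The rule as it would go in a pcre: header_checks table (hostnames are
# constructed stand-ins for the poster's app and MX servers).
HEADER_CHECKS_RULE = (
    r"/^Received: from app\.server\.com "
    r"\(\S+\.bc\.googleusercontent\.com \[[0-9.]+\]\)"
    r"\s+by mx\.server\.com \(Postfix\) with ESMTPSA/ IGNORE"
)

# Headers as cleanup(8) sees them for the app's message (constructed).
APP_MESSAGE_HEADERS = """\
Received: from app.server.com (5.113.0.203.bc.googleusercontent.com [203.0.113.5])
\tby mx.server.com (Postfix) with ESMTPSA id 4B2F1C0A12
\tfor <user@example.net>; Wed, 14 Jun 2017 22:55:34 +0200 (CEST)
Date: Wed, 14 Jun 2017 22:55:34 +0200
From: App <noreply@server.com>
To: user@example.net
Subject: Order confirmation
"""

# An ordinary authenticated user through the same MX (constructed); this
# Received line must survive the rule.
USER_MESSAGE_HEADERS = """\
Received: from [192.0.2.10] (unknown [192.0.2.10])
\tby mx.server.com (Postfix) with ESMTPSA id 9D0E7C0A13
\tfor <friend@example.org>; Wed, 14 Jun 2017 23:01:02 +0200 (CEST)
Date: Wed, 14 Jun 2017 23:01:00 +0200
From: Alice <alice@server.com>
To: friend@example.org
Subject: hello
"""


def parse_rule(rule):
    """Split '/pattern/ ACTION' into a compiled regex and the action.
    Postfix pcre tables match case-insensitively by default and search
    anywhere in the header, so '^' is the only anchor in the rule."""
    m = re.fullmatch(r"/(.*)/\s+(\S+)", rule.strip())
    if m is None:
        raise ValueError("not a /pattern/ ACTION rule: %r" % rule)
    return re.compile(m.group(1), re.IGNORECASE), m.group(2).upper()


def logical_headers(raw):
    """Join folded continuation lines onto their header, keeping the line
    break, so each element is one logical header as cleanup(8) matches it."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += "\n" + line
        else:
            out.append(line)
    return out


def apply_header_checks(raw, rule):
    """Return the logical headers that remain after applying one rule;
    only the IGNORE action is modelled here."""
    regex, action = parse_rule(rule)
    kept = []
    for header in logical_headers(raw):
        if action == "IGNORE" and regex.search(header):
            continue                    # header is silently dropped
        kept.append(header)
    return kept


def received_lines(headers):
    """The Received: headers in a list of logical headers."""
    return [h for h in headers if h.lower().startswith("received:")]


if __name__ == "__main__":
    for name, raw in (("app", APP_MESSAGE_HEADERS), ("user", USER_MESSAGE_HEADERS)):
        remaining = received_lines(apply_header_checks(raw, HEADER_CHECKS_RULE))
        print("%s message: %d Received header(s) left" % (name, len(remaining)))
```

To wire the real rule in, put it in a file such as `/etc/postfix/header_checks_app`, reference that file with `header_checks = pcre:/etc/postfix/header_checks_app` in main.cf (or append the rule to the table main.cf already names) and run `postfix reload`. If the rule should apply to the 5877 service only rather than to all mail, Postfix allows a second cleanup service in master.cf with its own `-o header_checks=...`, selected from the 5877 smtpd entry with `-o cleanup_service_name=...`. Either way the MX controls only its own Received line; every later hop adds one of its own.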