Error sending email with 2020 policy (TLS 1.2)

Hi all, on my server I necessarily had to change the TLS policy to the version shown in the attachment, as several applications that use e-mail report a GSSAPI error for authentication over SSL/TLS. That is, after loading the latest 2020 policies, programs such as Thunderbird or the Veeam agent refrain from sending emails with the SSL option, while they work in the clear. Activating the older policies, they resume working. This happens for both ports 587 and 465. The only device that works over SSL is an iPhone XR with the Mail app.

Yes, some apps still don’t support it, but Thunderbird should work with the new policy.

I think you don’t need GSSAPI; here are my working TB SMTP settings:

[screenshot: Thunderbird SMTP settings]


@france does your server have a valid certificate for the hostname and/or the public IP?
Are your applications correctly configured, or capable of accepting a given certificate?
(Maybe the thread title could receive a little makeup.)


Hi Markuz, thanks for the info. I use Thunderbird and have no problems with TLS, but some applications report an error. When I change to the old TLS policy, everything starts working again.

So the lack of TLS 1.2 support is the “fault” of the application? :slight_smile:
Can these applications be named?


Hello, your observation is correct. In fact, I have been using a DDNS name with Let’s Encrypt for some time. NethServer uses the Let’s Encrypt certificate by default, and on the firewall the DDNS name is declared as an internal host.

Sorry Michael, I don’t understand what you mean. Maybe you wanted to ask whether the applications have additional parameters for the cipher settings?

I’ll try to explain what I mean…
If only some applications (names not reported here) have issues using TLS 1.2, maybe these applications do not support TLS 1.2, so the refusal to connect to SMTP is due to the application’s lack of TLS 1.2 support.

Or… I don’t know.
Your setup is not explained and the names of the applications are not given; maybe there is some workaround to make NethServer act as a relay with fewer security restrictions.

About a year ago I checked out a small list of settings that should be checked and restored if somebody is taking advantage of the server’s relaying.
Maybe this list could be used, at the cost of a little security flaw, for allowing some of your applications to use NethServer as an SMTP relay. Only if there’s a small enough fence for the applications, like DMZ, Green, or static public addresses.
Otherwise… you need to disclose more details to receive a security-reasonable suggestion.


Thanks for the reply. The applications that generated the error are Thunderbird and a Veeam agent. It is clear to me that the problem derives from TLS 1.2 support; I had suspected this based on the Postfix log reporting an authentication error. Relay for networks is actually disabled by default, but in the options panel you can allow relay for trusted networks. Your explanation was clear and thorough.
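One way to tell the two failure modes discussed in this thread apart, a client that cannot negotiate TLS 1.2 under the 2020 policy versus one that negotiates TLS 1.2 but then fails SASL authentication, is to group the Postfix smtpd log by client address before deciding whether the server policy or the client needs changing. The script below is an added example, not code from this thread or from NethServer; the log lines and the 192.0.2.x addresses are constructed samples.

```python
import re
from collections import defaultdict

# Constructed postfix/smtpd sample lines (not from the thread); RFC 5737 addresses.
SAMPLE_LOG = """Mar  3 09:12:01 mail postfix/smtpd[2101]: SSL_accept error from unknown[192.0.2.10]: -1
Mar  3 09:12:01 mail postfix/smtpd[2101]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:
Mar  3 09:12:05 mail postfix/smtpd[2102]: Anonymous TLS connection established from unknown[192.0.2.11]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  3 09:12:06 mail postfix/smtpd[2102]: warning: unknown[192.0.2.11]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 09:12:09 mail postfix/smtpd[2103]: Anonymous TLS connection established from unknown[192.0.2.12]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
"""

PID_RE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
CLIENT_RE = re.compile(r"from \S+\[([\d.:a-fA-F]+)\]")
ESTABLISHED_RE = re.compile(r"TLS connection established from \S+\[([\d.:a-fA-F]+)\]: (TLSv[\d.]+) with cipher (\S+)")
SASL_FAIL_RE = re.compile(r"warning: \S+\[([\d.:a-fA-F]+)\]: SASL \S+ authentication failed")
TLS_PROBLEM_RE = re.compile(r"TLS library problem: .*:(unsupported protocol|no shared cipher|wrong version number|version too low):")

def summarize(log_text):
    """Per client address: handshake failure reasons, negotiated TLS, SASL failures."""
    per_ip = defaultdict(lambda: {"handshake_failures": [], "tls": None, "auth_failures": 0})
    pending = {}  # smtpd pid -> client whose handshake just failed; the reason is logged next
    for line in log_text.splitlines():
        m = PID_RE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        if msg.startswith("SSL_accept error from"):
            pending[pid] = ip = CLIENT_RE.search(msg).group(1)
            per_ip[ip]["handshake_failures"].append("SSL_accept error")
        elif (m2 := TLS_PROBLEM_RE.search(msg)) and pid in pending:
            per_ip[pending.pop(pid)]["handshake_failures"][-1] = m2.group(1)
        elif m2 := ESTABLISHED_RE.search(msg):
            per_ip[m2.group(1)]["tls"] = (m2.group(2), m2.group(3))
        elif m2 := SASL_FAIL_RE.search(msg):
            per_ip[m2.group(1)]["auth_failures"] += 1
    return dict(per_ip)

def diagnose(summary):
    """Separate 'client cannot speak TLS 1.2' from 'TLS fine, credentials or auth method wrong'."""
    verdicts = {}
    for ip, info in summary.items():
        if info["handshake_failures"] and info["tls"] is None:
            verdicts[ip] = "tls-handshake: " + ", ".join(info["handshake_failures"])
        elif info["auth_failures"]:
            ver = info["tls"][0] if info["tls"] else "no TLS"
            verdicts[ip] = f"auth: {ver} negotiated, SASL failed {info['auth_failures']}x"
        else:
            verdicts[ip] = "ok"
    return verdicts
```

A "tls-handshake" verdict points at a client that needs updating or reconfiguring (or a narrowly scoped relay exception, as suggested above), while an "auth" verdict means the 2020 policy is not the cause and the account or authentication method in the client should be checked instead.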