No email from NAS since TLSv1.2

NethServer Version: 7.9.2009 (final)
Module: postfix (SMTP)

Hallo,

On 10.02.2021 we checked our system with Qualys SSL Labs > Result: B (in yellow)
That’s why we changed our TLS policy to 2020-05-10 (TLS1.2)
Now our result is A
All looks OK. But after a while we noticed that our QNAP-NAS doesn’t send reports (backups, updates, errors …) any more.
We checked the QNAP notification configuration. Nothing to object to. SMTP server 10.2.2.9:587 with TLS.
But if we press the test button there is an error message “Check SMTP configuration…”
NAS IP 172.20.20.254 is in our green network. NethServer is in the DMZ (orange). Firewall is IPFire.
Until 09.02.2021 the NAS sent reports - but where is the mistake in our configuration?
QNAP TS-212P
QTS 4.3.3.1432
I tested email via telnet from the NAS … and it was received fine at admin!

[~] # telnet -l user00 mail.firma.lan 587
    220 mail.firma.lan ESMTP Postfix
    EHLO mail.firma.lan
    250-mail.firma.lan
    250-PIPELINING
    250-SIZE 50000000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    MAIL FROM:user00@firma.lan
    250 2.1.0 Ok
    RCPT TO:admin@firma.lan
    250 2.1.5 Ok
    DATA
    354 End data with <CR><LF>.<CR><LF>
    Subject: TEST-mail

    Das ist ein Test via Telnet!

    .
    250 2.0.0 Ok: queued as 841A445873
    QUIT
    221 2.0.0 Bye
    Connection closed by foreign host.

AFAYK, does this version of QTS support TLS 1.2 or 1.3?

Excuse me - I’m not competent to find this information.
But if NethServer is set to TLS policy 2018-10-01, test mail from the QNAP-NAS is possible!
If I set NethServer to TLS policy 2020-05-10 (TLS1.2), test mail fails.
The NAS mail client is set in
System settings > General Settings > Notifications >

email account: Custom
SMTP server: < IP of nethserver >
Port number: 587
E-mail : user00@firma.lan
User name : user00
Password : ************
Secure connection: TLS

That’s all
Is it possible on NethServer to enable lower than TLS1.2 only in the local LAN? Or is it a risk?
The users user00@firma.lan and admin@firma.lan only send emails in the local LAN.

IMVHO, if the server is reachable from the internet, allowing “less” than TLS 1.2 might not be the best idea.
Therefore, if the NAS talks to NethServer via a “not untrusted” network (not Red, not Orange), maybe you can keep the more recent TLS policy and ask your NAS to talk to SMTP without encryption.
AFAIK NethServer could allow plain connection from selected network zones.

That’s the problem. NethServer is in orange (DMZ) and the NAS in the green network.
How to set NethServer to allow plain connections from the green network?

@rowihei

Hi

Maybe you could try to put that NAS in “Trusted Networks”, using subnet mask 255.255.255.255 for a single host…

Maybe it can help?

My 2 cents
Andy

It’s in the Email Relay Configuration Details. You may allow just the NAS IP or allow relay from trusted networks like the green one. Here is the documentation.

Thank you very much, but …

I know this site - allowing relay from the trusted network was already set.
Now I added the NAS IP to the list - but test mail failed again.
mail.log shows this:

Feb 23 10:59:25 msrv postfix/smtpd[3489]: connect from unknown[172.20.20.254]
Feb 23 10:59:25 msrv rspamd[366]: <870283>; proxy; proxy_accept_socket: accepted milter connection from /var/run/rspamd/worker-proxy port 0
Feb 23 10:59:25 msrv postfix/smtpd[3489]: SSL_accept error from unknown[172.20.20.254]: -1
Feb 23 10:59:25 msrv postfix/smtpd[3489]: warning: TLS library problem: 3489:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1435:
Feb 23 10:59:25 msrv postfix/smtpd[3489]: lost connection after STARTTLS from unknown[172.20.20.254]
Feb 23 10:59:25 msrv postfix/smtpd[3489]: disconnect from unknown[172.20.20.254]
Feb 23 10:59:25 msrv rspamd[366]: <870283>; milter; rspamd_milter_process_command: got connection from 172.20.20.254:49675
Feb 23 10:59:25 msrv rspamd[366]: <870283>; proxy; proxy_milter_finish_handler: finished milter connection

I’m confused - tried ports 25 | 587, tried with SSL | TLS | no encryption … every combination.
But nothing - tomorrow I’ll try again, today it’s enough…
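A triage script for the mail.log excerpt in the post above, added here as an example (it is not from the thread, NethServer or Postfix): it correlates the smtpd lines by worker process id, because the "TLS library problem" line carries no client IP, and reports which clients lost their connection right after STARTTLS and with which OpenSSL reason. Running it over the real log before touching the TLS policy shows whether only the NAS is affected or other clients fail too.

```python
import re
from collections import defaultdict

# Sample excerpt copied from the mail.log posted above (constructed test input).
SAMPLE_LOG = """\
Feb 23 10:59:25 msrv postfix/smtpd[3489]: connect from unknown[172.20.20.254]
Feb 23 10:59:25 msrv rspamd[366]: <870283>; proxy; proxy_accept_socket: accepted milter connection from /var/run/rspamd/worker-proxy port 0
Feb 23 10:59:25 msrv postfix/smtpd[3489]: SSL_accept error from unknown[172.20.20.254]: -1
Feb 23 10:59:25 msrv postfix/smtpd[3489]: warning: TLS library problem: 3489:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1435:
Feb 23 10:59:25 msrv postfix/smtpd[3489]: lost connection after STARTTLS from unknown[172.20.20.254]
Feb 23 10:59:25 msrv postfix/smtpd[3489]: disconnect from unknown[172.20.20.254]
"""

SMTPD = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CLIENT = re.compile(r"from (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]")
# OpenSSL error lines: "...:error:<code>:SSL routines:<function>:<reason>:..."
TLS_ERR = re.compile(
    r"TLS library problem: \d+:error:(?P<code>[0-9A-F]+):SSL routines:"
    r"(?P<func>[^:]+):(?P<reason>[^:]+):")


def starttls_failures(log_text):
    """Return {client_ip: {"reason": str, "failures": int}} for every client
    whose session died after STARTTLS. The OpenSSL reason is remembered per
    smtpd pid and attached to the next 'lost connection' of that worker."""
    last_reason = {}   # pid -> most recent OpenSSL reason string for that worker
    result = defaultdict(lambda: {"reason": None, "failures": 0})
    for line in log_text.splitlines():
        m = SMTPD.search(line)
        if not m:
            continue   # rspamd and other daemons are not part of the handshake
        pid, msg = m.group("pid"), m.group("msg")
        c = CLIENT.search(msg)
        if msg.startswith("connect from"):
            last_reason.pop(pid, None)  # a new session starts on this worker
        elif "TLS library problem" in msg:
            t = TLS_ERR.search(msg)
            last_reason[pid] = t.group("reason") if t else "unparsed TLS error"
        elif msg.startswith("lost connection after STARTTLS") and c:
            ip = c.group("ip")
            result[ip]["failures"] += 1
            result[ip]["reason"] = last_reason.get(pid, "unknown")
    return dict(result)


if __name__ == "__main__":
    for ip, info in starttls_failures(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} STARTTLS failure(s), reason: {info['reason']}")
```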

Is it possible to update the firmware of the NAS?

I’m afraid the NAS wants some old SSL cipher.

There’s an answer to your question in the QNAP forum, did you already go through it to check if TLS1.2 is supported?

https://forum.qnap.com/viewtopic.php?t=159655&p=780973#p780973

With a custom template the TLS policy settings of only postfix could be changed but better for security would be to update the NAS…

Hello,
today there’s an answer from QNAP Support about TLS1.2 on the QNAP TS-212P (QTS 4.3.3.1432):

No, it can’t. The NAS is too old and the firmware/device has long been out of support.

That means: buy a new NAS! and hope …
There is no chance - I’m frustrated.
And on NethServer I’ve allowed the trusted network (172.20.20.0/24).
The system reports from all servers in this network still arrive fine via good old blat.exe and other clients, only QNAP has a problem, I can’t understand it.
Now I found the syntax for testing TLS …
Via ssh on the QNAP-NAS console:

openssl ciphers -v | grep TLS
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
DH-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH/DSS Au=DH Enc=AESGCM(256) Mac=AEAD
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
DH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH/RSA Au=DH Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
DH-RSA-AES256-SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=AES(256) Mac=SHA256
DH-DSS-AES256-SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=AES(256) Mac=SHA256
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
DH-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=AESGCM(128) Mac=AEAD
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD
DH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
DHE-DSS-AES128-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(128) Mac=SHA256
DH-RSA-AES128-SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=AES(128) Mac=SHA256
DH-DSS-AES128-SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=AES(128) Mac=SHA256
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256

Looks like TLSv1.2 is there, but why the problems?