On 10.02.2021 we checked our system with Qualys SSL Labs: result B (in yellow).
That’s why we changed our TLS policy to 2020-05-10 (TLS 1.2).
Now our result is A
All looks OK. But after a while we noticed that our QNAP NAS doesn’t send reports (backups, updates, errors …).
We checked the QNAP notification configuration. Nothing to reject. SMTP server 10.2.2.9:587 with TLS.
But if we press the test button there is an error message “Check SMTP configuration…”
NAS IP 172.20.20.254 is in our green. NethServer is in DMZ orange. Firewall is IPFire.
Until 09.02.2021 the NAS sent reports, but where is the mistake in our configuration?
QNAP TS-212P
QTS 4.3.3.1432
I tested email via telnet from the NAS … and it was received fine at admin!
[~] # telnet -l user00 mail.firma.lan 587
220 mail.firma.lan ESMTP Postfix
EHLO mail.firma.lan
250-mail.firma.lan
250-PIPELINING
250-SIZE 50000000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:user00@firma.lan
250 2.1.0 Ok
RCPT TO:admin@firma.lan
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: TEST-mail
Das ist ein Test via Telnet!
.
250 2.0.0 Ok: queued as 841A445873
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
Excuse me, I’m not competent to find this information.
But if NethServer is set to TLS policy 2018-10-01, a test mail from the QNAP NAS is possible!
If I set NethServer to TLS policy 2020-05-10 (TLS 1.2), the test mail fails.
NAS mail client is set in
Systemsettings > General Settings > Notifications >
email account: Custom
SMTP server: < IP of nethserver >
Port number: 587
E-mail : user00@firma.lan
User name : user00
Password : ************
Secure connection: TLS
That’s all
Is it possible on NethServer to enable lower than TLS 1.2 only in the local LAN? Or is it a risk?
The users user00@firma.lan and admin@firma.lan send only emails in local LAN.
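The symptom described above (test mail works under policy 2018-10-01, fails under 2020-05-10) can be checked from any machine in the green network by probing which TLS versions the server accepts after STARTTLS on port 587. This is an added example, not part of the original thread; the `client_max` value for the NAS is an assumption, and certificate checks are disabled because only protocol versions are being tested.

```python
import smtplib
import ssl
import sys

# TLS versions to try, oldest first.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def probe(host, port, version, timeout=10):
    """Return True if the server completes STARTTLS pinned to exactly `version`."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False       # probe only: protocol versions are tested,
        ctx.verify_mode = ssl.CERT_NONE  # not the certificate chain
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let local OpenSSL offer legacy suites
        ctx.minimum_version = ctx.maximum_version = version
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return False
            smtp.starttls(context=ctx)
            return True
    except (ssl.SSLError, smtplib.SMTPException, OSError, ValueError):
        return False  # handshake refused, connection failed, or version not built in

def diagnose(accepted, client_max):
    """accepted: {name: bool} from probe(); client_max: newest version the client speaks."""
    order = list(VERSIONS)
    usable = [v for v in order[: order.index(client_max) + 1] if accepted.get(v)]
    legacy = [v for v in ("TLSv1.0", "TLSv1.1") if accepted.get(v)]
    if usable:
        note = "client can connect using " + usable[-1]
    else:
        note = "no common TLS version: client cannot complete STARTTLS"
    if legacy:
        note += "; server still accepts legacy " + "/".join(legacy)
    return note

if __name__ == "__main__":
    host = sys.argv[1]  # mail server name or IP as seen from the green network
    results = {name: probe(host, 587, v) for name, v in VERSIONS.items()}
    for name, ok in results.items():
        print(f"{name}: {'accepted' if ok else 'refused'}")
    print(diagnose(results, client_max="TLSv1.0"))  # assumed limit of the old NAS
```

Run it once under each TLS policy; a local OpenSSL build without legacy protocol support reports those versions as refused regardless of the server.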
IMVHO if the server is reachable from the internet, allowing “less” than TLS 1.2 might not be the better idea.
Therefore, if NAS talks to NethServer via “not untrusted” network (not Red, not Orange) maybe you can keep the TLS policy more recent and ask your NAS to talk to SMTP without encryption.
AFAIK NethServer could allow plain connection from selected network zones.
It’s in the Email Relay Configuration Details. You may allow just the NAS IP or allow relay from trusted networks like the green one. Here is the documentation.
Hello,
Today there’s an answer from QNAP support about TLS 1.2 on QNAP TS-212P (QTS 4.3.3.1432):
No, it cannot. The NAS is too old and the firmware/device has long been out of support.
That means: Buy a new NAS! and hope …
There is no chance - I’m frustrated.
And on NethServer I’ve allowed the trusted network (172.20.20.0/24).
The system reports from all servers in this network still arrive safely via good old blat.exe and other clients; only QNAP has a problem, I can’t understand it.
Now I found syntax for testing TLS …
Via SSH to the QNAP NAS console: