STARTTLS Unsupported

Issue #774 closed
Daniel Hunt created an issue

The SSL-Tools.net STARTTLS test for poste.io fails, stating that STARTTLS is unsupported. See the result for poste.io’s own mailserver: https://ssl-tools.net/mailservers/poste.io

I’m not sure if this is:

  • a fault of the tool
  • not actually a fault in poste.io (e.g. STARTTLS works fine, just the method this tool uses to test doesn’t)
  • actually a fault in poste.io

Thanks.

Comments (5)

  1. SH repo owner

    Well, the logs are self-explanatory in this case

    2020-06-30T14:38:03.515Z [DEBUG] [core] running capabilities hook in tls plugin
    2020-06-30T14:38:03.515Z [DEBUG] [core] hook=capabilities plugin=tls function=advertise_starttls params="" retval=CONT msg="STARTTLS disabled because previous attempt failed"
    

    SSL Tools is trying to connect with invalid ciphers, I guess. I am not sure if there is a way to handle these obsolete clients and respond to the tests in the right way.

  2. Daniel Hunt reporter

    Thanks for looking into this - we’re now using Poste as our mail server, so I just wanted to be super sure there weren’t any issues with our setup.

    Does this mean there’s no issue? I was trying to find a major mail server (Google, Yahoo, etc) that failed but couldn’t (which was why I thought the fault could potentially lie with Poste).

  3. SH repo owner

    Foddy, it is no issue - it is just a mechanism that guarantees receiving emails even from faulty clients. It works like this:

    1. remote delivery server connects and issues STARTTLS
    2. @$!#@!$@#$!
    3. remote delivery server disconnects due to TLS communication issues (old TLS/SSL or no matching ciphers)
    4. Haraka disables STARTTLS for that IP
    5. remote delivery server reconnects, does not issue STARTTLS, and tries to deliver instead

    The problem is that it is kind of incompatible with these tests if they purposefully try to connect with old ciphers.

  4. Roman

    I think this can be a major problem.

    If there is a single faulty client in your network (e.g. in a company behind NAT), STARTTLS may be disabled by the mail server for the whole IP address for 1 hour:

    [NOTICE] [tls] STARTTLS failed. Marking XXX.XXX.XXX.XXX as non-TLS host for 3600 seconds
    

    Then other clients in the same network (behind the same IP address) can’t use TLS either (and can’t send email at all).
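The sequence described in comment 3 and the shared-address consequence raised in comment 4, modelled as an added example. This is not code from the thread, from Haraka or from poste.io: it is an in-memory model of the per-IP "non-TLS host" mark, written in JavaScript because Haraka is a Node.js server. The 3600-second TTL comes from the log line quoted above; the class name StarttlsGate, its methods, the host name and the IP addresses are invented for illustration.

```javascript
// Added example (not Haraka's or poste.io's code): an in-memory model of the
// per-IP "non-TLS host" marking described in the thread.
// Assumptions: the 3600-second TTL is taken from the quoted log line; IP
// addresses, host name and clock values are constructed.

const NON_TLS_TTL_SECONDS = 3600;

class StarttlsGate {
  constructor(ttlSeconds = NON_TLS_TTL_SECONDS) {
    this.ttlSeconds = ttlSeconds;
    // ip -> epoch second at which the "non-TLS host" mark expires
    this.nonTlsUntil = new Map();
  }

  // Should STARTTLS be advertised in the EHLO response to this IP right now?
  shouldAdvertise(ip, now) {
    const until = this.nonTlsUntil.get(ip);
    if (until === undefined) return true;
    if (now >= until) {
      this.nonTlsUntil.delete(ip); // mark has expired, advertise again
      return true;
    }
    return false;
  }

  // Called when the TLS handshake following STARTTLS fails for a connection
  // from `ip`; the whole address is marked, not just the failing client.
  markNonTls(ip, now) {
    this.nonTlsUntil.set(ip, now + this.ttlSeconds);
    return `[NOTICE] [tls] STARTTLS failed. Marking ${ip} as non-TLS host for ${this.ttlSeconds} seconds`;
  }

  // EHLO capability lines the server would send to `ip` at time `now`.
  ehloResponse(ip, now) {
    const lines = ['250-mx.example.test', '250-PIPELINING', '250-SIZE 52428800'];
    if (this.shouldAdvertise(ip, now)) lines.push('250-STARTTLS');
    lines.push('250 8BITMIME');
    return lines;
  }
}

// What a sending client does with that EHLO response. A client that insists on
// TLS (e.g. a mail client configured for mandatory STARTTLS) refuses to send at
// all when STARTTLS is not advertised; an opportunistic client falls back to
// plaintext, which is the "tries to deliver instead" step in the thread.
function clientOutcome(ehloLines, requireTls) {
  const offered = ehloLines.includes('250-STARTTLS');
  if (offered) return 'sent-over-tls';
  return requireTls ? 'refused-no-starttls' : 'sent-in-plaintext';
}

// Replay the five-step sequence and the NAT situation.
function simulateNatScenario() {
  const gate = new StarttlsGate();
  const natIp = '203.0.113.10';   // constructed: one public IP shared by many clients
  const otherIp = '198.51.100.7'; // constructed: unrelated sender
  const t0 = 1593528000;          // constructed epoch seconds

  // Steps 1-3: a faulty client behind the NAT is offered STARTTLS, tries it, fails.
  const firstOffered = gate.ehloResponse(natIp, t0).includes('250-STARTTLS');
  // Step 4: the whole IP is marked as a non-TLS host.
  const logLine = gate.markNonTls(natIp, t0);

  // Step 5: the faulty client reconnects, is not offered STARTTLS, delivers in
  // plaintext. A well-behaved client behind the same NAT that requires TLS is
  // now refused as well.
  const faultyRetry = clientOutcome(gate.ehloResponse(natIp, t0 + 5), false);
  const goodClientSameNat = clientOutcome(gate.ehloResponse(natIp, t0 + 60), true);

  // A sender from a different address is unaffected.
  const unrelatedSender = clientOutcome(gate.ehloResponse(otherIp, t0 + 60), true);

  // Once the TTL elapses the mark expires and STARTTLS is advertised again.
  const afterExpiry = clientOutcome(gate.ehloResponse(natIp, t0 + NON_TLS_TTL_SECONDS), true);

  return { firstOffered, logLine, faultyRetry, goodClientSameNat, unrelatedSender, afterExpiry };
}

console.log(simulateNatScenario());
```

The model keys the mark on the source IP only, which is exactly why one broken client behind a NAT shadows every other client on that address until the mark expires; a per-IP key is the simplest thing for a server to use, since it has no other identity for an unauthenticated connection before STARTTLS.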
