v6.6 e-mail and TLS and STARTTLS

I have an RB750GL with ROS v6.6

I am trying to configure my RB to send emails to an email server which only accepts plain or SSL/TLS connections. The server does not offer or accept STARTTLS.

The following configuration sends emails over a plain connection - TLS is not started (because the server doesn't offer STARTTLS). I verified this by mirroring the egress port and using Wireshark.

/tool e-mail
set address=212.48.20.24 from=xxxxx@virgilio.it last-status=succeeded \
    password=xxxxxx port=587 start-tls=yes user=xxxxx

/tool e-mail> /tool e-mail send start-tls=yes to=xxxxx@gmail.com body="testSTARTTLS" subject="testtest"

I note that in going from ROS v5 to v6 the email TLS related parameters have changed their names from “tls” to “start-tls”. I assume that this means that the RB will now only use STARTTLS and not straight TLS.

Does anyone know how I can send emails over a TLS connection with a server that doesn't accept STARTTLS?

I don’t, but I thank you so much for your post. I have been beating my head against the wall for weeks trying to determine why my script that used to send email no longer works. I have looked at many forums and posts, made multiple changes to my script, reviewed the manual, all to no avail. And then I saw your post which mentioned that the parameter tls had been changed to start-tls. I changed the parameter and the script works! Thank you again.

I duplicated the /tool e-mail send in a terminal session and could never get the OS to accept the tls parameter.

there are 3 modes:

  1. no encryption - plain connection to port #25
  2. starttls session - connection is created and messages exchanged, after which STARTTLS is negotiated and from then on there is full encryption, on port #25 or #587
  3. ssl/tls - after connecting, a STARTTLS session is established and there is full encryption, on port #465

port numbers mentioned are the usual ones that are used.

Thanks for the reply.

I still don’t understand how to send email over TLS when the email server does not offer STARTTLS.

Many thanks

Stephen

I just tested this and RouterOS’s “start-tls=yes” feature doesn’t seem to handle SSL ports. Using openssl’s s_server feature with “-msg -debug -state” flags I get this output:

Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
bad gethostbyaddr
SSL_accept:before/accept initialization
read from 0x8014071d0 [0x8015d4000] (11 bytes => 6 (0x6))
0000 - 52 53 45 54 0d 0a                                 RSET..
read from 0x8014071d0 [0x8015d4006] (5 bytes => 5 (0x5))
0000 - 51 55 49 54 0d                                    QUIT.
SSL_accept:error in SSLv2/v3 read client hello A
ERROR
10761:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_srvr.c:578:
shutting down SSL
CONNECTION CLOSED

To me, this shows that instead of negotiating SSL, the RouterOS e-mail software is expecting the usual 200 welcome message from the email server and when it's not received it tries an RSET then eventually gives up.
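The difference between the three modes listed earlier in the thread (plain, STARTTLS upgrade, implicit SSL/TLS on 465) and the failure shown in the openssl output above comes down to one question: is the TLS handshake done before or after the first SMTP bytes are exchanged? The following is an added example, not code from the thread or from RouterOS, written to make that concrete. It is a small SMTP submission client that implements all three modes, and, unlike the behaviour the original poster observed, refuses to continue in cleartext when STARTTLS was requested but the server does not advertise it. The host name `mail.example`, the EHLO name `router.example` and the fake server are constructed for the demonstration; nothing here talks to Virgilio or Gmail.

```python
"""SMTP connection modes: plain, STARTTLS (RFC 3207) and implicit TLS (port 465).

Added example for the thread above; not RouterOS code. All hosts and the
fake server below are constructed for offline demonstration.
"""
import socket
import ssl
import threading


class SmtpTlsError(Exception):
    """Raised when the requested TLS mode cannot be honoured."""


def read_reply(sock):
    """Read one SMTP reply, handling multi-line '250-...' continuations.
    Returns (code, [text of each line without the 4-char prefix])."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise SmtpTlsError("connection closed while waiting for a reply")
        buf += chunk
        if buf.endswith(b"\r\n"):
            lines = buf[:-2].split(b"\r\n")
            last = lines[-1]
            # The final line of a reply is "NNN text" (space), continuations are "NNN-text".
            if len(last) == 3 or last[3:4] == b" ":
                break
    return int(lines[0][:3]), [ln[4:].decode("ascii", "replace") for ln in lines]


def send_cmd(sock, cmd):
    sock.sendall(cmd.encode("ascii") + b"\r\n")
    return read_reply(sock)


def ehlo(sock, name):
    """Issue EHLO and return the set of advertised capability keywords."""
    code, lines = send_cmd(sock, "EHLO " + name)
    if code != 250:
        raise SmtpTlsError("EHLO rejected with %d" % code)
    # First line is the server's domain; the rest are capability keywords.
    return {ln.split()[0].upper() for ln in lines[1:] if ln.strip()}


def open_session(host, port, mode, ctx=None, ehlo_name="router.example"):
    """Connect and return (socket, capabilities) with TLS established as requested.

    mode: "plain"    - no encryption (usually port 25)
          "starttls" - cleartext greeting and EHLO, then STARTTLS upgrade (25/587)
          "tls"      - TLS handshake before any SMTP bytes flow (465)
    """
    if mode not in ("plain", "starttls", "tls"):
        raise ValueError("mode must be plain, starttls or tls")
    ctx = ctx or ssl.create_default_context()
    sock = socket.create_connection((host, port), timeout=10)
    if mode == "tls":
        # Implicit TLS: wrap BEFORE reading the greeting. A client that instead
        # waits for "220 ..." here sees nothing and stalls, as in the openssl trace.
        sock = ctx.wrap_socket(sock, server_hostname=host)
    code, _ = read_reply(sock)
    if code != 220:
        sock.close()
        raise SmtpTlsError("unexpected greeting %d" % code)
    caps = ehlo(sock, ehlo_name)
    if mode == "starttls":
        if "STARTTLS" not in caps:
            # Do NOT fall back to cleartext: credentials would go out unprotected.
            send_cmd(sock, "QUIT")
            sock.close()
            raise SmtpTlsError("server does not advertise STARTTLS; refusing cleartext")
        code, _ = send_cmd(sock, "STARTTLS")
        if code != 220:
            sock.close()
            raise SmtpTlsError("STARTTLS refused with %d" % code)
        sock = ctx.wrap_socket(sock, server_hostname=host)
        caps = ehlo(sock, ehlo_name)  # RFC 3207: repeat EHLO after the upgrade
    return sock, caps


def try_session(host, port, mode):
    """Probe helper: returns a dict instead of raising."""
    try:
        sock, caps = open_session(host, port, mode)
    except SmtpTlsError as exc:
        return {"ok": False, "error": str(exc)}
    send_cmd(sock, "QUIT")
    sock.close()
    return {"ok": True, "caps": sorted(caps)}


def start_fake_server(offer_starttls):
    """Constructed cleartext SMTP server on 127.0.0.1 serving one session; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"220 mail.example ESMTP (constructed)\r\n")
        for line in conn.makefile("rb"):
            cmd = line.strip().upper()
            if cmd.startswith(b"EHLO"):
                reply = b"250-mail.example\r\n250-SIZE 10240000\r\n"
                if offer_starttls:
                    reply += b"250-STARTTLS\r\n"
                conn.sendall(reply + b"250 AUTH LOGIN PLAIN\r\n")
            elif cmd.startswith(b"QUIT"):
                conn.sendall(b"221 bye\r\n")
                break
            else:
                conn.sendall(b"502 not implemented\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    print(try_session("127.0.0.1", start_fake_server(offer_starttls=False), "starttls"))
```

Run stand-alone, the script starts a fake server that does not offer STARTTLS and shows the client refusing to proceed. Against a real server, `open_session(host, 465, "tls")` is the implicit-TLS path the original poster needed, and `open_session(host, 587, "starttls")` is the upgrade path; the fake server is plaintext only, so the TLS handshake itself is only exercised against a real endpoint.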

I agree I can’t see any option to do SSL as soon as the socket connects - looks like it’s STARTTLS or nothing. I can’t even find any reference to Virgilio even offering SSL or TLS!