Community discussions

MikroTik App
Topic Author
Posts: 29
Joined: Sun Jan 22, 2012 6:26 pm
Location: Italy

v6.6 e-mail and TLS and STARTTLS

Sat Nov 09, 2013 3:53 pm

I have an RB750GL with ROS v6.6

I am trying to configure my RB to send emails to a email server which only accepts plain or SSL/TLS connectsion. The server does not offer or accept STARTTLS.

The following configurations sends emails over a plain connection - TLS is not started (because the server doesnt offer STARTTLS). I verified this by mirroring the egress port and using wireshark.
/tool e-mail
set address= last-status=succeeded \
    password=xxxxxx port=587 start-tls=yes user=xxxxx

/tool e-mail> /tool e-mail send start-tls=yes body="testSTARTTLS" subject="testtest"
I note that in going from ROS v5 to v6 the email TLS related parameters have changed their names from "tls" to "start-tls". I assume that this means that the RB will now only use STARTTLS and not straight TLS.

Does anyone know how I can send emails over a TLS connection with a server that doesnt accept STARTTLS?
just joined
Posts: 1
Joined: Sun Jan 06, 2013 3:53 am

Re: v6.6 e-mail and TLS and STARTTLS

Wed May 21, 2014 6:12 am

I don't, but I thank you so much for your post. I have been beating my head against the wall for weeks trying to determine why my script that used to send email no longer works. I have looked at many forums and posts, made multiple changes to my script, reviewed the manual, all to no avail. And then I saw your post which mentioned that the parameter tls had been changed to start-tls. I changed the parameter and the script works! Thank you again.

I duplicated the /tool e-mail send in a terminal session and could never get the OS to accept the tls parameter.
User avatar
MikroTik Support
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: v6.6 e-mail and TLS and STARTTLS

Wed May 21, 2014 8:28 am

there are 3 modes:
1) no encryption - plain connection to port #25
2) starttls session - connection is created and messages exchanged, after what STARTTLS is negotiated from now on, full encryption on port #25 or #587
3) ssl/tls - after connection STARTTLS session is established and full encryption on port #465

port numbers mentioned are the usual ones that are used.
Topic Author
Posts: 29
Joined: Sun Jan 22, 2012 6:26 pm
Location: Italy

Re: v6.6 e-mail and TLS and STARTTLS

Wed May 21, 2014 9:06 am

Thanks for the reply.

I still don't understand how to send email over TLS when the email server does not offer STARTTLS.

Many thanks

User avatar
Frequent Visitor
Frequent Visitor
Posts: 78
Joined: Sat Nov 17, 2012 12:17 pm

Re: v6.6 e-mail and TLS and STARTTLS

Wed May 21, 2014 11:38 am

I just tested this and RouterOS's "start-tls=yes" feature doesn't seem to handle SSL ports. Using openssl's s_server feature with "-msg -debug -state" flags I get this output:
Using default temp DH parameters
Using default temp ECDH parameters
bad gethostbyaddr
SSL_accept:before/accept initialization
read from 0x8014071d0 [0x8015d4000] (11 bytes => 6 (0x6))
0000 - 52 53 45 54 0d 0a                                 RSET..
read from 0x8014071d0 [0x8015d4006] (5 bytes => 5 (0x5))
0000 - 51 55 49 54 0d                                    QUIT.
SSL_accept:error in SSLv2/v3 read client hello A
10761:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_srvr.c:578:
shutting down SSL
To me, this shows that instead of negotiating SSL, the RouterOS e-mail software is expecting the usual 200 welcome message from the email server and when it's not received it tries a RSET then eventually gives up.

I agree I can't see any option to do SSL as soon as the socket connects - looks like it's STARTTLS or nothing. I can't even find any reference to Virgilio even offering SSL or TLS!

Who is online

Users browsing this forum: AndyGs, Bing [Bot], eworm, repmohc, rioven, Znevna and 94 guests