530 5.7.0 Must issue a STARTTLS command first


I have RedHat 9 and I’ve followed the “Gmail on Home Linux Box using Postfix and Fetchmail” instructions with what I thought was great success (I didn’t see any errors through the process). I’ve got the fetchmail piece working just fine, but I just can’t seem to find what I’ve done wrong with the postfix config. I’ve searched Google for the error below and got some hits but no answers that fixed my problem. You can see the error log below.

Postfix Error: 530 5.7.0 Must issue a STARTTLS command first

My network architecture:
lnxsrv01.domain01.sw(RH9, Postfix) --> Cisco Firewall--> INTERNET-->smtp.google.com

Can you point me in a direction to figure out what is causing this?

Thanks for your help
Dave

/var/log/maillog:
Apr  7 14:57:54 lnxsrv01 postfix/qmgr[4584]: A5BF21C050: from=<root@domain01.sw>, size=428, nrcpt=1 (queue active)
Apr  7 14:57:54 lnxsrv01 postfix/smtp[4587]: initializing the client-side TLS engine
Apr  7 14:57:54 lnxsrv01 postfix/smtp[4587]: A5BF21C050: to=<user100@companyx.com>, relay=smtp.gmail.com[64.233.167.109], delay=10, status=bounced (host smtp.gmail.com[64.233.167.109] said: 530 5.7.0 Must issue a STARTTLS command first v50sm12660pyv (in reply to MAIL FROM command))
Apr  7 14:57:54 lnxsrv01 postfix/cleanup[4585]: D987D1C052: message-id=<20060407185754.D987D1C052@lnxsrv01.domain01.sw>
Apr  7 14:57:54 lnxsrv01 postfix/qmgr[4584]: D987D1C052: from=<>, size=2346, nrcpt=1 (queue active)
Apr  7 14:57:54 lnxsrv01 postfix/qmgr[4584]: A5BF21C050: removed
Apr  7 14:57:55 lnxsrv01 postfix/smtp[4587]: D987D1C052: to=<root@domain01.sw>, relay=smtp.gmail.com[64.233.167.111], delay=1, status=bounced (host smtp.gmail.com[64.233.167.111] said: 530 5.7.0 Must issue a STARTTLS command first d13sm44592pyd (in reply to MAIL FROM command))
Apr  7 14:57:55 lnxsrv01 postfix/qmgr[4584]: D987D1C052: removed

Not to confuse the issue, but I was doing some troubleshooting by taking postfix out of the equation, using the openssl s_client command, and I get the following error message from smtp.gmail.com: 502 5.5.1 Unrecognized command after the STARTTLS has been issued, which results in SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:601. Does this help?


lnxsrv01:/root# openssl s_client -starttls smtp -debug -CApath /usr/share/ssl/certs/ -connect smtp.gmail.com:25
CONNECTED(00000003)
read from 08194320 [08174D80] (8192 bytes => 39 (0x27))
0000 - 32 32 30 20 2a 2a 2a 2a-2a 2a 2a 2a 2a 2a 2a 2a   220 ************
0010 - 2a 2a 2a 2a 2a 2a 2a 2a-2a 2a 2a 2a 2a 2a 2a 2a   ****************
0020 - 2a 2a 2a 2a 2a 0d 0a                                            *****..
write to 08194320 [BFFFEAA0] (21 bytes => 21 (0x15))
0000 - 45 48 4c 4f 20 73 6f 6d-65 2e 68 6f 73 74 2e 6e   EHLO some.host.n
0010 - 61 6d 65 0d 0a                                                   ame..
read from 08194320 [08174D80] (8192 bytes => 106 (0x6A))
0000 - 32 35 30 2d 6d 78 2e 67-6d 61 69 6c 2e 63 6f 6d   250-mx.gmail.com
0010 - 20 61 74 20 79 6f 75 72-20 73 65 72 76 69 63 65    at your service
0020 - 0d 0a 32 35 30 2d 53 49-5a 45 20 32 30 39 37 31   ..250-SIZE 20971
0030 - 35 32 30 0d 0a 32 35 30-2d 38 42 49 54 4d 49 4d   520..250-8BITMIM
0040 - 45 0d 0a 32 35 30 2d 58-58 58 58 58 58 58 41 0d   E..250-XXXXXXXA.
0050 - 0a 32 35 30 20 45 4e 48-41 4e 43 45 44 53 54 41   .250 ENHANCEDSTA
0060 - 54 55 53 43 4f 44 45 53-0d 0a                               TUSCODES..
write to 08194320 [BFFFEAA0] (10 bytes => 10 (0xA))
0000 - 53 54 41 52 54 54 4c 53-0d 0a                               STARTTLS..
read from 08194320 [08172D78] (8192 bytes => 47 (0x2F))
0000 - 35 30 32 20 35 2e 35 2e-31 20 55 6e 72 65 63 6f    502 5.5.1 Unreco
0010 - 67 6e 69 7a 65 64 20 63-6f 6d 6d 61 6e 64 20 32    gnized command 2
0020 - 34 73 6d 33 32 38 30 30-39 31 6e 7a 6e 0d 0a       4sm3280091nzn..
write to 08194320 [081AF8D0] (148 bytes => 148 (0x94))
0000 - 80 92 01 03 01 00 69 00-00 00 20 00 00 39 00 00   ......i... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03   ..3..2../.......
0030 - 00 80 00 00 66 00 00 05-00 00 04 01 00 80 08 00   ....f...........
0040 - 80 00 00 63 00 00 62 00-00 61 00 00 15 00 00 12   ...c..b..a......
0050 - 00 00 09 06 00 40 00 00-65 00 00 64 00 00 60 00   .....@..e..d..`.
0060 - 00 14 00 00 11 00 00 08-00 00 06 04 00 80 00 00   ................
0070 - 03 02 00 80 b0 c3 5e 1d-87 5a ea 1c 64 d5 ef 94   ......^..Z..d...
0080 - 17 c0 9b b0 84 cc a5 68-75 2f 18 7e 76 1d ea 3f   .......hu/.~v..?
0090 - 2d dc 1c c4                                       -...
read from 08194320 [081B4E30] (7 bytes => 7 (0x7))
0000 - 35 30 32 20 35 2e 35                              502 5.5
11686:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:601:
Asked by Surefoot3

2 Solutions
Cyclops3590 commented:
First, let's turn up the logging for postfix. In the master.cf file one of the first lines (uncommented, that is) you should see is something like this:
smtp  inet - - - - smtpd
Add to this line so that the end says "smtpd -v -v" instead of just "smtpd".

This will turn on verbose logging so that you will be able to see the entire smtp communication in the logs.

WARNING: if your server has a lot of traffic then do not have this active for long or your logs will really balloon out of control.
After you get that changed, restart postfix (not just a reload; my personal preference, to ensure the entire postfix daemon is running correctly), then post the relevant logs.

You might want to post a sanitized copy of the main.cf as well. I don't want to speculate on what I think it is until I get a little more information.
Nopius commented:
Read the Gmail docs.
http://mail.google.com/support/bin/answer.py?answer=13285
The STARTTLS command is available on port 587, not on 25.
Cyclops3590 commented:
In which case it should be a simple change of the relay you are using. Instead of "smtp.google.com" it should just be "smtp.google.com:587".
rid commented:
I don't think the gmail smtp server listens on port 25 for mail, anyway, but a custom port. It also uses SMTPAUTH, if I'm not mistaken. At least for regular, non-paying customers.
/RID
Cyclops3590 commented:
Surefoot3, are you finding any of this to be any help at all?
Surefoot3 (Author) commented:
Thank you all for the help. I actually solved this myself (I continued working the problem) by buying "The Book of Postfix" and finding out how to turn on deeper-level logging.

I'm going to award 450 points to Cyclops3590 because he/she would have led me down the right path to figuring out the multiple issues that I had in my configuration, and 50 points to Nopius for picking up the port 587 issue I had.

The answer was multi-layered and I began to find it out by locating where to turn on the additional logging for the smtp process. In my scenario, postfix was acting as the client connecting to Google's smtpd server, so I found the master.cf file and modified the smtp line to include "smtp -v" on it. Then /var/log/maillog started to include a bunch of good error messages to help me track it down.

A. Turn on logging.
master.cf
smtp      unix  -       -       n       -       -       smtp -v

B. main.cf changes. (See my comments below on what I changed to get it to work.)

relayhost = [smtp.gmail.com]:587
    --> Can't use the default port with gmail, it must be 587.
disable_dns_lookups = yes
queue_directory = /var/spool/postfix
program_directory = /usr/libexec/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_spool_directory = /var/spool/mail
mailbox_command = /usr/bin/procmail
mail_owner = postfix
default_privs = nobody
debug_peer_level = 1
local_destination_concurrency_limit = 2
default_destination_concurrency_limit = 20
mynetworks = 10.1.1.0/24, 127.0.0.0/8
myhostname = lnxsrv01.domain01.sw
mydomain = domain01.sw
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, $mydomain
smtp_tls_loglevel = 1
smtp_enforce_tls = no
    --> I had this set to YES and had to change it to NO.
        smtp.gmail.com is actually a CNAME value and this postfix setting forces a
        comparison of the DNS A record gmail-smtp.l.google.com that the smtp.gmail.com
        CNAME points to with the common name (CN) value in the public certificate I
        downloaded from gmail.com. The CN value in the certificate is smtp.gmail.com,
        so the TLS session was not authenticating Gmail's public certificate.
        dig smtp.gmail.com
            smtp.gmail.com.          300  IN  CNAME  gmail-smtp.l.google.com.
            gmail-smtp.l.google.com. 300  IN  A      64.233.163.111
            gmail-smtp.l.google.com. 300  IN  A      64.233.163.109

smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_cert_file = /etc/postfix/lnxsrv01-cert.pem
smtp_tls_key_file = /etc/postfix/lnxsrv01-key.pem
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    --> The next changes took place in here. Because the relayhost value changed
        above, postfix actually looks for the exact same value in your passwd file.
        My sasl_passwd file contains the following:
        [smtp.gmail.com]:587    xxxxxx@gmail.com:yyyyyy
smtp_sasl_security_options = noanonymous
inet_interfaces = all
default_transport = smtp
sender_canonical_maps = hash:/etc/postfix/sender_canonical
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
transport_maps = hash:/etc/postfix/transport
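Added example (not code from the thread or from Postfix): a small Python script that parses a raw EHLO reply like the one in the openssl dump above and reports whether the server advertises STARTTLS, and that matches a certificate name against a host name to show why checking the configured relay name (smtp.gmail.com) succeeds while checking the CNAME target (gmail-smtp.l.google.com) fails, so TLS enforcement can stay on rather than be disabled. The EHLO replies are constructed from the dump; the names are the ones from the answer's dig output and certificate CN.

```python
# Constructed sample, transcribed from the EHLO reply in the question's
# openssl dump: Gmail on port 25 advertised no STARTTLS extension.
EHLO_PORT25 = (b"250-mx.gmail.com at your service\r\n250-SIZE 20971520\r\n"
               b"250-8BITMIME\r\n250-XXXXXXXA\r\n250 ENHANCEDSTATUSCODES\r\n")
# Constructed reply of the kind the submission port (587) returns.
EHLO_PORT587 = (b"250-mx.gmail.com at your service\r\n250-SIZE 20971520\r\n"
                b"250-STARTTLS\r\n250 ENHANCEDSTATUSCODES\r\n")

def parse_reply(raw: bytes) -> tuple:
    """Split an SMTP reply into (code, text lines): continuation lines are
    'NNN-text', the final line is 'NNN text' (RFC 5321 section 4.2.1)."""
    code, lines = None, []
    for line in raw.decode("ascii").split("\r\n"):
        if len(line) < 4 or not line[:3].isdigit() or line[3] not in "- ":
            raise ValueError(f"malformed reply line: {line!r}")
        if code is None:
            code = int(line[:3])
        elif int(line[:3]) != code:
            raise ValueError("reply code changed mid-reply")
        lines.append(line[4:])
        if line[3] == " ":  # final line of the reply
            return code, lines
    raise ValueError("reply has no final line")

def starttls_offered(ehlo_reply: bytes) -> bool:
    """True if the EHLO reply lists STARTTLS. Issuing MAIL FROM without it
    on a server that requires TLS gives the thread's 530 5.7.0 rejection."""
    code, lines = parse_reply(ehlo_reply)
    # lines[0] is the server greeting; the rest are 'KEYWORD [params]'
    exts = {l.split()[0].upper() for l in lines[1:] if l.strip()}
    return code == 250 and "STARTTLS" in exts

def cert_name_matches(cert_names: list, hostname: str) -> bool:
    """Match a host name against certificate DNS names (CN or SAN), with one
    leftmost-label wildcard as in RFC 6125; trailing dots are ignored."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        n = name.lower().rstrip(".")
        if n == host or (n.startswith("*.") and "." in host
                         and host.split(".", 1)[1] == n[2:]):
            return True
    return False

if __name__ == "__main__":
    print("port 25 offers STARTTLS:", starttls_offered(EHLO_PORT25))
    print("port 587 offers STARTTLS:", starttls_offered(EHLO_PORT587))
    # Matching the configured relay name succeeds; the CNAME target does not.
    print(cert_name_matches(["smtp.gmail.com"], "smtp.gmail.com"))
    print(cert_name_matches(["smtp.gmail.com"], "gmail-smtp.l.google.com"))
```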
Cyclops3590 commented:
For future ref, I'm a he.

You'll love that book.  I own 5 postfix books and that one is no contest the best one I've come across for explaining everything in postfix.
ikfrancis commented:
I had the same problem but using IMAP in Outlook 2003. The Google-specific help page is: http://mail.google.com/support/bin/answer.py?answer=77661&topic=12920

Kind regards