Amazon SES "/SECURITY=REQUIRED set, but TLS is not available"


Amazon SES "/SECURITY=REQUIRED set, but TLS is not available"

Szépe Viktor

Hello!

I hope Amazon SES is "supported" by courier.

0) courier 0.73.1-1.6 libssl 1.0.1t-1+deb8u6

1) SES requires STARTTLS, so without /SECURITY=REQUIRED
SES says: 530 Must issue a STARTTLS command first

2) TLS_VERIFYPEER=NONE in courierd

3) openssl s_client -connect email-smtp.us-west-2.amazonaws.com:587 -starttls smtp -crlf
says:

subject=/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=email-smtp.us-west-2.amazonaws.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4

Verify return code: 0 (ok)

4) ECDHE-RSA-AES256-GCM-SHA384 is used during s_client, it is in TLS_CIPHER_LIST

5) in esmtproutes:
: email-smtp.us-west-2.amazonaws.com,587 /SECURITY=REQUIRED

6) telnet email-smtp.us-west-2.amazonaws.com 587
220 email-smtp.amazonaws.com ESMTP SimpleEmailService-1868680227 MmKC14V2dPS1oRPRtSjF

Courier says: /SECURITY=REQUIRED set, but TLS is not available
Could it be that Courier compares the SMTP banner (email-smtp.amazonaws.com) to the certificate CN, not the specified host name (email-smtp.us-west-2.amazonaws.com)?

Thank you!



SZÉPE Viktor
https://github.com/szepeviktor/debian-server-tools/blob/master/CV.md
--
+36-20-4242498  [hidden email]  skype: szepe.viktor
Budapest, III. kerület





------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
courier-users mailing list
[hidden email]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

Re: Amazon SES "/SECURITY=REQUIRED set, but TLS is not available"

Sam Varshavchik
SZÉPE Viktor writes:

> 6) telnet email-smtp.us-west-2.amazonaws.com 587
> 220 email-smtp.amazonaws.com ESMTP SimpleEmailService-1868680227
> MmKC14V2dPS1oRPRtSjF
>
> Courier says: /SECURITY=REQUIRED set, but TLS is not available
> Could it be that Courier compares the SMTP banner
> (email-smtp.amazonaws.com) to the certificate CN, not the specified
> host name (email-smtp.us-west-2.amazonaws.com) ?

Looks like that server uses a self-signed certificate, and if it's not added to your trusted certificate store, TLS negotiation will fail.

You would think that Amazon has the resources to pay itself a few bucks each year, for a properly signed certificate.

You'll have to reset TLS_VERIFYPEER to NONE, in the esmtpd-ssl config file.



Re: Amazon SES "/SECURITY=REQUIRED set, but TLS is not available"

Szépe Viktor
Quoting Sam Varshavchik <[hidden email]>:

> SZÉPE Viktor writes:
>
>> 6) telnet email-smtp.us-west-2.amazonaws.com 587
>> 220 email-smtp.amazonaws.com ESMTP SimpleEmailService-1868680227
>> MmKC14V2dPS1oRPRtSjF
>>
>> Courier says: /SECURITY=REQUIRED set, but TLS is not available
>> Could it be that Courier compares the SMTP banner
>> (email-smtp.amazonaws.com) to the certificate CN, not the specified
>> host name (email-smtp.us-west-2.amazonaws.com) ?
>
> Looks like that server uses a self-signed certificate, and if it's  
> not added to your trusted certificate store, TLS negotiation will  
> fail.
>
> You would think that Amazon has the resources to pay itself a few  
> bucks each year, for a properly signed certificate.
>
> You'll have to reset TLS_VERIFYPEER to NONE, in the esmtpd-ssl config file.

Thank you for your answer.

$ grep ^TLS_VERIFYPEER /etc/courier/*
/etc/courier/courierd:TLS_VERIFYPEER=NONE
/etc/courier/esmtpd:TLS_VERIFYPEER=NONE

esmtpd-ssl is not installed (on Debian it is the courier-mta-ssl package)

Amazon has a properly signed certificate.

Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4

You may get it by
openssl s_client -connect email-smtp.us-west-2.amazonaws.com:587 -starttls smtp -crlf

Please try adding this to esmtproutes
#: email-smtp.us-west-2.amazonaws.com,587 /SECURITY=REQUIRED

and this to esmtpauthclient
email-smtp.us-west-2.amazonaws.com,587 SOMEID SOMEKEY

and try to send a simple email with courier.

I do hope Amazon SES is supported.

Thank you!



SZÉPE Viktor
https://github.com/szepeviktor/debian-server-tools/blob/master/CV.md
--
+36-20-4242498  [hidden email]  skype: szepe.viktor
Budapest, III. kerület






Re: Amazon SES "/SECURITY=REQUIRED set, but TLS is not available"

Sam Varshavchik
SZÉPE Viktor writes:

>
> Thank you for your answer.
>
> $ grep ^TLS_VERIFYPEER /etc/courier/*
> /etc/courier/courierd:TLS_VERIFYPEER=NONE
> /etc/courier/esmtpd:TLS_VERIFYPEER=NONE

Look in /proc and verify what TLS_VERIFYPEER is set to. This is a certificate verification error, and TLS_VERIFYPEER=NONE disables it.

Also verify that TLS_TRUSTCERTS is pointing to your trusted certificate authority list. With the CA certs on Fedora in /etc/pki/tls/cert.pem:

$ addcr | TLS_VERIFYPEER=PEER TLS_TRUSTCERTS=/etc/pki/tls/cert.pem ./couriertls -host=email-smtp.us-west-2.amazonaws.com -port=587 -protocol=smtp
220 email-smtp.amazonaws.com ESMTP SimpleEmailService-1868680227 mCOkgyUFhRGTqHk4KAqP
EHLO octopus.email-scan.com
250-email-smtp.amazonaws.com
250-8BITMIME
250-SIZE 10485760
250-STARTTLS
250-AUTH PLAIN LOGIN
250 Ok
STARTTLS
220 Ready to start TLS
EHLO www.courier-mta.com
250-email-smtp.amazonaws.com
250-8BITMIME
250-SIZE 10485760
250-STARTTLS
250-AUTH PLAIN LOGIN
250 Ok
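The manual couriertls check above, and the question earlier in the thread about whether the banner name or the connected host name is compared with the certificate, can be reproduced from the command line with Python's standard library. The following script is an added example and is not code from the courier-users thread or from the Courier project. It connects to a submission port, parses the EHLO reply for STARTTLS, upgrades the session with peer verification turned on against a CA bundle (the equivalent of TLS_VERIFYPEER=PEER plus TLS_TRUSTCERTS), and returns the verified certificate subject next to the host name from the 220 banner. The sample banner and EHLO reply embedded for offline use are constructed from the lines quoted in the thread; the host, port and CA bundle path are parameters the caller supplies.

```python
"""Added example: verify an SMTP submission endpoint's STARTTLS certificate
the way Courier does with TLS_VERIFYPEER=PEER and TLS_TRUSTCERTS, using only
the Python standard library. Not code from the courier-users thread or the
Courier project."""
import smtplib
import ssl

# Constructed sample data, in the shape smtplib returns replies (response
# codes already stripped, one line per 250 line), built from the lines quoted
# in the thread. Not captured by this script.
SAMPLE_BANNER = (b"email-smtp.amazonaws.com ESMTP SimpleEmailService-1868680227 "
                 b"MmKC14V2dPS1oRPRtSjF")
SAMPLE_EHLO = (b"email-smtp.amazonaws.com\n8BITMIME\nSIZE 10485760\n"
               b"STARTTLS\nAUTH PLAIN LOGIN\nOk")


def ehlo_features(ehlo_msg: bytes) -> dict:
    """Parse an EHLO reply body into {KEYWORD: arguments}.
    The first line is the server's name, not an extension, so it is skipped."""
    features = {}
    for line in ehlo_msg.decode("ascii", "replace").splitlines()[1:]:
        parts = line.split(None, 1)
        if parts:
            features[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return features


def offers_starttls(ehlo_msg: bytes) -> bool:
    """True when STARTTLS was advertised; without it a /SECURITY=REQUIRED
    route cannot be satisfied at all."""
    return "STARTTLS" in ehlo_features(ehlo_msg)


def banner_host(banner: bytes) -> str:
    """First token of the 220 greeting (e.g. 'email-smtp.amazonaws.com').
    This name plays no part in certificate verification."""
    tokens = banner.decode("ascii", "replace").split()
    return tokens[0] if tokens else ""


def verifying_context(cafile):
    """Build a context that requires a chain to a CA in `cafile` (None means
    the platform default store) and a certificate name matching the host
    passed to connect(), i.e. TLS_VERIFYPEER=PEER + TLS_TRUSTCERTS=cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def check_submission_tls(host, port=587, cafile=None, timeout=15):
    """Connect, EHLO, STARTTLS with verification, and report what was seen.
    Raises ssl.SSLCertVerificationError when the chain or the name does not
    verify, which is the condition Courier reports as 'TLS is not available'."""
    smtp = smtplib.SMTP(timeout=timeout)
    try:
        code, banner = smtp.connect(host, port)
        if code != 220:
            raise RuntimeError(f"unexpected greeting {code} {banner!r}")
        code, ehlo_msg = smtp.ehlo()
        if code != 250 or not offers_starttls(ehlo_msg):
            raise RuntimeError("server did not advertise STARTTLS")
        smtp.starttls(context=verifying_context(cafile))
        cert = smtp.sock.getpeercert()  # only populated because verification is on
        return {
            "banner_host": banner_host(banner),
            "connected_host": host,  # the name the certificate had to match
            "subject": dict(rdn[0] for rdn in cert["subject"]),
            "issuer": dict(rdn[0] for rdn in cert["issuer"]),
            "cipher": smtp.sock.cipher()[0],
        }
    finally:
        smtp.close()


if __name__ == "__main__":
    import sys
    # Usage: python3 check_starttls.py HOST [CA_BUNDLE]
    # e.g. /etc/ssl/certs/ca-certificates.crt on Debian, /etc/pki/tls/cert.pem on Fedora
    target = sys.argv[1] if len(sys.argv) > 1 else "email-smtp.us-west-2.amazonaws.com"
    bundle = sys.argv[2] if len(sys.argv) > 2 else None
    print(check_submission_tls(target, cafile=bundle))
```

If the script raises ssl.SSLCertVerificationError while the openssl s_client check returns "Verify return code: 0 (ok)", the difference is almost always the CA bundle: point `cafile` at the same file openssl used. If it succeeds here but Courier still refuses the route, the running courierd is not using the TLS_VERIFYPEER / TLS_TRUSTCERTS values you expect, which is what the /proc check in the reply above is for.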



