e-Mail: option to turn StartTLS off needed

Stefan Müller

Feb 4, 2021, 5:41:43 PM
to Alt-F

Greetings and thanks so much for keeping these precious boxes alive! My ancient DNS-323 has served me perfectly well over the past few years as a silent off-site data vault. In the course of adding a less ancient DNS-320 to the family, I came across great difficulties when configuring the e-mail set-up that I had left untouched so far.
Testing from the command line with 'msmtp --debug' leaves msmtp stuck with the last line reading "reading recipients from the command line and the mail". This is not very informative but is caused by the fact that msmtp enables StartTLS by default.
Long story short, I can only send e-mail through my provider when StartTLS is turned off in /etc/msmtprc. The necessary stanza is 'tls_starttls off'.
I can put it there via SSH and have the settings saved but every e-mail test will re-set it. So that is not a real solution.
I do not know much about StartTLS. The man page of msmtp explains it to some extent and I remember having seen it in some e-mail clients like Thunderbird, so it must be pretty well-known.
João, do you see a possibility to include such a setting into Alt-F somehow?
Cheers!
sm

João Cardoso

Feb 5, 2021, 12:14:34 PM
to Alt-F
I'm not sure if the issue is not really with the SSL certificates. Your mail server certificates might have expired or changed. Alt-F ships with a set of really old certificates. But that might be another issue.

To solve the problem at hand you can
1. put the "tls_starttls off" directive in the /etc/msmtprc file and do not use the Mail Setup webUI afterwards. You can test mail by just typing 'echo Ello | mail -s "Test" you@yourserver'
2. edit /usr/www/cgi-bin/mail_proc.cgi and insert the "tls_starttls off" at around line 56, as in

echo "
tls_trust_file  /etc/ssl/ca-bundle.crt
syslog          on
host    $host
tls             $tls
tls_starttls off
auth    $auth
from    $from
aliases $CONFA" > $CONFF

This hard-codes that directive in the configuration file; you can add or remove a leading '#' to the line to experiment with/without it.
Before doing the above edit, execute the following commands:

aufs.sh -n
mkdir -p /Alt-F/usr/www/cgi-bin/
aufs.sh -r

Let me know if it works.

Cheers!
sm

Stefan Müller

Feb 5, 2021, 3:23:01 PM
to Alt-F
Solution nr. 2 works great and is persistent across re-boots. Thank you very much! The age of the SSL certificates was no issue in my case.
I have done some reading regarding StartTLS and, to my understanding, it seems necessary to have the option to switch it off. I have yet to test the different combinations with or without TLS/SSL activated. I shall get back with results but not before a week.
Cheers!
sm

Stefan Müller

Feb 15, 2021, 10:27:52 AM
to Alt-F
I did the tests plus some more digging. I turned TLS and StartTLS on or off in combination with the available ports. As far as I can tell, it is mandatory to have TLS on for msmtp to work with password authentication. Otherwise it would complain about "cannot use a secure authentication method". Having TLS on, it seems mandatory to control StartTLS according to the settings of the mail server. This is summarized in an entry on the msmtp mailing list: https://marlam.de/msmtp/old-mailinglist/msg00939.html

Thus it is necessary to modify '/etc/msmtprc' according to João's recipe above. As this possibly affects anybody using e-mail, I would suggest to have a respective tick-box added to Alt-F.

Cheers!
sm

João Cardoso

Feb 15, 2021, 1:24:37 PM
to Alt-F
On Monday, February 15, 2021 at 3:27:52 PM UTC Stefan Müller wrote:
> I did the tests plus some more digging. I turned TLS and StartTLS on or off in combination with the available ports. As far as I can tell, it is mandatory to have TLS on for msmtp to work with password authentication. Otherwise it would complain about "cannot use a secure authentication method". Having TLS on, it seems mandatory to control StartTLS according to the settings of the mail server. This is summarized in an entry on the msmtp mailing list: https://marlam.de/msmtp/old-mailinglist/msg00939.html
>
> Thus it is necessary to modify '/etc/msmtprc' according to João's recipe above. As this possibly affects anybody using e-mail, I would suggest to have a respective tick-box added to Alt-F.

Thanks for digging it out. I have added a startTLS checkbox aside the TLS one, so you can explicitly disable startTLS.
By default startTLS is enabled in msmtp (even when not set) and its setting only applies when TLS is enabled.

Thanks
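
The TLS / StartTLS / port combinations discussed in the posts above, as an added example that is not part of the thread or of Alt-F: a shell check for a single-account /etc/msmtprc that reports which TLS mode the file selects and whether it fits the port. It assumes the usual port convention (465 for TLS from the first byte, 25 and 587 for STARTTLS) and the msmtp defaults described above; `check_msmtprc`, `demo` and mail.example.org are names made up for the illustration.

```sh
#!/bin/sh
# Added example: classify the TLS mode of a single-account msmtprc and flag a
# tls_starttls/port pairing that contradicts the usual port convention.
# Assumption: 465 = TLS from the first byte, 25 and 587 = STARTTLS.

check_msmtprc() {
    awk '
        /^[ \t]*(#|$)/ { next }        # skip comments and blank lines
        { cfg[$1] = $2 }               # "keyword value"; the last one wins
        END {
            tls      = (cfg["tls"] == "on")
            starttls = (cfg["tls_starttls"] != "off")   # msmtp default: on
            port     = cfg["port"]
            # msmtp default port: 465 for TLS without STARTTLS, otherwise 25
            if (port == "") port = (tls && !starttls) ? 465 : 25
            mode = tls ? (starttls ? "starttls" : "implicit-tls") : "plaintext"

            if (!tls) {
                print mode " port=" port " WARN: session is not encrypted"
                exit 1
            }
            if (starttls && port == 465) {
                print mode " port=" port " MISMATCH: set tls_starttls off"
                exit 1
            }
            if (!starttls && (port == 25 || port == 587)) {
                print mode " port=" port " MISMATCH: set tls_starttls on"
                exit 1
            }
            print mode " port=" port " OK"
        }
    ' "$1"
}

# Constructed sample files; mail.example.org is a placeholder host.
demo() {
    d=$(mktemp -d) || return 1
    printf 'host mail.example.org\nport 465\ntls on\nauth on\n' > "$d/a"
    printf 'host mail.example.org\nport 465\ntls on\ntls_starttls off\n' > "$d/b"
    printf 'host mail.example.org\nport 587\ntls on\n#tls_starttls off\n' > "$d/c"
    for f in a b c; do check_msmtprc "$d/$f" || true; done
    rm -rf "$d"
}
demo
```

With "tls on", setting "tls_starttls off" does not turn encryption off: it makes msmtp start TLS immediately on connect instead of upgrading a plain session, which is what a server on port 465 expects.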

Stefan Müller

Apr 3, 2021, 4:44:35 AM
to Alt-F
Thanks for considering my request! Is my understanding correct that you have it added in your pre-release but it is not published yet?

Sorry for this late response! Somehow the postings do not get notified about this forum anymore.

João Cardoso

Apr 3, 2021, 1:08:37 PM
to Alt-F
On Saturday, April 3, 2021 at 9:44:35 AM UTC+1 Stefan Müller wrote:
> Thanks for considering my request! Is my understanding correct that you have it added in your pre-release but it is not published yet?

Yes. But I'm not sure if a proper new release will ever be made. I am, however, considering doing at most a snapshot release in its current state.

> Sorry for this late response! Somehow the postings do not get notified about this forum anymore.

Might be, Google has demoted Google Groups from a newsgroup into a public mailing list. You might have to subscribe.

Jérémy Hauray

Aug 31, 2025, 5:15:33 AM
to Alt-F
Hello,

First of all, congratulations to the Alt-F team and thank you for your work. You have given my DNS-323 a second life. And it is always working today. Even if I know we reached some NAS technical limits (flash memory, CPU), incompatible with modern ciphers.

After changing email server, I encountered an issue similar to Stefan's: E-mail send error. It seems that STARTTLS has to be disabled.

I am interested in the UI fix described in previous messages. Can you tell me where I can find the fix?

Thank you in advance.

Best regards,

Jérémy
