0

I am a novice with Postfix. My goal is to use it with FAN/Nagios/Centreon in order to receive notifications. I have tried many solutions found on this forum or thanks to Google, but they didn't resolve my problem.

My server is based on CentOS release 5.11 (FAN v2.4 / )

I always have the same problem when I try to send a mail from my server: "Must issue a STARTTLS command first"

My logs:

    ==> /var/log/maillog <==
    Mar 16 12:45:16 myserver postfix/cleanup[24666]: 38E4E26ECAB: message-id=<20160316114516.38E4E26ECAB@myserver.localdomain>
    Mar 16 12:45:16 myserver postfix/qmgr[24052]: 38E4E26ECAB: from=<nagios@myserver.localdomain>, size=602, nrcpt=1 (queue active)
    Mar 16 12:45:16 myserver postfix/smtpd[24317]: connect from myserver[127.0.0.1]
    Mar 16 12:45:16 myserver postfix/smtpd[24317]: 3DF4926ECA9: client=myserver[127.0.0.1]
    Mar 16 12:45:16 myserver postfix/cleanup[24319]: 3DF4926ECA9: message-id=<20160316114516.3DF4926ECA9@myserver.localdomain>
    Mar 16 12:45:16 myserver postfix/qmgr[24052]: 3DF4926ECA9: from=<nagios@localhost.localdomain>, size=1355, nrcpt=1 (queue active)
    Mar 16 12:45:16 myserver postfix/smtpd[24317]: disconnect from myserver[127.0.0.1]
    Mar 16 12:45:16 myserver postfix/pickup[24051]: 4BA7026ECAD: uid=100 from=<nagios>
    Mar 16 12:45:16 myserver postfix/cleanup[24186]: 4BA7026ECAD: message-id=<20160316114516.4BA7026ECAD@myserver.localdomain>
    Mar 16 12:45:16 myserver postfix/qmgr[24052]: 4BA7026ECAD: from=<nagios@myserver.localdomain>, size=528, nrcpt=1 (queue active)
    Mar 16 12:45:16 myserver postfix/smtp[24335]: F237226ECA3: to=<my.email@outlook.com>, relay=smtp-mail.outlook.com[65.55.176.126]:587, delay=0.54, delays=0.02/0/0.39/0.13, dsn=5.7.0, status=bounced (host smtp-mail.outlook.com[65.55.176.126] said: 530 5.7.0 Must issue a STARTTLS command first (in reply to MAIL FROM command))
    Mar 16 12:45:16 myserver postfix/smtp[24662]: D5B4226EC9F: to=<my.email@outlook.com>, relay=smtp-mail.outlook.com[65.55.176.126]:587, delay=0.65, delays=0.07/0/0.45/0.13, dsn=5.7.0, status=bounced (host smtp-mail.outlook.com[65.55.176.126] said: 530 5.7.0 Must issue a STARTTLS command first (in reply to MAIL FROM command))
    Mar 16 12:45:16 myserver postfix/smtp[24399]: 0377526ECA1: to=<my.email@outlook.com>, relay=smtp-mail.outlook.com[65.55.176.126]:587, delay=0.57, delays=0.04/0/0.39/0.13, dsn=5.7.0, status=bounced (host smtp-mail.outlook.com[65.55.176.126] said: 530 5.7.0 Must issue a STARTTLS command first (in reply to MAIL FROM command))
    Mar 16 12:45:16 myserver postfix/cleanup[24666]: AC06326ECB0: message-id=<20160316114516.AC06326ECB0@myserver.localdomain>
    Mar 16 12:45:16 myserver postfix/cleanup[24186]: AC18526ECB1: message-id=<20160316114516.AC18526ECB1@myserver.localdomain>

My main.cf (nano /etc/postfix/main.cf):

    inet_interfaces = localhost

    mydestination = $myhostname, localhost.$mydomain, localhost

    unknown_local_recipient_reject_code = 550

    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases

    data_directory = /var/lib/postfix

    ###Outlook SSL SMTP RELAY
    relayhost = [smtp-mail.outlook.com]:587

    #authentication
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

    #tls
    smtp_use_tls = yes
    smtp_sasl_security_options = noanonymous
    smtp_sasl_tls_security_options = noanonymous
    smtp_tls_note_starttls_offer = yes
    tls_random_source = dev:/dev/urandom
    smtp_tls_scert_verifydepth = 5
    smtp_tls_key_file=/etc/pki/tls/outlook_relay/server.key
    smtp_tls_cert_file=/etc/pki/tls/outlook_relay/server.pem
    smtpd_tls_ask_ccert = yes
    smtpd_tls_req_ccert = no
    smtp_tls_enforce_peername = no

My certificates:

    # pwd
    /etc/pki/tls/outlook_relay

    # ll
    total 12
    -rw-r--r-- 1 root root  769 mars 16 12:11 server.csr
    -rw-r--r-- 1 root root  887 mars 16 12:10 server.key
    -rw-r--r-- 1 root root 3269 mars 16 12:12 server.pm
ALex_hha
ayelis
    It is good practice to post the output of 'postconf -n' and not to post the whole main.cf (including comments). When you post a maillog, you should "cut" only the related part of the log. For example 'grep 3DF4926ECA9 /var/log/mail.log' – ALex_hha Mar 16 '16 at 12:58

2 Answers

1

Add the following options to main.cf and restart Postfix:

    smtp_tls_security_level = secure
    smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtp_tls_mandatory_ciphers = high
ALex_hha
0

I added:

    ...
    ...
    relayhost = [smtp-mail.outlook.com]:587

    #authentification
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

    #tls
    smtp_use_tls = yes
    smtp_sasl_security_options = noanonymous
    smtp_sasl_tls_security_options = noanonymous
    smtp_tls_note_starttls_offer = yes
    tls_random_source = dev:/dev/urandom
    smtp_tls_scert_verifydepth = 5
    smtp_tls_key_file=/etc/pki/tls/outlook_relay/server.key
    smtp_tls_cert_file=/etc/pki/tls/outlook_relay/server.pem
    smtpd_tls_ask_ccert = yes
    smtpd_tls_req_ccert = no
    smtp_tls_enforce_peername = no

    smtp_tls_security_level = secure
    smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtp_tls_mandatory_ciphers = high

And restarted Postfix.

The result:

    ==> /var/log/maillog <==
    Mar 16 14:15:45 myserver postfix/qmgr[23272]: 7F27D26ECA1: from=<root@myserver.localdomain>, size=348, nrcpt=1 (queue active)
    Mar 16 14:15:45 myserver postfix/tlsmgr[23279]: warning: request to update file /etc/postfix/prng_exch in non-postfix directory /etc/postfix
    Mar 16 14:15:45 myserver postfix/tlsmgr[23279]: warning: redirecting the request to postfix-owned data_directory /var/lib/postfix
    Mar 16 14:15:45 myserver postfix/smtp[23278]: warning: cannot get certificate from file /etc/pki/tls/outlook_relay/server.pem
    Mar 16 14:15:45 myserver postfix/smtp[23278]: warning: TLS library problem: 23278:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/etc/pki/tls/outlook_relay/server.pem','r'):
    Mar 16 14:15:45 myserver postfix/smtp[23278]: warning: TLS library problem: 23278:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
    Mar 16 14:15:45 myserver postfix/smtp[23278]: warning: TLS library problem: 23278:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:ssl_rsa.c:720:
    Mar 16 14:15:45 myserver postfix/smtp[23278]: cannot load RSA certificate and key data
    Mar 16 14:15:45 myserver postfix/smtp[23278]: warning: unknown smtp_tls_mandatory_protocols value "!SSLv2" in "!SSLv2, !SSLv3"
    Mar 16 14:15:45 myserver postfix/smtp[23278]: 7F27D26ECA1: to=<my.email@outlook.com>, relay=smtp-mail.outlook.com[65.55.176.126]:587, delay=0.44, delays=0.03/0.01/0.39/0, dsn=4.7.5, status=deferred (TLS is required, but our TLS engine is unavailable)

It doesn't work.

But I found the problem: I renamed server.pm to server.pem and now it works ;-)

ayelis
    If you just want to use outlook.com as a relayhost - there is no need to specify any certificate/key. – ALex_hha Mar 16 '16 at 14:39
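
The two kinds of failure line quoted in this thread can be tied back to what the same smtp process logged just before them. The following is an added example, not code from any of the posts; the log sample is abridged from the excerpts above, and the function and verdict names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: lines abridged from the maillog excerpts quoted on this page.
SAMPLE_LOG = """\
Mar 16 14:15:45 myserver postfix/smtp[23278]: warning: cannot get certificate from file /etc/pki/tls/outlook_relay/server.pem
Mar 16 14:15:45 myserver postfix/smtp[23278]: cannot load RSA certificate and key data
Mar 16 14:15:45 myserver postfix/smtp[23278]: warning: unknown smtp_tls_mandatory_protocols value "!SSLv2" in "!SSLv2, !SSLv3"
Mar 16 14:15:45 myserver postfix/smtp[23278]: 7F27D26ECA1: to=<my.email@outlook.com>, relay=smtp-mail.outlook.com[65.55.176.126]:587, delay=0.44, dsn=4.7.5, status=deferred (TLS is required, but our TLS engine is unavailable)
Mar 16 12:45:16 myserver postfix/smtp[24335]: F237226ECA3: to=<my.email@outlook.com>, relay=smtp-mail.outlook.com[65.55.176.126]:587, delay=0.54, dsn=5.7.0, status=bounced (host smtp-mail.outlook.com[65.55.176.126] said: 530 5.7.0 Must issue a STARTTLS command first (in reply to MAIL FROM command))
"""

SMTP_LINE = re.compile(r"postfix/smtp\[(\d+)\]: (.*)$")   # client side only, not smtpd
DELIVERY = re.compile(r"^([0-9A-F]+): to=<[^>]*>.*?dsn=([\d.]+), status=(\w+) \((.*)\)$")
CERT_MISSING = re.compile(r"cannot get certificate from file (\S+)")

def classify(reason):
    """Map the delivery status text to a verdict (names are hypothetical)."""
    if "TLS engine is unavailable" in reason:
        return "tls_required_engine_unavailable"   # TLS was mandatory; mail deferred
    if "Must issue a STARTTLS" in reason:
        return "cleartext_rejected_by_relay"       # session was never upgraded to TLS
    return "other"

def triage(log_text):
    """One finding per failed delivery, with what the same smtp PID logged before it."""
    notes = defaultdict(list)          # pid -> non-delivery lines seen so far
    findings = []
    for line in log_text.splitlines():
        m = SMTP_LINE.search(line)
        if not m:
            continue
        pid, text = m.groups()
        d = DELIVERY.match(text)
        if d is None:                  # warning or other process-level message
            notes[pid].append(text)
            continue
        qid, dsn, status, reason = d.groups()
        if status == "sent":
            continue
        cert = next((c.group(1) for c in map(CERT_MISSING.search, notes[pid]) if c), None)
        findings.append({"queue_id": qid, "dsn": dsn, "status": status,
                         "verdict": classify(reason), "cert_file": cert,
                         "process_notes": list(notes[pid])})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["queue_id"], f["status"], f["verdict"], f["cert_file"] or "-")
```

On the sample, the deferred message is tied to the unreadable server.pem, while the bounced one has no preceding TLS warning in the excerpt.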