Posted

I had a problem with my mail servers and thought this was solved, but apparently it isn't.

 

I have a static IP, but using the static IP or tommy.heliohost.org as mail server still gives the same results.

 

Is anybody using heliohost with pop/smtp settings?

 

I can retrieve mail on POP port 110 (unencrypted).
Secure incoming mail port 995 is refusing connection outright.
I even tried with putty and the connection is terminated immediately.

 

On the SMTP side:
Port 25 and port 587 are open but are expecting an SSL connection to authenticate. "AUTH PLAIN" is not offered; instead, this is what is being offered:

 

220-tommy.heliohost.org ESMTP Exim 4.92 #2 Sun, 13 Oct 2019 09:05:33 +0000
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.

 

EHLO RonLaptop

 

250-tommy.heliohost.org Hello RonLaptop [37.75.41.193]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP
421 tommy.heliohost.org lost input connection

 

Trying via putty to use the AUTH command results in:

"503 AUTH command used when not advertised"
 

Using SSL on port 587 leads to:

 

220-tommy.heliohost.org ESMTP Exim 4.92 #2 Sun, 13 Oct 2019 09:06:42 +0000
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.

 

EHLO RonLaptop

 

250-tommy.heliohost.org Hello RonLaptop [37.75.41.193]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP

 

STARTTLS

 

220 TLS go ahead

00000000  16 03 01 00 7E 01 00 00  7A 03 01 5D A2 E9 24 57   ....~... z..]..$W
00000010  DF A7 48 4A 3D 8E 20 61  10 D6 30 76 69 DF A4 C6   ..HJ=. a ..0vi...
00000020  29 E4 E8 F8 4A F8 A1 32  FA 1C A8 00 00 1C C0 14   )...J..2 ........
00000030  C0 13 00 39 00 33 00 35  00 2F C0 0A C0 09 00 38   ...9.3.5 ./.....8
00000040  00 32 00 0A 00 13 00 05  00 04 01 00 00 35 00 00   .2...... .....5..
00000050  00 18 00 16 00 00 13 74  6F 6D 6D 79 2E 68 65 6C   .......t ommy.hel
00000060  69 6F 68 6F 73 74 2E 6F  72 67 00 0A 00 06 00 04   iohost.o rg......
00000070  00 17 00 18 00 0B 00 02  01 00 00 17 00 00 FF 01   ........ ........
00000080  00 01 00                                           ...

 

554 Security failure
554 Security failure
554 Security failure

 

 

Trying to SMTP via port 465 which is the ssl port refuses connection outright.

 

The settings being suggested on cpanel are:

 

 

Any ideas why this is happening?

Posted

AUTH PLAIN should now be offered again. The newer cpanel versions turn on the require ssl for smtp option by default (google shows that versions before 71 had this off by default, old tommy had 66...)

 

I don't recommend using it for obvious reasons though. It's a security issue, and to be honest, I'd actually prefer to have the require ssl enabled.

 

I have no idea why STARTTLS doesn't work for you. What are you using for a mail client?

 

220-tommy.heliohost.org ESMTP Exim 4.92 #2 Sun, 13 Oct 2019 13:10:39 +0000
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.

EHLO nickcomp
250-tommy.heliohost.org Hello c-69-139-94-22.hsd1.pa.comcast.net [69.139.94.22]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250-HELP
Posted (edited)

I am using Outlook 2007. Even though this is a relic, the SMTP protocol is way older and shouldn't be an issue.

 

@wolstech Thanks.  Through your intervention now SMTP AUTH plain works on port 587 and mail is being sent this way.  As you have pointed out this is not the ideal solution but at least for me mail is now being sent out.

 

SSL is still not working. Port 465 is still refusing connection from my end on 2 different PCs at two different locations. Please, can anybody sniff at their end whether tommy is accepting connections to port 465?

Edited by r0nmlt
Posted

If you're using outlook, others have reported getting things working by selecting "Log onto incoming mail server first".

 

And no, port 465 does not accept connections for me either when I tried. Port 587 should support STARTTLS though. I have no idea why that gives a 554 when you used it in your original post.

Posted

@wolstech I had reported that "Log onto incoming mail server first".  It only works sporadically.  Good to know that 465 doesn't work for others.  I will give the 554 Security Failure a search and see what others (outside heliohost) might have said.

Posted (edited)

Whilst delving into this issue I realised that if you set your outlook encryption settings to AUTO as per hereunder:

 

2.jpg

 

Outlook will try using STARTTLS.  In my case this will fail as described in post #1, then it will revert to AUTH PLAIN and will send the mail.

 

So whilst you are thinking that your outgoing mail is being sent encrypted, it actually is being sent as plain text.

 

The way to enforce this is to set your encrypted connection to TLS.  In my case this will fail to send the emails as I still have an issue with sending using STARTTLS.

Edited by r0nmlt
Posted

Try it now. I turned the legacy TLS v1 and TLS v1.1 support back on for exim. Outlook 2007 (actually, anything before Outlook 2016) is too old to support TLS v1.2, which is what all cPanel versions after mid-2018 use by default.

 

As a result, the proper fix here is actually to get a mail client that's not 12 years old.

 

Once we know that this is the issue, please update your mail client and verify mail is sending securely so I can turn these off again. I don't want to leave these options (especially TLS v1.0 and AUTH PLAIN) enabled, they're security risks.

Posted

Yes now it works.  And it shows it is using TLS v1.0 from the initial handshake of TLS 16 03 01.  

 

Ok please turn them back off and I will sort my mail client out or update. 

 

Now we know that this started happening after the update because cPanel upped the security measures and turned off by default the old protocols AUTH PLAIN and TLS v1.0.

 

Thanks for your co-operation.

Posted (edited)

For anybody who is still using Outlook 2007 on Windows 7 or other old mail clients which by default resort to TLS v1.0, there is a way to force Outlook 2007 to use TLS v1.2.

 

I followed this article and got mine to work.

 

https://blogs.technet.microsoft.com/schrimsher/2016/07/08/enabling-tls-1-1-and-1-2-in-outlook-on-windows-7/

 

Just in case in the future this page is no longer accessible these are the steps to follow:

 

Install KB3140245 from Microsoft update.

 

Create a DWORD value called DefaultSecureProtocols in both of the following locations and set its value to 0xA80

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

 

Create the following DWORDS in the locations shown:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client

DWORD: Enabled            Setting: 0
DWORD: DisabledByDefault  Setting: 1

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client

DWORD: Enabled            Setting: 1
DWORD: DisabledByDefault  Setting: 0

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client

DWORD: Enabled            Setting: 1
DWORD: DisabledByDefault  Setting: 0

 

Reboot and you are good to go.  Sniffing your connection should report 16 03 03 when handshaking TLS.

Edited by r0nmlt
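
An added example, not part of the original posts: a Python parser run over the ClientHello bytes from the hex dump in the first post. It reports the record-layer version (the `16 03 01` / `16 03 03` prefix discussed above) separately from the version the client actually offers, because a client may keep `03 01` at the record layer for compatibility while offering more in `client_version` or the `supported_versions` extension. The function and field names are this example's own.

```python
# ClientHello bytes copied from the hex dump in the first post (ASCII column dropped).
DUMP = """16 03 01 00 7E 01 00 00 7A 03 01 5D A2 E9 24 57 DF A7 48 4A 3D 8E 20 61 10 D6 30 76 69 DF A4 C6
29 E4 E8 F8 4A F8 A1 32 FA 1C A8 00 00 1C C0 14 C0 13 00 39 00 33 00 35 00 2F C0 0A C0 09 00 38
00 32 00 0A 00 13 00 05 00 04 01 00 00 35 00 00 00 18 00 16 00 00 13 74 6F 6D 6D 79 2E 68 65 6C
69 6F 68 6F 73 74 2E 6F 72 67 00 0A 00 06 00 04 00 17 00 18 00 0B 00 02 01 00 00 17 00 00 FF 01
00 01 00"""
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def parse_client_hello(raw: bytes) -> dict:
    """Parse a TLS record that begins with a ClientHello; ValueError otherwise."""
    if len(raw) < 9 or raw[0] != 0x16 or raw[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    record_version = int.from_bytes(raw[1:3], "big")
    body, pos = raw[9:9 + int.from_bytes(raw[6:9], "big")], 0
    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated ClientHello")
        pos += n
        return body[pos - n:pos]
    def num(n: int) -> int:          # n-byte big-endian integer
        return int.from_bytes(take(n), "big")
    client_version = num(2)
    take(32)                         # random
    take(num(1))                     # session_id
    raw_suites = take(num(2))
    suites = [int.from_bytes(raw_suites[i:i + 2], "big") for i in range(0, len(raw_suites), 2)]
    take(num(1))                     # compression_methods
    exts = {}
    if pos < len(body):              # the extensions block is optional
        ext_len = num(2)
        end = pos + ext_len
        while pos < end:
            etype = num(2)
            exts[etype] = take(num(2))
    sni = exts.get(0x0000, b"")      # server_name: list len, type, name len, name
    host = sni[5:5 + int.from_bytes(sni[3:5], "big")].decode("ascii", "replace") or None
    sv = exts.get(0x002B, b"")       # supported_versions, sent by TLS 1.3 clients
    offered = [int.from_bytes(sv[i:i + 2], "big") for i in range(1, len(sv) - 1, 2)]
    top = max([v for v in offered if v in VERSIONS] or [client_version])
    return {"record_version": VERSIONS.get(record_version, hex(record_version)),
            "max_offered": VERSIONS.get(top, hex(top)), "meets_tls12": top >= 0x0303,
            "cipher_suites": suites, "sni": host}

def parse_dump(text: str) -> dict:
    return parse_client_hello(bytes.fromhex("".join(text.split())))

if __name__ == "__main__":
    print(parse_dump(DUMP))
```

On the capture from the first post this reports TLS 1.0 as the highest version offered, 14 cipher suites and the SNI `tommy.heliohost.org`.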
Posted

No, all is fine. Took me a while to figure out why it wasn't working when before it was. But in the end it got solved and I am now using a better encryption method. Thanks for all your time guys.
