r0nmlt Posted October 13, 2019

I had a problem with my mail servers and thought this was solved but apparently isn't. I have a static IP, but using the static IP or tommy.heliohost.org as mail server still gives the same results. Anybody is using heliohost with pop/smtp settings?

I can retrieve mail on POP port 110 (unencrypted)
Secure incoming mail port 995 is refusing connection outright
even tried with putty and connection is terminated immediately

on the smtp side
port 25 and port 587 are open but are expecting an ssl connection to authenticate. "AUTH PLAIN" is not offered instead this is what is being offered:

    220-tommy.heliohost.org ESMTP Exim 4.92 #2 Sun, 13 Oct 2019 09:05:33 +0000
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
    EHLO RonLaptop
    250-tommy.heliohost.org Hello RonLaptop [37.75.41.193]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-STARTTLS
    250 HELP
    421 tommy.heliohost.org lost input connection

Trying via putty to use the AUTH command results in:
"503 AUTH command used when not advertised"

Using SSL on port 587 leads to:

    220-tommy.heliohost.org ESMTP Exim 4.92 #2 Sun, 13 Oct 2019 09:06:42 +0000
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
    EHLO RonLaptop
    250-tommy.heliohost.org Hello RonLaptop [37.75.41.193]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-STARTTLS
    250 HELP
    STARTTLS
    220 TLS go ahead
    00000000 16 03 01 00 7E 01 00 00 7A 03 01 5D A2 E9 24 57 ....~... z..]..$W
    00000010 DF A7 48 4A 3D 8E 20 61 10 D6 30 76 69 DF A4 C6 ..HJ=. a ..0vi...
    00000020 29 E4 E8 F8 4A F8 A1 32 FA 1C A8 00 00 1C C0 14 )...J..2 ........
    00000030 C0 13 00 39 00 33 00 35 00 2F C0 0A C0 09 00 38 ...9.3.5 ./.....8
    00000040 00 32 00 0A 00 13 00 05 00 04 01 00 00 35 00 00 .2...... .....5..
    00000050 00 18 00 16 00 00 13 74 6F 6D 6D 79 2E 68 65 6C .......t ommy.hel
    00000060 69 6F 68 6F 73 74 2E 6F 72 67 00 0A 00 06 00 04 iohost.o rg......
    00000070 00 17 00 18 00 0B 00 02 01 00 00 17 00 00 FF 01 ........ ........
    00000080 00 01 00 ...
    554 Security failure
    554 Security failure
    554 Security failure

Trying to SMTP via port 465 which is the ssl port refuses connection outright.

The settings being suggested on cpanel are:

Any ideas why this is happening?

Flaze Posted October 13, 2019

This support request is being escalated to our root admin.

Sn1F3rt Posted October 13, 2019

I'm using the Tommy IMAP and SMTP on a remote email client. Works perfectly well for me. Dunno about the POP thing.

wolstech Posted October 13, 2019

AUTH PLAIN should now be offered again. The newer cPanel versions turn on the require ssl for smtp option by default (google shows that versions before 71 had this off by default, old tommy had 66...)

I don't recommend using it for obvious reasons though. It's a security issue, and to be honest, I'd actually prefer to have the require ssl enabled.

I have no idea why STARTTLS doesn't work for you. What are you using for a mail client?

    220-tommy.heliohost.org ESMTP Exim 4.92 #2 Sun, 13 Oct 2019 13:10:39 +0000
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
    EHLO nickcomp
    250-tommy.heliohost.org Hello c-69-139-94-22.hsd1.pa.comcast.net [69.139.94.22]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250-HELP

r0nmlt (Author) Posted October 14, 2019 (edited)

I am using Outlook 2007. Even though this is a relic, the SMTP protocol is way older and shouldn't be an issue.

@wolstech Thanks. Through your intervention now SMTP AUTH plain works on port 587 and mail is being sent this way. As you have pointed out this is not the ideal solution but at least for me mail is now being sent out.

SSL is still not working. Port 465 is still refusing connection from my end on 2 different PCs at two different locations. Please can anybody sniff at their end if tommy is accepting connections to port 465?

Edited October 14, 2019 by r0nmlt

wolstech Posted October 14, 2019

If you're using Outlook, others have reported getting things working by selecting "Log onto incoming mail server first".

And no, port 465 does not accept connections for me either when I tried. Port 587 should support STARTTLS though. I have no idea why that gives a 554 when you used it in your original post.

r0nmlt (Author) Posted October 14, 2019

@wolstech I had reported that "Log onto incoming mail server first". It only works sporadically.

Good to know that 465 doesn't work for others. I will give the 554 Security Failure a search and see what others (outside heliohost) might have said.

r0nmlt (Author) Posted October 15, 2019 (edited)

Whilst delving into this issue I realised that if you set your Outlook encryption settings to AUTO as per hereunder:

Outlook will try using STARTTLS. In my case this will fail as described in post #1, then it will revert to AUTH PLAIN and will send the mail. So whilst you are thinking that your outgoing mail is being sent encrypted, it actually is being sent as plain text.

The way to enforce this is to set your encrypted connection to TLS. In my case this will fail to send the emails as I still have an issue with sending using STARTTLS.

Edited October 15, 2019 by r0nmlt

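The fallback described in the post above, modelled as an added example (not part of the thread and not Outlook's actual code). It parses the two EHLO replies quoted earlier in the thread and shows what an opportunistic ("Auto") client and a TLS-required client do when the STARTTLS handshake fails; `parse_ehlo` and `client_next_step` are hypothetical names, and the model ignores the reconnect a real client performs after the server drops the session.

```python
# EHLO replies copied from the thread: the first post (AUTH hidden until TLS)
# and wolstech's reply (AUTH re-enabled on the unencrypted session).
EHLO_BEFORE = """\
250-tommy.heliohost.org Hello RonLaptop [37.75.41.193]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP"""
EHLO_AFTER = """\
250-tommy.heliohost.org Hello c-69-139-94-22.hsd1.pa.comcast.net [69.139.94.22]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250-HELP"""


def parse_ehlo(reply):
    """Return {KEYWORD: [params]} for each capability line of a 250 reply."""
    caps = {}
    for line in reply.splitlines()[1:]:          # line 1 is the greeting
        if line[:3] != "250" or line[3:4] not in ("-", " "):
            continue
        words = line[4:].split()
        if words:
            caps[words[0].upper()] = [w.upper() for w in words[1:]]
    return caps


def client_next_step(caps, handshake_ok, require_tls):
    """Hypothetical model of a submission client on an unencrypted session.

    handshake_ok: did the TLS handshake after STARTTLS succeed?
    require_tls:  True models Outlook's "TLS" setting, False models "Auto".
    """
    if "STARTTLS" in caps and handshake_ok:
        return "AUTH over TLS"
    if require_tls:
        return "abort: no TLS, nothing sent"
    if "AUTH" in caps:
        return "AUTH in cleartext"               # the silent downgrade
    return "abort: server offers no AUTH without TLS"
```

With the server hiding AUTH until TLS is up (the first reply), even an "Auto" client cannot leak credentials; once AUTH is advertised in the clear, only the client-side TLS requirement prevents the downgrade.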
wolstech Posted October 15, 2019

Try it now. I turned the legacy TLS v1 and TLS v1.1 support back on for exim.

Outlook 2007 (actually, anything before Outlook 2016) is too old to support TLS v1.2, which is what all cPanel versions after mid-2018 use by default. As a result, the proper fix here is actually to get a mail client that's not 12 years old.

Once we know that this is the issue, please update your mail client and verify mail is sending securely so I can turn these off again. I don't want to leave these options (especially TLS v1.0 and AUTH PLAIN) enabled, they're security risks.

r0nmlt (Author) Posted October 16, 2019

Yes, now it works. And it shows it is using TLS v1.0 from the initial handshake of TLS 16 03 01.

Ok, please turn them back off and I will sort my mail client out or update. Now we know that this started happening after the update because cPanel upped the security measures and turned off by default the old protocols AUTH PLAIN and TLS v1.0.

Thanks for your co-operation.

r0nmlt (Author) Posted October 16, 2019 (edited)

For anybody who is still using Outlook 2007 on Windows 7 or other old mail clients which by default resort to TLS v1.0, there is a way to force Outlook 2007 to use TLS v1.2. I followed this article and got mine to work.

https://blogs.technet.microsoft.com/schrimsher/2016/07/08/enabling-tls-1-1-and-1-2-in-outlook-on-windows-7/

Just in case in the future this page is no longer accessible these are the steps to follow:

Install KB3140245 from Microsoft update.

Create a DWORD value called DefaultSecureProtocols in both of the following locations and set its value to 0xA80

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

Create the following DWORDS in the locations shown:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
        DWORD: Enabled Setting: 0
        DWORD: DisabledByDefault Setting: 1

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
        DWORD: Enabled Setting: 1
        DWORD: DisabledByDefault Setting: 0

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
        DWORD: Enabled Setting: 1
        DWORD: DisabledByDefault Setting: 0

Reboot and you are good to go. Sniffing your connection should report 16 03 03 when handshaking TLS.

Edited October 16, 2019 by r0nmlt

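An added example (not part of the thread) that decodes the ClientHello from the hex dump in the first post, for anyone checking a capture the way the posts above do. It goes a little beyond reading the first three bytes: RFC 5246 lets a client put a lower version in the record header of a ClientHello than the version it actually offers, so the parser reports the record-layer version and the highest offered version separately. `parse_client_hello` is a hypothetical name.

```python
import struct

# ClientHello copied from the hex dump in the first post (131 bytes).
CLIENT_HELLO_HEX = """
16 03 01 00 7E 01 00 00 7A 03 01 5D A2 E9 24 57
DF A7 48 4A 3D 8E 20 61 10 D6 30 76 69 DF A4 C6
29 E4 E8 F8 4A F8 A1 32 FA 1C A8 00 00 1C C0 14
C0 13 00 39 00 33 00 35 00 2F C0 0A C0 09 00 38
00 32 00 0A 00 13 00 05 00 04 01 00 00 35 00 00
00 18 00 16 00 00 13 74 6F 6D 6D 79 2E 68 65 6C
69 6F 68 6F 73 74 2E 6F 72 67 00 0A 00 06 00 04
00 17 00 18 00 0B 00 02 01 00 00 17 00 00 FF 01
00 01 00
"""
NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
         (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}


def parse_client_hello(data):
    """Summarise one TLS record that carries a complete ClientHello."""
    try:
        ctype, rmaj, rmin, rlen = struct.unpack("!BBBH", data[:5])
        body = data[5:5 + rlen]
        if ctype != 0x16 or len(body) != rlen or body[0] != 0x01:
            raise ValueError("not a complete ClientHello record")
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        offered = [(hello[0], hello[1])]          # legacy client_version
        pos = 2 + 32                              # skip version and random
        pos += 1 + hello[pos]                     # session_id
        n = int.from_bytes(hello[pos:pos + 2], "big")
        suites = [hello[i:i + 2].hex() for i in range(pos + 2, pos + 2 + n, 2)]
        pos += 2 + n
        pos += 1 + hello[pos]                     # compression methods
        sni, end = None, pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= min(end, len(hello)):
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            ext = hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0x0000:                   # server_name
                sni = ext[5:5 + int.from_bytes(ext[3:5], "big")].decode("ascii")
            elif etype == 0x002B:                 # supported_versions
                offered += [(ext[i], ext[i + 1]) for i in range(1, 1 + ext[0], 2)]
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc
    best = max(v for v in offered if v in NAMES)
    return {"record_version": NAMES.get((rmaj, rmin)), "highest_offered": NAMES[best],
            "cipher_suites": suites, "sni": sni}
```

Call it as `parse_client_hello(bytes.fromhex(CLIENT_HELLO_HEX))`; for the capture in the first post both fields come back as TLS 1.0, which is why a server limited to TLS 1.2 rejected the handshake.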
wolstech Posted October 16, 2019

Support for AUTH PLAIN and TLS v1.0/1.1 has been turned back off.

Please let me know if you need anything else.

r0nmlt (Author) Posted October 17, 2019

No, all is fine. Took me a while to figure out why it wasn't working and before it was. But in the end it got solved and now using a better encryption method.

Thanks for all your time guys.