    SMTP STARTTLS not advertised on port 25

      ASM_COPE

      Hi,

      We've got a set of servers in LAN offering public services via NAT using a combination of Virtual IP + 1:1 and Port Forwarding rules.
      I've got a small alias list of email-relevant ports for 25, 993 and 587, using that alias in the Port Forwarding rule to redirect from WAN address to our internal email server.

      Using telnet from an external source (emulating another SMTP server) to port 25 doesn't offer the STARTTLS option, whereas the same test when connected to port 587 does.

      The port 25 session:

      [alec@quietmonster ~]$ telnet zimbra1.copeohs.com 25
      Trying 91.151.8.53...
      Connected to zimbra1.copeohs.com.
      Escape character is '^]'.
      220 zimbra1.copeohs.com ESMTP Postfix
      ehlo PWS3.mxtoolbox.com
      250-zimbra1.copeohs.com
      250-SIZE 47185920
      250-VRFY
      250 DSN
      quit
      221 2.0.0 Bye
      Connection closed by foreign host.

      The port 587 session:

      [alec@quietmonster ~]$ telnet zimbra1.copeohs.com 587
      Trying 91.151.8.53...
      Connected to zimbra1.copeohs.com.
      Escape character is '^]'.
      220 zimbra1.copeohs.com ESMTP Postfix
      ehlo PWS3.mxtoolbox.com
      250-zimbra1.copeohs.com
      250-PIPELINING
      250-SIZE 47185920
      250-VRFY
      250-ETRN
      250-STARTTLS
      250-ENHANCEDSTATUSCODES
      250-8BITMIME
      250 DSN
      quit
      221 2.0.0 Bye
      Connection closed by foreign host.

      If I telnet to our server from a LAN IP to port 25, we see STARTTLS offered:

      220 zimbra1.copeohs.com ESMTP Postfix
      EHLO PWS3.mxtoolbox.com
      250-zimbra1.copeohs.com
      250-PIPELINING
      250-SIZE 47185920
      250-VRFY
      250-ETRN
      250-STARTTLS
      250-ENHANCEDSTATUSCODES
      250-8BITMIME
      250 DSN

      Could this difference on port 25 be something to do with my pfSense NAT/rules configuration?

      System version updated to 2.4_release last week, but this issue was occurring on the previous 2.3 also.  Add-ons: We have OpenVPN client export, Snort and pfBlockerNG (PFB set to some limited GeoIP country blocking).

      I can provide further details on our particular rules/config if required.

      Thanks for any suggestions.

        ASM_COPE

        Finally sorted this problem.

        Just in case anyone else encounters a similar issue, for us it was our Untangle server, which in our config sits behind the pfSense system on the LAN side (Untangle using transparent bridge mode) that we use to add first-round anti-spam and anti-phishing protection.

        The anti-spam lite module has a control option under "Advanced SMTP settings" for enabling/disabling use of TLS, labelled as "Allow and ignore TLS sessions".  Ticking that option corrected the problem - we now see the expected STARTTLS option advertised on port 25 again.

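The symptom in the question (STARTTLS present on port 587 and on the LAN, absent on port 25 from outside) is exactly what an inline filter that strips the extension from the EHLO reply looks like. The following added script, not part of the thread or of any Netgate/Untangle tooling, parses the EHLO replies captured above and reports which extensions one path advertises that another does not, so a defender can spot a middlebox rewriting SMTP; the `live_starttls_check` helper and the `check.example` EHLO name are assumptions for running the same test against a real host.

```python
import smtplib

# Constructed samples: the EHLO replies quoted in the thread. Port 25 was
# reached through the firewall path, port 587 showed the server's full list.
# "250-" marks a continuation line, "250 " the final line (RFC 5321).
EHLO_PORT25 = """250-zimbra1.copeohs.com
250-SIZE 47185920
250-VRFY
250 DSN"""

EHLO_PORT587 = """250-zimbra1.copeohs.com
250-PIPELINING
250-SIZE 47185920
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""


def parse_ehlo(reply):
    """Return the set of extension keywords (upper-cased) from an EHLO reply.

    The first reply line carries the server's domain, not an extension, so it
    is skipped; every later line is "250-KEYWORD [params]" or "250 KEYWORD".
    """
    keywords = set()
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError("unexpected EHLO reply line: %r" % line)
        body = line[4:].strip()  # drop the "250-" / "250 " prefix
        if body:
            keywords.add(body.split()[0].upper())
    return keywords


def missing_extensions(reference, observed):
    """Extensions advertised on the reference path but not on the observed one."""
    return parse_ehlo(reference) - parse_ehlo(observed)


def live_starttls_check(host, port, helo="check.example", timeout=10.0):
    """Send EHLO to host:port and report whether STARTTLS is offered.
    Needs network access; the offline test below does not call it."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo(helo)
        return smtp.has_extn("starttls")
```

Run `live_starttls_check` against the same host on 25 and 587 from outside and from the LAN; a STARTTLS result that differs by path points at something in between the client and the mail server, not at the server itself.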
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.