SMTP Connection is not TLS encrypted. Recipient organization requires TLS

Question

My outbound SMTP service is getting back the following error trying to delivery an email to a specific recipient.

Response: 454 4.7.0 Connection is not TLS encrypted. Recipient organization requires TLS

I tried using Rebex.Net.SslMod.Explicit when calling the Connect, but that didn't work. I also had issues connecting to other servers. How should I be handling my connections in order to support servers that require TLS and those that don't?

Answer 1

I assume that the error response is part of a non-delivery notification email you are getting from your outbound SMTP service.

If that's the case, it means that the recipient's server is configured to only allow email submission over TLS-encrypted connections, but your outbound server is trying to submit it over an unencrypted connection.

Even though you are able to submit email for delivery to your outbound server using TLS, this does not affect the subsequent communication between the two SMTP servers that occurs independently of this. That process is outside SMTP client's control.

To fix the problem, you would either have to configure your outbound SMTP server to use TLS when possible, or convince the recipient's server maintainers to relax their security requirements.

Comments

No, I'm not getting an error response from my outbound SMTP service. My service IS my outbound SMTP server. I'm using the Rebex libraries to connect directly to the SMTP servers of the receipients. The error I get is during my connection to the SMTP server that is requiring TLS.

2018-02-06 16:31:51.316 INFO :[13] Response: 454 4.7.0 Connection is not TLS encrypted. Recipient organization requires TLS. [BN3NAM04FT046.eop-NAM04.prod.protection.outlook.com]
2018-02-06 16:31:51.316 INFO :[13] Command: RSET
2018-02-06 16:31:51.348 INFO :[13] Response: 250 2.0.0 Resetting
2018-02-06 16:31:51.348 ERROR :[13] Info: Rebex.Net.SmtpException: One or more recipients rejected. Call SmtpException.GetRejectedRecipients() to get a collection of rejected email addresses.
at Rebex.Net.Smtp.QAP(Boolean C, String[] R, EFO O, String I, Int64 D)
at Rebex.Net.Smtp.HAP(String C, String[] R, String O, Stream I, TransferEncoding D)
at Rebex.Net.Smtp.XJP(MimeMessage C, Stream R, MailAddress O, MailAddressCollection I)
at Rebex.Net.Smtp.IJP(MailMessage C, MailAddress R, MailAddressCollection O)

So what you refer to configuring my outbound SMTP server to use TLS when possible, is exactly what I'm asking. How should I be configuring and performing the SMTP Connect in order to support TLS.

---

Sorry, this was not clear from the original question. In this scenario, my answer does not apply. Could you please elaborate a bit on "I tried using Rebex.Net.SslMod.Explicit when calling the Connect, but that didn't work"?  Does that mean "It was able to establish an encrypted TLS connection, but this did not resolve the issue", or "It was unable to establish an encrypted TLS connection"?

---

If I try to connect, passing Rebex.Net.SslMode.Explicit for the security parameter in the Connect method of the Rebex.Net.Smtp class, I get a connection error.

A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
    Rebex.Net.SmtpException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. ---> Rebex.Net.ProxySocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 216.32.180.74:587

Their smtp server is not accepting connections on 587. So the error of requiring TLS, seems to occur after it connects on port 25, during the Send method.

I tried to setting the port to 25, _smtp.Connect("216.32.180.74", 25, Rebex.Net.SslMode.Explicit);

But that gave me a different error,
Rebex.Net.TlsException: Server certificate was rejected by the verifier because the certificate's common name 'mail.protection.outlook.com' does not match the hostname '216.32.180.74'.


I did find this post where it looks like I'm not the first to encounter issues sending to an outlook.com hosted email.

https://community.spiceworks.com/topic/1962974-emails-not-being-delivered-due-to-tls

---

SMTP at port 587 is only supposed to be used by SMTP clients to submit email for delivery to outbound SMTP servers. It's not used for communication between SMTP servers, which is why no service is listening at this port at the recipient SMTP server.

When acting as an outbound SMTP service, you have to use port 25. However, you are trying to establish a connection by connecting to an IP address, which prevents certificate validation from working properly - the validator is unable to tell whether the target is using a certificate that matches its host name.

To fix this, specify the host name (obtained from DNS by resolving the target domain's MX record) in the Connect method call instead of the IP address. (Alternatively, if you wish to keep using an IP address for some reason, you can make the validation work by assigning the host name to _smtp.Settings.SslServerName before calling the Connect method.)

---

ok, yes I forgot about 587 only being for SMTP clients.

I tested using SslServerName  and that works. I have to use that because I resolve DNS names and then loop through the resolving servers. I have to use the IP due to possible round robin DNS like in this case.

I made the appropriate change and all is working fine with the exception of one so far.

Rebex.Net.TlsException: Server certificate was rejected by the verifier because the certificate's common name '*.superblock.net' does not match the hostname 'api.pushover.net'. ---> Rebex.Net.TlsException: Server certificate was rejected by the verifier because the certificate's common name '*.superblock.net' does not match the hostname 'api.pushover.net'.

I assume I'll want to catch these and fallback to retrying to connect without TLS?

---

A mismatched common name basically means that the server is presenting a certificate that belongs to a different server than the one you wanted to connect to. If you ruled out a mistake at the client side (the outbound SMTP service in this case), then it either means that the target domains DNS records or mail servers are misconfigured (which is unfortunately quite common), or that someone is trying to perform a man-in-the-middle attack with another site's certificates and tries to trick clients that don't properly validate the certificate to submit email to it (unlikely in this case but possible).

But if you fall back to retrying the connection without TLS, an attacker along the way could easily trick your outgoing SMTP service to not use TLS simply by presenting any mismatched or non-valid certificate.

However, since you were not really interested in using TLS in the first place, and only use it to meet third-party server requirements, this might be an acceptable solution for now. Just be aware that you lose all the benefits of TLS if you do this, and that even though most of your outgoing SMTP sessions would be encrypted, they would not be secure. But then again, it's no worse than not using TLS at all (although it might evoke a false sense of security).