[GH-ISSUE #890] [BUG] Email through Starttls not working #324

Closed
opened 2026-02-27 08:16:39 +03:00 by kerem · 3 comments

Originally created by @zaggash on GitHub (Apr 2, 2024).
Original GitHub issue: https://github.com/lldap/lldap/issues/890

Describe the bug
Using the CLI to test the SMTP and working on port 587, STARTTLS is not working, while it is working fine with other applications.

It throws me the following error:

```
2024-04-02T16:55:34.298682303+00:00  ERROR    🚨 [error]: TLS alert received: AlertMessagePayload {
    level: Fatal,
    description: ProtocolVersion,
} | log.target: "rustls::conn" | log.module_path: "rustls::conn" | log.file: "/__w/lldap/lldap/${GITHUB_WORKSPACE}/.cargo/registry/src/index.crates.io-6f17d22bba15001f/rustls-0.20.8/src/conn.rs" | log.line: 1327
Error: Could not send email: {:#}

Caused by:
    0: Connection error: Connection error: received fatal alert: ProtocolVersion
    1: Connection error: received fatal alert: ProtocolVersion
    2: received fatal alert: ProtocolVersion
```

```
smtp_options: MailOptions {
        enable_password_reset: true,
        from: Some(
            Mailbox {
                name: None,
                email: Address {
                    serialized: "ldap@mydomain.tld",
                    at_start: 4,
                },
            },
        ),
        reply_to: Some(
            Mailbox {
                name: None,
                email: Address {
                    serialized: "noreply@mydomain.tld",
                    at_start: 7,
                },
            },
        ),
        server: "smtp.server.tld",
        port: 587,
        user: "userlogin@domain.tld",
        password: ***SECRET***,
        smtp_encryption: StartTls,
        tls_required: None,
```

To Reproduce
Steps to reproduce the behavior:

  1. docker exec in the lldap container
  2. Set up your credentials and smtp settings for /app/lldap send_test_email
  3. Set the --smtp-encryption to STARTTLS
  4. See error

Expected behavior
The email should be sent.

However, if I use TLS on port 465 it is working fine.

kerem closed this issue and added the bug label on 2026-02-27 08:16:39 +03:00.

@nitnelave commented on GitHub (Apr 2, 2024):

That sounds more like an issue with lettre, the email library we're using. Although out of curiosity, why use starttls when TLS works? It's simply superior.


@zaggash commented on GitHub (Apr 2, 2024):

I didn't know how SMTP encryption worked.
I figured I better use TLS after a bit of research.
However, I wanted to report for others.


@thielj commented on GitHub (Jun 29, 2024):

@zaggash The formerly deprecated port 465 ('smtps') and implicit TLS have now become the recommended method ('submissions'). I think someone figured out that a man-in-the-middle attacker could simply strip out the starttls command.

See https://www.rfc-editor.org/rfc/rfc8314#section-3.3
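
The downgrade mentioned in the comment above comes down to whether a client treats a missing STARTTLS capability in the EHLO reply as fatal. The following is an added example, not code from lldap or lettre; all type and function names are hypothetical and the sample replies are constructed. It parses the multiline EHLO reply and fails closed when TLS is required:

```rust
#[derive(Debug, PartialEq)]
enum TlsPolicy { Opportunistic, Required }
#[derive(Debug, PartialEq)]
enum Decision { Upgrade, Plaintext, Abort(String) }
// Constructed sample EHLO replies (hypothetical server, not captured traffic).
const HONEST: &str = "250-smtp.server.tld\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME\r\n";
const STRIPPED: &str = "250-smtp.server.tld\r\n250-SIZE 35882577\r\n250 8BITMIME\r\n";

/// Parse a multiline SMTP reply ("250-text" ... "250 text") into code and text lines.
fn parse_reply(raw: &str) -> Result<(u16, Vec<String>), String> {
    let (mut code, mut lines, mut done) = (None, Vec::new(), false);
    for line in raw.split("\r\n").filter(|l| !l.is_empty()) {
        if done { return Err("data after final reply line".into()); }
        if line.len() < 3 || !line.as_bytes()[..3].iter().all(u8::is_ascii_digit) {
            return Err(format!("malformed reply line {line:?}"));
        }
        let (digits, rest) = line.split_at(3);
        if *code.get_or_insert(digits) != digits { return Err("reply code changed mid-reply".into()); }
        match rest.chars().next() {
            Some('-') => {}                  // continuation line
            Some(' ') | None => done = true, // final line of the reply
            _ => return Err(format!("malformed reply line {line:?}")),
        }
        lines.push(rest.get(1..).unwrap_or("").trim().to_string());
    }
    // Three ASCII digits always fit in a u16, so the parse cannot fail here.
    if done { Ok((code.unwrap().parse().unwrap(), lines)) } else { Err("truncated reply".into()) }
}

/// Decide the client's next step; Required never falls back to plaintext.
fn decide(ehlo_reply: &str, policy: TlsPolicy) -> Decision {
    let lines = match parse_reply(ehlo_reply) {
        Ok((250, lines)) => lines,
        Ok((code, _)) => return Decision::Abort(format!("EHLO rejected with {code}")),
        Err(e) => return Decision::Abort(e),
    };
    // Line 0 is the greeting; each later line starts with a case-insensitive keyword.
    let offered = lines.iter().skip(1).any(|l| {
        l.split_whitespace().next().map_or(false, |k| k.eq_ignore_ascii_case("STARTTLS"))
    });
    match (offered, policy) {
        (true, _) => Decision::Upgrade,
        (false, TlsPolicy::Required) => Decision::Abort("STARTTLS not advertised".into()),
        (false, TlsPolicy::Opportunistic) => Decision::Plaintext,
    }
}

fn main() {
    println!("{:?} {:?}", decide(HONEST, TlsPolicy::Required), decide(STRIPPED, TlsPolicy::Opportunistic));
}
```

With implicit TLS on port 465 this decision does not exist, because no plaintext capability exchange precedes the handshake.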
