[GH-ISSUE #277] SMTP relay "command: unencrypted connection" #183

Closed
opened 2026-03-15 13:03:55 +03:00 by kerem · 12 comments
Owner

Originally created by @koushyk on GitHub (Apr 15, 2024).
Original GitHub issue: https://github.com/axllent/mailpit/issues/277

I'm getting an error on trying to relay, MP_SMTP_RELAY_ALLOW_INSECURE does not help

```
time="2024/04/15 08:19:55" level=error msg="[smtp] error sending message: error response to AUTH command: unencrypted connection"
```

vars I'm using

```
MP_MAX_MESSAGES : 2000
MP_SMTP_RELAY_AUTH : plain
MP_SMTP_RELAY_HOST : postfix-mta.devsvc.svc.cluster.local
MP_SMTP_RELAY_PORT : 25
MP_SMTP_RELAY_PASSWORD : *****
MP_SMTP_RELAY_USERNAME : *****
MP_SMTP_RELAY_ALLOW_INSECURE: true
```

kerem 2026-03-15 13:03:55 +03:00
  • closed this issue
  • added the stale label

@axllent commented on GitHub (Apr 15, 2024):

Is your postfix running with StartTLS? Sorry for the edit, I see you did set `MP_SMTP_RELAY_STARTTLS` - but can you verify your SMTP server is using StartTLS?


@koushyk commented on GitHub (Apr 15, 2024):

I've tried multiple combinations, postfix is not using StartTLS


@axllent commented on GitHub (Apr 15, 2024):

That is very strange. Are you able to connect to that postfix server with any other SMTP client? The insecure setting you added is for when the TLS certificate cannot be validated, but you say your server isn't using TLS. It looks to me though as if your server is actually using TLS.

Please try to connect to it using another SMTP client to verify it is connectable, and then report back?


@axllent commented on GitHub (Apr 16, 2024):

Actually, I think you're just missing the `MP_SMTP_RELAY_STARTTLS: false` in your config. Postfix, like all modern SMTPD servers, requires StartTLS with authentication enabled; however, this can be manually disabled (as you must have done). Mailpit's SMTP relay client will therefore try to use StartTLS by default when using authentication... unless you specifically tell it not to.

Please let me know if that solves it for you?


@koushyk commented on GitHub (Apr 16, 2024):

We are using maildev as a previous solution and it connects fine; I thought `MP_SMTP_RELAY_STARTTLS: false` is default.
I will double-check everything one more time.


@axllent commented on GitHub (Apr 16, 2024):

Sorry, you are correct, the default is false. I have just done some testing here and am able to replicate the error `[smtp] error sending message: error response to AUTH command: unencrypted connection`. This is an error being returned from the server stating that StartTLS is actually required to use authentication (as I previously suggested), so yes, your server is using StartTLS for authenticated connections, most likely with a self-signed/generated certificate when you installed postfix.

```
MP_SMTP_RELAY_ALLOW_INSECURE: true
MP_SMTP_RELAY_STARTTLS: true
```

The above config should do what you want (it works for me). I can't speak for maildev, but I assume it possibly just upgrades (and ignores the self-signed? certificate) by default.


@github-actions[bot] commented on GitHub (Apr 24, 2024):

This issue has been marked as stale because it has been open for 7 days with no activity.


@github-actions[bot] commented on GitHub (Apr 28, 2024):

This issue was closed because there has been no activity since being marked as stale.


@koushyk commented on GitHub (May 8, 2024):

When I added

```
MP_SMTP_RELAY_ALLOW_INSECURE: true
MP_SMTP_RELAY_STARTTLS: true
```

I got

```
time="2024/05/08 13:35:55" level=error msg="[smtp] error relaying message: error creating StartTLS config: 502 5.5.1 Error: command not implemented"
```

Maybe it's related to https://pkg.go.dev/net/smtp#PlainAuth


@axllent commented on GitHub (May 9, 2024):

Can you please `telnet postfix-mta.devsvc.svc.cluster.local 25` and then type `EHLO` and paste the response?

I really cannot tell why or where this is failing in your setup, but I have not encountered this issue anywhere before. It would be ideal if you could provide me with a docker script to start my own postfix server which also fails in the same way so that I can further debug the issue and find the cause and/or a fix.


@koushyk commented on GitHub (May 9, 2024):

```
250-PIPELINING
250-SIZE 20480000
250-VRFY
250-ETRN
250-AUTH PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
```

I will try to reconfigure postfix
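
Added example (not from the thread and not Mailpit's code): a Go program that parses the EHLO reply pasted above, which advertises `AUTH PLAIN` but no `STARTTLS`, and asks the standard library's `smtp.PlainAuth` (linked in the earlier comment) whether it would send credentials. `net/smtp` returns the same `unencrypted connection` text when the link is not TLS and the host is not localhost. `parseEHLO`, `diagnose`, `ehloSample` and the credentials are hypothetical names and constructed values.

```go
package main

import (
	"fmt"
	"net/smtp"
	"strings"
)

// Constructed from the EHLO reply pasted above: AUTH PLAIN, no STARTTLS.
const ehloSample = "250-PIPELINING\n250-SIZE 20480000\n250-VRFY\n250-ETRN\n" +
	"250-AUTH PLAIN\n250-ENHANCEDSTATUSCODES\n250-8BITMIME\n250-DSN\n250 CHUNKING"

// parseEHLO scans "250-KEYWORD args" / "250 KEYWORD args" reply lines.
func parseEHLO(reply string) (startTLS bool, auth []string) {
	for _, line := range strings.Split(reply, "\n") {
		line = strings.TrimSpace(line)
		if len(line) < 5 || !strings.HasPrefix(line, "250") {
			continue
		}
		switch f := strings.Fields(line[4:]); strings.ToUpper(f[0]) {
		case "STARTTLS":
			startTLS = true
		case "AUTH":
			auth = append(auth, f[1:]...)
		}
	}
	return startTLS, auth
}

// diagnose reports what a net/smtp client does for one relay setting;
// the username and password are constructed placeholders.
func diagnose(host string, useStartTLS bool, ehlo string) string {
	startTLS, mechs := parseEHLO(ehlo)
	if useStartTLS && !startTLS {
		return "STARTTLS requested but not advertised"
	}
	// ServerInfo.TLS is true only when the STARTTLS upgrade took place.
	info := &smtp.ServerInfo{Name: host, TLS: useStartTLS, Auth: mechs}
	if _, _, err := smtp.PlainAuth("", "user", "placeholder", host).Start(info); err != nil {
		return "PlainAuth refused: " + err.Error()
	}
	return "credentials would be sent"
}

func main() {
	for _, on := range []bool{false, true} {
		fmt.Println(on, diagnose("postfix-mta.devsvc.svc.cluster.local", on, ehloSample))
	}
}
```

Against this EHLO reply, neither setting of the STARTTLS option can succeed with `PlainAuth`; once the server advertises `STARTTLS`, the `true` case returns `credentials would be sent`.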


@koushyk commented on GitHub (May 10, 2024):

After adding to postfix config:

```
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/public.cert
smtpd_tls_key_file = /etc/pki/tls/private/private.key
smtpd_tls_security_level = may
```

Emails started to work fine, but I'm sure that it should work without TLS anyway.
Here is my config without TLS:

```
compatibility_level = 2
inet_protocols = ipv4
smtputf8_enable = no
maillog_file = /dev/stdout
mydestination =
message_size_limit = 20480000
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,reject_invalid_helo_hostname,permit
mynetworks = 127.0.0.0/8,192.168.0.0/16

myhostname = xxxx.com
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
transport_maps = pcre:/etc/postfix/transport.pcre

smtpd_recipient_restrictions =
  check_recipient_access pcre:/etc/postfix/recipient_domains
  reject_unauth_destination
  reject_non_fqdn_recipient
  reject_unknown_recipient_domain
  reject_unverified_recipient
  reject_invalid_hostname
  permit_sasl_authenticated

smtpd_sender_restrictions =
  reject_unknown_sender_domain
  reject_sender_login_mismatch
  reject_non_fqdn_sender

smtpd_sasl_auth_enable = yes
smtpd_sender_login_maps = pcre:/etc/postfix/login_maps.pcre
```
