TLS issues / multiple smptd's?

[amb1545]

I've got a client that's running ZCS 5.0.2 NE and they recently requested that users be able to send mail through the Zimbra server when they are not on the LAN.

Basically, I'm trying to get Zimbra to allow TLS connections so that they can AUTH and then send mail that way.

TLS seems to be configured correctly, but I am unable to use TLS when I am not connected to their LAN.

Further investigation has confused me even more. When connected to their lan, telneting to port 25 yields the following results.

Code:

[admin@mail ~]$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.xxxx.net ESMTP Postfix
ehlo test
250-mail.xxxx.net
250-PIPELINING
250-SIZE 102400000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

However, if I try the same test from outside the LAN, I get these results.

Code:

sorrow:~ amb1545$ telnet mail.xxxx.net 25
Trying xx.xx.xx.xx...
Connected to mail.powderhouse.net.
Escape character is '^]'.
220 **********************************
ehlo test
250-mail.xxxx.net
250-PIPELINING
250-SIZE 102400000
250-VRFY
250-ETRN
250-XXXXXXXA
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Can anybody provide me with some insight here? What do I need to do to accept TLS connections from outside their LAN?

[phoenix]

In that second example, is that the correct server name? Is this a single server installation? I assume that mail delivery is working OK? Have you checked that the mynetworks setting is correct.

[Bill Brock]

Do not set your mail client to use encrypted password. If you set it to use TLS/SSL the password will be encrypted. I know when OE and outlook are set to use encrypted password the AUTH command is not recognized.

Use SSL without checking the "use encrypted password" box. Because the SSL connection is encrypted the password will be encrypted.

[amb1545]

Do not set your mail client to use encrypted password. If you set it to use TLS/SSL the password will be encrypted. I know when OE and outlook are set to use encrypted password the AUTH command is not recognized.

Use SSL without checking the "use encrypted password" box. Because the SSL connection is encrypted the password will be encrypted.

This actually turned out to be the easiest solution. Since SSL was already set up with my commercial certificate, I just needed to open up 465 on the firewall. Seems to be working fine now.

Thanks!

[CazaHenha]

I ran into a similar issue recently that when on the same subnet the box offered the STARTTLS command but when running from other subnets the STARTTLS was not offered. After losing a nights sleep on this the solution was that our Cisco routers had "application security" for esmtp, which by the looks of things works similar to a transparent proxy and does not support TLS. Once this was turned off the TLS started appearing again from the other subnets. So if people encounter this problem and TLS is offered via "telnet localhost 25" check any firewall/antivirus along the way as they may be causing the issue... I just wish I twigged this possibility hours earlier than I did