Cannot Connect To Mail Server With Port 587

Hello, I have managed to get a score of 10/10 on my mail server.

But why can’t I connect to the mail server with port 587? Even though my server has opened the port…

ERROR: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond hidenmyip:587

bunga@mylinux:~$ nmap hidenmymailserver
Starting Nmap 7.80 ( https://nmap.org ) at 2022-07-26 06:32 WIB
Nmap scan report for hidenmyip
Host is up (0.024s latency).
Not shown: 984 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp filtered smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
443/tcp open https
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
1723/tcp open pptp
5678/tcp filtered rrac
8090/tcp open opsmessaging

Nmap done: 1 IP address (1 host up) scanned in 4.62 seconds
bunga@mylinux:~$

Please help me how to fix it…

Thank you

Check using

openssl s_client -starttls smtp -showcerts -connect mail.example.com:587 -servername mail.example.com

Should get a 250 dsn answer or somesuch.


250 CHUNKING

Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 9DC71627AF7AAEE3D7107B95CA19118C824A838E1767831998B45CBD80325EB4
Session-ID-ctx:
Resumption PSK: DFAF6A6ECA3B62806B8F89B9FB2335DF5C80062621DF28C4046EFDEF9514300829CF6D0E6BB4F231A21B54A96AC08A68
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)

Start Time: 1658797128
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0

read R BLOCK

In the cert PEM I got 3 types with -BEGIN CERTIFICATE - END CERTIFICATE,
like this:

-----BEGIN CERTIFICATE-----

code

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

code

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

code

-----END CERTIFICATE-----

Is it really like that?

You literally sent nothing interesting; the part that matters is something like:

Server certificate
subject=/CN=myhiddenserver
issuer=/C=US/O=Let's Encrypt/CN=R3

The server isn’t timing out because of a connectivity issue; it’s because of certificate handshake issues. So you have to make sure the certificate is actually valid. I can already almost tell you need to reissue them in the CyberPanel UI.

This?

Server certificate
subject=CN = myhiddenserver

issuer=C = US, O = Let’s Encrypt, CN = R3


No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits

SSL handshake has read 4435 bytes and written 424 bytes
Verification: OK

New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

250 CHUNKING

I can’t guess, is it valid? I don’t know your server domain and what the certificate claims it is protecting. So if it’s valid, maybe the email program doesn’t support TLS 1.3.

Not sure what’s the point of all the secrecy, is it an NSA mail server or something? It’s simple: the command shows the certificate, and you, and only you, know if the domain you used to connect is the one that matches the certificate the server put out. If it doesn’t, then stuff like Outlook ain’t going to connect to it; if there’s a protocol mismatch (TLS 1.1 to TLS 1.3) then timeout and stuff.
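Added example, not part of any post in this thread and not OpenSSL or CyberPanel code: the comparison the last reply describes (certificate name against the name you connected to, plus negotiated protocol and verify code), scripted over saved openssl s_client output. The function names summarize and name_matches, the hostname mail.example.com and the sample text are assumptions constructed for illustration.

```python
import re

# Constructed sample: the fields the replies ask about, in the OpenSSL 1.1.1
# layout pasted in the thread (mail.example.com is a placeholder hostname).
SAMPLE = """\
Server certificate
subject=CN = mail.example.com

issuer=C = US, O = Let's Encrypt, CN = R3

New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 0 (ok)
250 CHUNKING
"""

def name_matches(pattern, host):
    """Compare label by label; a wildcard may only replace the left-most label."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]

def summarize(output, connect_host):
    """Pull subject CN, issuer, protocol and verify code out of s_client text."""
    def grab(rx):
        m = re.search(rx, output, re.M)
        return m.group(1).strip() if m else None
    # Handles both layouts seen in the thread: "subject=/CN=x" and "subject=CN = x".
    cn = grab(r"^subject=.*?CN\s*=\s*([^,/\n]+)")
    code = grab(r"^\s*Verify return code:\s*(\d+)")
    report = {
        "subject_cn": cn,
        "issuer": grab(r"^issuer=(.+)$"),
        "protocol": grab(r"^New, (\S+), Cipher is"),
        "verify_code": int(code) if code is not None else None,
        "smtp_ready": bool(re.search(r"^250[ -]", output, re.M)),
    }
    # Limitation: CN is only what the s_client summary prints; mail clients
    # compare the certificate's subjectAltName entries to the connect name.
    report["name_ok"] = bool(cn) and name_matches(cn, connect_host)
    return report

if __name__ == "__main__":
    for key, value in summarize(SAMPLE, "mail.example.com").items():
        print(f"{key}: {value}")
```

A name_ok of False with verify_code 0 means the chain is trusted but was issued for a different name than the one the mail client is configured with.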