Disable STARTTLS on Qmail for outgoing messages

Question

I've a Plesk 10.5 server with QMAIL as MTA.

We are facing issues when sending e-mail to certain domains and I would like to know if you guys know how to disable STARTTLS when sending e-mail through QMAIL.

I took a look on xinetd files and I could not find anything forcing TLS (FORCE_TLS=1).

Logs from TCPDUMP:

TCP>[Y-SRC] [X-SRC] > SMTP SYN TCP>[X-DST] [Y-SRC] > SYN ACK TCP>[Y-SRC] [X-SRC] > ACK

SMTP>[X-DST] [Y-SRC] > 220 mail.domain.tld ESMTP Postfix TCP>[Y-SRC] [X-SRC] > ACK

SMTP>[Y-SRC] [X-DST] > EHLO mail.mydomain.tld TCP>[X-DST] [Y-SRC] > ACK

SMTP>[X-DST] [Y-SRC] > 250 mail.domain.tld 250 PIPELINING 250 SIZE 204800000 250 VRFY 250 ETRN 250 STARTTLS 250 ENHANCEDSTATUSCODES 250 8BITMIME 250 DSN

SMTP>[Y-SRC] [X-DST] > STARTTLS TCP>[X-DST] [Y-SRC] > ACK

SMTP>[X-DST] [Y-SRC] > 220 2.0.0 Ready to start TLS

SMTP>[Y-SRC] [X-DST] > Client Hello TCP>[X-DST] [Y-SRC] > ACK

SMTP>[X-DST] [Y-SRC] > Server Hello, Certificate, Server Hello Done TCP>[Y-SRC] [X-SRC] > ACK

SMTP>[Y-SRC] [X-DST] > Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message TCP>[X-DST] [Y-SRC] > ACK

SMTP>[X-DST] [Y-SRC] > Change Cipher Spec TCP>[Y-SRC] [X-SRC] > ACK

SMTP>[X-DST] [Y-SRC] > Encrypted Handshake Message TCP>[Y-SRC] [X-SRC] > ACK

SMTP>[Y-SRC] [X-DST] > Application Data, Application Data TCP>[X-DST] [Y-SRC] > ACK TCP>[X-DST] [Y-SRC] > FIN ACK

SMTP>[X-DST] [Y-SRC] > Encrypted Alert TCP>[X-DST] [Y-SRC] > RST

Why do you not want STARTTLS? – Falcon Momot Dec 19 '13 at 01:59 — Falcon Momot, Dec 19 '13 at 01:59

score 1 · Answer 1 · answered Dec 18 '13 at 17:04

It depends a bit on how Qmail was configured with TLS/SSL support I think. Check your man qmail-remote for supported debug options and controls.

According to this version you can create a control file notlshosts/<FQDN> to suppress the upgrade to TLS for certain destinations i.e. the host/domain you're trying to debug:

        notlshosts/<FQDN> 
        qmail-remote  will  not  try TLS on servers for which
        this  file  exists  (<FQDN>  is  the  fully-qualified
        domain  name  of  the  server).  (tlshosts/<FQDN>.pem
        takes precedence over this file however).

Disable STARTTLS on Qmail for outgoing messages

1 Answers1