NO email from QNAP TS-212P

rowihei
New here
Posts: 6
Joined: Mon Feb 15, 2021 11:26 pm

NO email from QNAP TS-212P

Post by rowihei »

Hello,
problems with system mails from the QNAP NAS to the company administrator:

We have our own mail server inside the company, and that's why all system mails (reports of backups, virus scans, updates ...) go from the servers via our mail server to the system admin + controller.
There are 10 such mails every day - we check/hope all is OK.

Our QNAP NAS backs up its content every night to a USB HD (changed every day).
ALL OK - since last week ...
10 days ago we tested our mail server security via ssllabs.com and as a result we reconfigured our mail server with TLSv1.2.
ALL OK - except mail from the QNAP backup.
Under System Basics we configured the message settings with port 587 and TLS - but the test mail said ERROR.
Remember: 10 days ago it was OK!
Which TLS version is supported by QNAP?
How is it possible to change the QNAP message client to TLSv1.2?
Thanks for any help!

NO email from QNAP TS-212P#PS

Post by rowihei »

Hello,
today I tried to find the reason via telnet.
I logged in to the QNAP NAS with PuTTY and then used telnet to test ...

Code:

[~] # telnet -l user00 mail.firma.lan 587
220 mail.firma.lan ESMTP Postfix
EHLO mail.firma.lan
250-mail.firma.lan
250-PIPELINING
250-SIZE 50000000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:user00@firma.lan
250 2.1.0 Ok
RCPT TO:admin@firma.lan
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: TEST-mail

Das ist ein Test via Telnet!

.
250 2.0.0 Ok: queued as 841A445873
QUIT
221 2.0.0 Bye
Connection closed by foreign host.

And ADMIN received this test mail - why does the QNAP system mailer produce an error?
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: NO email from QNAP TS-212P

Post by Mousetick »

But your telnet test doesn't show anything since your session was in clear text all along, you didn't use TLS.

Does the NAS need to authenticate to the mail server? If not then why do you need TLS? It's not like the NAS is sending classified secret information in its emails.
Can the NAS successfully send email without TLS, like it used to do before you reconfigured your mail server?

Anyhow, since you control the mail server, you can troubleshoot the issue on the mail server side. Turn up the log level, and look at its logs while the NAS is sending test mails.
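
A probe that actually performs STARTTLS, unlike the cleartext telnet session above, and reports the protocol version and cipher the mail server negotiates. This is an added example, not part of the original thread; `pinned_context` and `probe` are hypothetical helper names, and the probe assumes it runs on an admin workstation whose trust store (or `cafile`) can verify the server certificate, so it shows what the server accepts rather than what the NAS offers.

```python
import smtplib
import ssl


def pinned_context(version, cafile=None):
    """Client context that offers exactly one TLS version and verifies the certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe(host, port=587, version=ssl.TLSVersion.TLSv1_2, cafile=None, timeout=10):
    """Connect, issue STARTTLS with one pinned TLS version, report the outcome."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            # starttls() sends EHLO first and raises if STARTTLS is not advertised
            smtp.starttls(context=pinned_context(version, cafile))
            name, _proto, bits = smtp.sock.cipher()
            return {"ok": True, "version": smtp.sock.version(),
                    "cipher": name, "bits": bits}
    except OSError as exc:
        # ssl.SSLError, smtplib.SMTPException and socket errors all derive from OSError
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}


if __name__ == "__main__":
    # mail.firma.lan is the server name used in the thread
    for v in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        print(v.name, probe("mail.firma.lan", 587, v))
```

A handshake rejected by the server shows up here as an `SSLError` in the `error` field, which can then be matched against the Postfix log entry for the same connection.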

Re: NO email from QNAP TS-212P

Post by rowihei »

Hello Mousetick,
part of mail.log (172.20.20.254 is the QNAP NAS):

Code:

Feb 17 04:19:56 mail-srv postfix/smtpd[12872]: connect from unknown[172.20.20.254]
Feb 17 04:19:56 mail-srv rspamd[2256]: <c0aee9>; proxy; proxy_accept_socket: accepted milter connection from /var/run/rspamd/worker-proxy port 0
Feb 17 04:19:56 mail-srv postfix/smtpd[12872]: SSL_accept error from unknown[172.20.20.254]: -1
Feb 17 04:19:56 mail-srv postfix/smtpd[12872]: warning: TLS library problem: 12872:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1435:
Feb 17 04:19:56 mail-srv postfix/smtpd[12872]: lost connection after STARTTLS from unknown[172.20.20.254]
Feb 17 04:19:56 mail-srv postfix/smtpd[12872]: disconnect from unknown[172.20.20.254]
Feb 17 04:19:56 mail-srv rspamd[2256]: <c0aee9>; milter; rspamd_milter_process_command: got connection from 172.20.20.254:57186
Feb 17 04:19:56 mail-srv rspamd[2256]: <c0aee9>; proxy; proxy_milter_finish_handler: finished milter connection
Feb 17 04:19:56 mail-srv postfix/smtpd[12872]: connect from unknown[172.20.20.254]
Feb 17 04:19:56 mail-srv rspamd[2256]: <9ce430>; proxy; proxy_accept_socket: accepted milter connection from /var/run/rspamd/worker-proxy port 0
Feb 17 04:19:56 mail-srv postfix/smtpd[12872]: SSL_accept error from unknown[172.20.20.254]: -1
Feb 17 04:19:56 mail-srv postfix/smtpd[12872]: warning: TLS library problem: 12872:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1435:
Feb 17 04:19:56 mail-srv postfix/smtpd[12872]: lost connection after STARTTLS from unknown[172.20.20.254]
Feb 17 04:19:56 mail-srv postfix/smtpd[12872]: disconnect from unknown[172.20.20.254]
Feb 17 04:19:56 mail-srv rspamd[2256]: <9ce430>; milter; rspamd_milter_process_command: got connection from 172.20.20.254:57187
Feb 17 04:19:56 mail-srv rspamd[2256]: <9ce430>; proxy; proxy_milter_finish_handler: finished milter connection
Feb 17 04:20:03 mail-srv clamd[1382]: SelfCheck: Database modification detected. Forcing reload.

It looks like a TLS problem. But what should I do?
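
A log triage sketch for the excerpt above, useful after tightening TLS settings on a mail server to find every client that can no longer complete STARTTLS. This is an added example, not part of the original thread; `tls_failures` is a hypothetical helper, and it assumes each smtpd process serves one connection at a time, so the OpenSSL error line (which carries no client address) can be tied to a client through the process ID.

```python
import re
from collections import Counter

# Sample lines abridged from the mail.log excerpt in the post above.
SAMPLE_LOG = """\
Feb 17 04:19:56 mail-srv postfix/smtpd[12872]: connect from unknown[172.20.20.254]
Feb 17 04:19:56 mail-srv rspamd[2256]: <c0aee9>; proxy; proxy_accept_socket: accepted milter connection from /var/run/rspamd/worker-proxy port 0
Feb 17 04:19:56 mail-srv postfix/smtpd[12872]: warning: TLS library problem: 12872:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1435:
Feb 17 04:19:56 mail-srv postfix/smtpd[12872]: lost connection after STARTTLS from unknown[172.20.20.254]
Feb 17 04:19:56 mail-srv postfix/smtpd[12872]: disconnect from unknown[172.20.20.254]
Feb 17 04:19:56 mail-srv postfix/smtpd[12872]: connect from unknown[172.20.20.254]
Feb 17 04:19:56 mail-srv postfix/smtpd[12872]: warning: TLS library problem: 12872:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1435:
Feb 17 04:19:56 mail-srv postfix/smtpd[12872]: lost connection after STARTTLS from unknown[172.20.20.254]
Feb 17 04:19:56 mail-srv postfix/smtpd[12872]: disconnect from unknown[172.20.20.254]
"""

SMTPD = re.compile(r"postfix/(?:\w+/)?smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CLIENT = re.compile(r"\[(?P<ip>[0-9A-Fa-f.:]+)\]")
# OpenSSL error queue entry: pid:error:code:library:function:reason:file:line:
OSSL = re.compile(r"TLS library problem: \d+:error:[0-9A-F]+:[^:]*:[^:]*:(?P<reason>[^:]*):")


def tls_failures(log_text):
    """Count aborted STARTTLS handshakes per (client IP, OpenSSL reason)."""
    failures = Counter()
    sessions = {}  # smtpd PID -> state of the connection that process is serving
    for line in log_text.splitlines():
        m = SMTPD.search(line)
        if not m:
            continue  # rspamd, clamd and other daemons
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("connect from "):
            ip = CLIENT.search(msg)
            sessions[pid] = {"ip": ip["ip"] if ip else "?", "reason": None}
        elif pid in sessions:
            err = OSSL.search(msg)
            if err:
                sessions[pid]["reason"] = err["reason"]
            elif msg.startswith("lost connection after STARTTLS"):
                s = sessions[pid]
                failures[(s["ip"], s["reason"] or "unknown")] += 1
            elif msg.startswith("disconnect from "):
                del sessions[pid]
    return failures


if __name__ == "__main__":
    for (ip, reason), n in tls_failures(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed handshake(s), reason: {reason}")
```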

Re: NO email from QNAP TS-212P

Post by Mousetick »

rowihei wrote: Sat Feb 20, 2021 12:52 am
It looks like a TLS problem. But what should I do?

- You can turn up the log level even more in postfix to display openssl TLS negotiation messages, and troubleshoot from there.
- What is the firmware running on the NAS? In the 4.4.x and 4.5.x versions with the separate Notification Center app, there is a 'Secure connection' setting in the SMTP server configuration which is either 'None', 'SSL' or 'TLS'. It needs to be set to TLS of course. If the firmware is too old it may not have that option and is only using SSL, which won't work, or it doesn't support TLS 1.2.
- Don't use TLS from the NAS. Again, why do you need to encrypt NAS emails on your internal network? Just send NAS emails in clear text.

Re: NO email from QNAP TS-212P

Post by rowihei »

Please, where can I find
which version of TLS is supported by

QNAP TS-212P (QTS 4.3.3.1432)

Thanks for an answer!

Re: NO email from QNAP TS-212P

Post by Mousetick »

rowihei wrote: Sun Feb 21, 2021 3:43 pm
Please, where can I find
which version of TLS is supported by

QNAP TS-212P (QTS 4.3.3.1432)

Thanks for an answer!

How To Check The OpenSSL Version Number
When was TLS 1.2 support added to OpenSSL?
https://www.google.com/search?q=how+to+ ... ts+tls+1.2
QNAP Customer Service

Re: NO email from QNAP TS-212P

Post by rowihei »

Yesterday via SSH on the NAS:

openssl ciphers -v |grep TLS
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
DH-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH/DSS Au=DH Enc=AESGCM(256) Mac=AEAD
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
DH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH/RSA Au=DH Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
DH-RSA-AES256-SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=AES(256) Mac=SHA256
DH-DSS-AES256-SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=AES(256) Mac=SHA256
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
DH-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=AESGCM(128) Mac=AEAD
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD
DH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
DHE-DSS-AES128-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(128) Mac=SHA256
DH-RSA-AES128-SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=AES(128) Mac=SHA256
DH-DSS-AES128-SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=AES(128) Mac=SHA256
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256

Looks like TLSv1.2 is there, but why the problems?

Re: NO email from QNAP TS-212P

Post by rowihei »

Found a solution for my problem:
* on the mail server, allow mails from the local network (172.20.20.0/24)
* on the mail server, create a user that is only allowed mails in the local network
* on the QNAP, configure SMTP for notification:
    E-mail account: custom
    SMTP server: 192.168.2.2
    Port number: 587
    E-mail: userxy@firma.lan
    Username: <empty !>
    Password: <empty !>
    Secure connection: None
    .....
    E-mail address 1: admin@firma.lan
    E-mail address 2: IT-man@firma.lan

The trick was the empty username & password. WITH the correct username/password, there was an error "... Disconnected after AUTH...".
... and of course you need a special user with low rights.