New Contributor

Where can I test sending email to an Optus server

I am not certain where I can test a mail server. As of around 3 days ago, emails from our customers to their customers (who seem to be at this stage foolish enough to use their Optusnet email address to receive monthly financial statements) are not being delivered.

**This issue is affecting outgoing emails ONLY to Optus email addresses and only in the last few days.**

Here is an example from one of our mail servers:
```
Oct 1 19:45:31 earth sendmail[603354]: 08SEor3R211239: to=<hidden>, ctladdr=<hidden> (1003/1003), delay=2+18:54:31, xdelay=00:00:00, mailer=esmtp, pri=21685910, relay=extmail.optusnet.com.au., dsn=4.0.0, stat=Deferred
```

The only other message I have seen from Optus' mail server is:
```
Oct 1 19:45:11 earth sendmail[603354]: ruleset=tls_server, arg1=SOFTWARE, relay=extmail.optusnet.com.au, reject=403 4.7.0 TLS handshake failed.
```

Which as you can see does not really give a reason other than there is maybe a ruleset which has not affected the sending of emails over the last several months so I guess it is a recent change or a bug?

All of their other recipients with gmail, yahoo, outlook.com, etc, and business domains (not hosted by Optus) are delivered without issue.

Now from the CLI, if I send an email directly from the server sending to Hotmail, which works:

```
# /usr/sbin/sendmail -i -Am -v -- hidden <<END
Subject: test email subject

test email body
END

hidden... Connecting to hotmail-com.olc.protection.outlook.com. via esmtp...
220 AM5EUR03FT014.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Thu, 1 Oct 2020 08:51:37 +0000
>>> EHLO SENDER_DOMAIN.net.au
250-AM5EUR03FT014.mail.protection.outlook.com Hello [SENDER_IP]
250-SIZE 49283072
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8
>>> STARTTLS
220 2.0.0 SMTP server ready
>>> EHLO SENDER_DOMAIN.net.au
250-AM5EUR03FT014.mail.protection.outlook.com Hello [SENDER_IP]
250-SIZE 49283072
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8
>>> MAIL From:<root@SENDER_DOMAIN.net.au> SIZE=45
250 2.1.0 Sender OK
>>> RCPT To:<hidden>
>>> DATA
250 2.1.5 Recipient OK
354 Start mail input; end with <CRLF>.<CRLF>
>>> .
250 2.6.0 <*****1.0918pb77599026@SENDER_DOMAIN.net.au> [InternalId=***** 487, Hostname=AM5EUR03HT047.eop-EUR03.prod.protection.outlook.com] 6903 bytes in 0.326, 20.660 KB/sec Queued mail for delivery -> 250 2.1.5
hidden... Sent (<*****1.0918pb77599026@SENDER_DOMAIN.net.au> [InternalId=*****487, Hostname=AM5EUR03HT047.eop-EUR03.prod.protection.outlook.com] 6903 bytes in 0.326, 20.660 KB/sec Queued mail for delivery -> 250 2.1.5)
Closing connection to hotmail-com.olc.protection.outlook.com.
>>> QUIT
221 2.0.0 Service closing transmission channel
```

...And the email is received

Now if I try the same with Optus:

```
# /usr/sbin/sendmail -i -Am -v -- hidden <<END
Subject: test email subject

test email body
END

hidden... Connecting to extmail.optusnet.com.au. via esmtp...
220 mail108.syd.optusnet.com.au ESMTP Postfix
>>> EHLO SENDER_DOMAIN.net.au
250-mail108.syd.optusnet.com.au
250-PIPELINING
250-SIZE 52428800
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
>>> STARTTLS
220 2.0.0 Ready to start TLS
hidden... Deferred: 403 4.7.0 TLS handshake failed.
Closing connection to extmail.optusnet.com.au.
```

I can show further examples, but I think this shows that BOTH Outlook.com and Optus are using TLS, only Optus has a problem and fails the handshake where other mail providers just work.

*Email addresses, server names, domains and IP addresses of our network have been altered for the post.

So can someone please confirm the issue at the mail server of Optus or provide a way that we can test against Optus' mail servers and report the issue officially.

Moderator

Re: Where can I test sending email to an Optus server

Hi @anon01, apologies for any inconvenience this may have caused. 

We have an online guide that can assist with your webmail issues. Please click here to view our online assistance. If the issue still continues then you are best to speak with our Technical Support team via the messaging service to assist you further.

New Contributor

Re: Where can I test sending email to an Optus server

Thank you for the prompt reply....

Actually, I just found the problem, it is that Optus only supports older TLS versions which are, well, not exactly secure....

When we upgraded our security on our mail servers we removed TLS 1.0 and 1.1 support and updated to support only TLS 1.2 and TLS 1.3 for security reasons, like the majority of mail servers globally.

For now we have allowed the legacy TLS 1.0 and 1.1 to be used alongside TLS 1.2 and 1.3 on one of our mail servers until Optus updates their mail server security.

It seems Optus has not got the memo on the exploits and security issues in TLS 1.0 and 1.1 yet, this explains why the TLS handshake was failing in the log with no real explanation as the older TLS version could not complete the handshake with the later TLS versions our MTA was trying to force it to use.


I only happened to stumble on the solution from a hit on the string in a forum post for COMCAST in the US (the post was from 2015!).

So the solution is to either disable TLS (no encryption) or allow lower legacy encryption levels to be used (again not really secure).

To confirm what TLS is supported on a corporate mail server (i.e. outside Optus) in CentOS/RedHat/etc:

```
#> openssl s_client -connect 5210r.smd.net:25 -starttls smtp -tls1
#> openssl s_client -connect 5210r.smd.net:25 -starttls smtp -tls1_1
#> openssl s_client -connect 5210r.smd.net:25 -starttls smtp -tls1_2
#> openssl s_client -connect 5210r.smd.net:25 -starttls smtp -tls1_3
```

The ones not supported will give an error.

The stock Sendmail on CentOS 8 no longer supports anything but TLSv1.2 and TLSv1.3 out of the box and the usual Sendmail mechanisms don't allow us to enable it.

The Sendmail %changelog doesn't show any indication as to why this might be the case.

However, there is a CentOS bug ticket that holds the answers:

https://bugs.centos.org/view.php?id=16484

So here is the fix/work-around:

```
#> update-crypto-policies --set LEGACY
#> systemctl restart sendmail
```

The "update-crypto-policies" recommends a reboot, but I leave that up to
you. The Sendmail restart fixed the issue for me and TLSv1.0 and TLSv1.1
started to work.

If you ever need or want to go back, you can run this:

```
#> update-crypto-policies --set DEFAULT
#> systemctl restart sendmail
```

Hope this helps anyone else who stumbles on this.
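
One way to see from the mail log which destination relays are hit by the TLS handshake failure discussed in this thread, for example after tightening or relaxing the allowed TLS versions. This is an added example, not part of the original posts; the function names are hypothetical and the sample log is constructed in the format of the two Sendmail lines quoted in the first post.

```python
import re
from collections import defaultdict

# Constructed sample: same format as the log lines quoted in the thread.
# Addresses, the second queue id and the mx.example.invalid relay are made up.
SAMPLE_LOG = """\
Oct 1 19:45:11 earth sendmail[603354]: ruleset=tls_server, arg1=SOFTWARE, relay=extmail.optusnet.com.au, reject=403 4.7.0 TLS handshake failed.
Oct 1 19:45:31 earth sendmail[603354]: 08SEor3R211239: to=<a@example.invalid>, ctladdr=<b@example.invalid> (1003/1003), delay=2+18:54:31, xdelay=00:00:00, mailer=esmtp, pri=21685910, relay=extmail.optusnet.com.au., dsn=4.0.0, stat=Deferred
Oct 1 19:46:02 earth sendmail[603360]: 08SEor3R211240: to=<c@example.invalid>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=120450, relay=mx.example.invalid. [192.0.2.10], dsn=2.0.0, stat=Sent (ok)
"""

RELAY = re.compile(r"\brelay=([^,\s\[]+)")
TLS_FAIL = re.compile(
    r"ruleset=tls_server\b.*reject=\d{3} [\d.]+ TLS handshake failed")
DEFERRED = re.compile(r"\bstat=Deferred\b")


def normalize_relay(host):
    """Sendmail logs the relay with and without a trailing dot; unify both."""
    return host.rstrip(".").lower()


def tls_failures(log_text):
    """Map each relay with a TLS handshake failure to its failure and
    deferral counts. Deferrals are counted for any reason, so treat the
    number as an upper bound on mail held up by the TLS problem."""
    stats = defaultdict(lambda: {"handshake_failures": 0, "deferred": 0})
    for line in log_text.splitlines():
        match = RELAY.search(line)
        if not match:
            continue
        relay = normalize_relay(match.group(1))
        if TLS_FAIL.search(line):
            stats[relay]["handshake_failures"] += 1
        elif DEFERRED.search(line):
            stats[relay]["deferred"] += 1
    # Relays that only deferred for other reasons are not reported.
    return {r: s for r, s in stats.items() if s["handshake_failures"]}


if __name__ == "__main__":
    for relay, counts in tls_failures(SAMPLE_LOG).items():
        print(relay, counts)
```

Relays reported here are the ones to probe with the `openssl s_client` commands above, one TLS version at a time.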

Moderator

Re: Where can I test sending email to an Optus server

Thanks for the update and the details @anon01. Yes, I am sure the info you have shared will help fellow Optus customers with similar issues.
