[SOLVED] Set up Nodemailer to secure email with a STARTLS handshake?

Set up Nodemailer to secure email with a STARTLS handshake?

I need to send e-mail through my remote Postfix/Dovecot SASL service from Node.js on my desktop.

When I send email using Thunderbird, it works and the Postfix server logs show

Anonymous TLS connection established from unknown[dh.cp.ip.ip]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

But not through nodemailer, where the Postfix server logs:

Nov 26 22:02:31 servicelabel postfix/submission/smtpd[27019]: connect from unknown[dh.cp.ip.ip]                                                         
Nov 26 22:02:31 servicelabel postfix/submission/smtpd[27019]: lost connection after CONNECT from unknown[dh.cp.ip.ip]                                   
Nov 26 22:02:31 servicelabel postfix/submission/smtpd[27019]: disconnect from unknown[dh.cp.ip.ip] commands=0/0

These same settings are used for Nodemailer transport and Thunderbird

  let transporter = nodemailer.createTransport(
    {
        host: "mx.example.com",
        port: 587,
        secure: false, // use TLS
        // requireTLS:true,        
        auth: {
            user: "emailuser",
            pass: "password"
        },
        tls: { rejectUnauthorized: false },
        // logger: true,
         debug: true 
    },
    {      
        from: 'myuser@example.com',
    }
);

But Nodemailer won't connect to Dovecot with TLS the same way Thunderbird does ??

when I change secure to true to force TLS a SSL routines:ssl3_get_record:wrong version number error (below); it appears when verifying the transport.

transporter.verify(function(error, success) {
  if (error) {
    console.log(error);
  } else {
    console.log("Server is ready to take our messages");
    return false;
  }
});

Error: 140185182082944:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:
code:"ECONNECTION"
command:"CONN"
function:"ssl3_get_record"
library:"SSL routines"
message:"140185182082944:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n"
reason:"wrong version number"
stack:"Error: 140185182082944:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n"

When I test with this command:

openssl s_client -starttls smtp -connect mx.example.com:587

depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = mx.example.com
verify return:1
---
Certificate chain
 0 s:CN = mx. ...
...
...

... the SSL/STARTTLS handshake succeeds and certificates

But if I use this command:

openssl s_client -connect mx.example.com:587 -crlf -ign_eof

I get the same error as with Nodemailer

CONNECTED(00000005) 140508975112640:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:

I've tried a number of option configurations and am at a loss...

How do I send secure email through my Dovecot/Postfix server via Nodemailer? Do I need to configure some certs in Nodemailer? Should I use something different to send secure email from node.js? Any help appreciated.

Solution

My unit testing context in Mocha does not have the ciphersuites of Node.js available.

The Nodemailer has no problem initiating TLS handshake from STARTLS when running in a Node.js context.