Tags: email, ssl, smtp, telnet, starttls

Must issue a STARTTLS command first but TLS no enabled on remote server


I have an issue with delivery of email to one particular email provider. My mail system keeps receiving:

    #5.0.0 smtp; 5.1.0 - Unknown address error 530-'#5.7.0 Must issue a STARTTLS command first' (delivery attempts: 0)> #SMTP#

When I tried connecting via telnet to the first MX record, I get:

Connected to 46.255.225.8
Escape character is '^]'.
220 ***************************
EHLO testme
250-xxx.xxx.xx
250-8BITMIME
250-SIZE 52428800
250 XXXXXXXA
MAIL FROM "test@testnet.net"
530 #5.7.0 Must issue a STARTTLS command first
STARTTLS
500 #5.5.1 command not recognized

But when I try:

    openssl s_client -starttls smtp -ign_eof -crlf -connect 46.255.225.8:587

I get a timeout (or it waits indefinitely without connecting), and if I try port 25, it fails with "Secure Renegotiation IS NOT supported".

However, when I tried the MXtoolbox online SMTP test, it works from their side:

    Connecting to 46.255.225.8

220 antispam111.centrum.cz ESMTP [270 ms]
EHLO keeper-us-east-1d.mxtoolbox.com
250-antispam111.centrum.cz
250-8BITMIME
250-SIZE 52428800
250 STARTTLS [222 ms]
MAIL FROM:<supertool@mxtoolboxsmtpdiag.com>
250 sender <supertool@mxtoolboxsmtpdiag.com> ok [260 ms]
RCPT TO:<test@mxtoolboxsmtpdiag.com>
550 #5.1.0 Address rejected. [220 ms]

Finally, if instead of the MX IP above I use smtp.centrum.cz, everything works fine from telnet on my machine. What am I doing wrong, and do you have any tip on how to fix it?


Solution

    250 XXXXXXXA

This line indicates that some man-in-the-middle in the path to the mail server tries to disable TLS by "removing" the indication that STARTTLS is supported from the server's response to EHLO. This is, for example, known behavior with Cisco ASA. It is done in order to make the client use plain TCP (no encryption) so that the security gateway can analyze any submitted mail.

Since the server does not allow any submission without TLS, this basically makes the server unusable when accessed from behind such a security gateway. There is nothing you can do about this in your code. Check with your network administrators whether this is the intended behavior.

    However, when I tried the MXtoolbox online SMTP test, it works from their side:

    Connecting to 46.255.225.8
    ...
    250 STARTTLS [222 ms]

This is because that external system is not behind the filtering security gateway as you are.
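The diagnosis above can be automated: parse the EHLO reply, and treat an eight-character run of X's where a keyword should be as a masked STARTTLS capability rather than a server that simply lacks TLS. The script below is an added example written for this page; it is not code from the question, the answer, MXToolbox or any vendor. The two EHLO transcripts are constructed from the replies shown in the question, the regex for the masked keyword is an assumption based only on the `250 XXXXXXXA` line seen here, and `probe_starttls` (which talks to a real server) is never run by the offline checks.

```python
import re
import socket
import ssl

# Constructed transcripts, modelled on the two EHLO replies in the question
# (first from behind the suspected gateway, second from MXToolbox's vantage point).
EHLO_FROM_BEHIND_GATEWAY = (
    "250-xxx.xxx.xx\r\n"
    "250-8BITMIME\r\n"
    "250-SIZE 52428800\r\n"
    "250 XXXXXXXA\r\n"
)
EHLO_FROM_OUTSIDE = (
    "250-antispam111.centrum.cz\r\n"
    "250-8BITMIME\r\n"
    "250-SIZE 52428800\r\n"
    "250 STARTTLS\r\n"
)

# Assumption: a masked keyword is a run of X's (optionally ending in one other
# capital) as long as "STARTTLS", matching the single sample on this page.
MASKED = re.compile(r"^X+[A-Z]?$")


def parse_ehlo(response: str) -> list:
    """Return the EHLO keywords (upper-cased, parameters dropped) of a multi-line
    250 reply. '250-' marks a continuation line, '250 ' the final line
    (RFC 5321 section 4.1.1.1); the first line carries the server name."""
    keywords = []
    lines = [l for l in response.replace("\r\n", "\n").split("\n") if l]
    for index, line in enumerate(lines):
        match = re.match(r"^250([ -])(.*)$", line)
        if not match:
            raise ValueError(f"not a 250 reply line: {line!r}")
        if index > 0:  # line 0 is the server's domain, not a keyword
            keywords.append(match.group(2).split()[0].upper())
        if match.group(1) == " ":
            break  # final line of the reply
    return keywords


def starttls_status(response: str) -> str:
    """Classify an EHLO reply as 'advertised', 'stripped' (a masked keyword of
    STARTTLS's length is present) or 'absent' (the server never offered TLS)."""
    keywords = parse_ehlo(response)
    if "STARTTLS" in keywords:
        return "advertised"
    if any(MASKED.fullmatch(k) and len(k) == len("STARTTLS") for k in keywords):
        return "stripped"
    return "absent"


def probe_starttls(host: str, port: int = 25, helo: str = "probe.example",
                   timeout: float = 10.0) -> dict:
    """Live check: EHLO the server, classify the reply, and if STARTTLS is
    advertised attempt the upgrade. Network access required; not run offline."""
    result = {"ehlo": None, "status": None, "tls": None}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # Unbuffered reader so no bytes are read ahead before the TLS upgrade.
        raw = sock.makefile("rb", buffering=0)

        def reply() -> str:
            lines = []
            while True:
                line = raw.readline().decode("latin-1")
                if not line:
                    raise ConnectionError("connection closed by peer")
                lines.append(line)
                if len(line) >= 4 and line[3] == " ":
                    return "".join(lines)

        reply()  # 220 banner
        sock.sendall(f"EHLO {helo}\r\n".encode())
        result["ehlo"] = reply()
        result["status"] = starttls_status(result["ehlo"])
        if result["status"] == "advertised":
            sock.sendall(b"STARTTLS\r\n")
            if reply().startswith("220"):
                try:
                    tls = ssl.create_default_context().wrap_socket(
                        sock, server_hostname=host)
                    result["tls"] = tls.version()
                    tls.sendall(b"QUIT\r\n")
                except ssl.SSLError as exc:  # handshake or certificate failure
                    result["tls"] = f"handshake failed: {exc}"
                return result
        sock.sendall(b"QUIT\r\n")
    return result
```

Run `probe_starttls("46.255.225.8")` from inside the suspect network and from a host outside it; a "stripped" result on one side and "advertised" on the other confirms that the capability is being rewritten in transit rather than withheld by the server.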