Set up Nodemailer to secure email with a STARTLS handshake?

Question

I need to send e-mail through my remote Postfix/Dovecot SASL service from Node.js on my desktop.

When I send email using Thunderbird, it works and the Postfix server logs show

Anonymous TLS connection established from unknown[dh.cp.ip.ip]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

But not through nodemailer, where the Postfix server logs:

Nov 26 22:02:31 servicelabel postfix/submission/smtpd[27019]: connect from unknown[dh.cp.ip.ip]                                                         
Nov 26 22:02:31 servicelabel postfix/submission/smtpd[27019]: lost connection after CONNECT from unknown[dh.cp.ip.ip]                                   
Nov 26 22:02:31 servicelabel postfix/submission/smtpd[27019]: disconnect from unknown[dh.cp.ip.ip] commands=0/0

These same settings are used for Nodemailer transport and Thunderbird

  let transporter = nodemailer.createTransport(
    {
        host: "mx.example.com",
        port: 587,
        secure: false, // use TLS
        // requireTLS:true,        
        auth: {
            user: "emailuser",
            pass: "password"
        },
        tls: { rejectUnauthorized: false },
        // logger: true,
         debug: true 
    },
    {      
        from: 'myuser@example.com',
    }
);

But Nodemailer won't connect to Dovecot with TLS the same way Thunderbird does ??

when I change secure to true to force TLS a SSL routines:ssl3_get_record:wrong version number error (below); it appears when verifying the transport.

transporter.verify(function(error, success) {
  if (error) {
    console.log(error);
  } else {
    console.log("Server is ready to take our messages");
    return false;
  }
});

Error: 140185182082944:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:
code:"ECONNECTION"
command:"CONN"
function:"ssl3_get_record"
library:"SSL routines"
message:"140185182082944:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n"
reason:"wrong version number"
stack:"Error: 140185182082944:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:\n"

When I test with this command:

openssl s_client -starttls smtp -connect mx.example.com:587

depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = mx.example.com
verify return:1
---
Certificate chain
 0 s:CN = mx. ...
...
...

... the SSL/STARTTLS handshake succeeds and certificates

But if I use this command:

openssl s_client -connect mx.example.com:587 -crlf -ign_eof

I get the same error as with Nodemailer

CONNECTED(00000005) 140508975112640:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:

I've tried a number of option configurations and am at a loss...

How do I send secure email through my Dovecot/Postfix server via Nodemailer? Do I need to configure some certs in Nodemailer? Should I use something different to send secure email from node.js? Any help appreciated.

score 4 · Accepted Answer · answered Nov 27 '19 at 16:30

4

My unit testing context in Mocha does not have the ciphersuites of Node.js available.

The Nodemailer has no problem initiating TLS handshake from STARTLS when running in a Node.js context.

answered Nov 27 '19 at 16:30

Kickaha

3,680
6
38
57

score 3 · Answer 2 · answered May 12 '21 at 00:30

can't add a comment to @Kickaha's response to confirm his observation.

FYI: Some of the node mailer error messages are misleading. When I fat fingered the port number, I got a wrong version error, but now it runs fine from a firebase node.js function:

try {
    const mailFrom = functions.config().mail.from;
    const mailPwd = functions.config().mail.pwd;
    const mailHost = functions.config().mail.host;
    // some code to generate the message    
    const mailOptions = {
        from: mailFrom,
        to: creatorEmail,
        subject: subject,
        html: message
    };
        
    const transporter = nodemailer.createTransport({
        host: mailHost,
        port: 465,
        secure: true, // STARTTLS
        auth: {
            type: 'LOGIN',
            user: mailFrom,
            pass: mailPwd
        }
   });
        
   await transporter.sendMail(mailOptions);
} catch (err) {
    console.error(err);
}

Set up Nodemailer to secure email with a STARTLS handshake?

2 Answers2