Forum OpenACS Q&A: Email SMTP Port 587

Posted by Tyge Cawthon on
Error Error: 430: 4.7.0 Must issue a STARTTLS command first 

Question: how/who starts STARTTLS?

Background: Using OpenACS to send emails out only. OpenACS and the real email are two physical servers. Pass email message from OpenACS to real email server to UserEmail address.

Port 587
OpenACS 5-10-1
Naviserver 4.99.31
Naviserver smtpd version 2.3
Installed nssmtpd.so using make command with path to /usr/local/ns/bin
Stopped and restarted OpenACS services with no errors.

Validated that STARTTLS does work using the command:

openssl s_client -starttls smtp -4 -connect smtp.server.no:587 -crlf -ign_eof
EHLO command worked

ACS Mail Service Config

Email
BounceDomain
BounceMailDir 
BounceScanQueue 120
EnvelopePrefix  bounce
FilesystemAttachmentsRoot
FixedFont 
FixedSenderEmai
FolderID 
MaxBounceCount  10
MaxDaysToBounce 2
MaxNotificationCount 4
MMEncodeBin          /usr/bin/mmencode
NotificationInterval 7
NotificationSender 
OriginatorEmail  bounce_address
send_immediately 0

Imap

IMAPHost 
IMAPPassword 
IMAPPort    143
IMAPTimeout 60
IMAPUser 

Inbound email

IncomingDomain 
IncomingFilterProcName 
IncomingMailDir 
IncomingMaxAge   604800
IncomingMode     maildir
IncomingScanRate 120

Rollout support

EmailAllow 
EmailDeliveryMode nssmtpd
EmailRedirectTo 

Smtp

SMTPHost     smtp.celtic-arts.org
SMTPPassword goodpassword
SMTPPort     587
SMTPTimeout  60
SMTPUser     smtpuserID@celtic-arts.org

/usr/local/ns/config-oacs-5-10-0.tcl file

smtpdport ""

ns_param port $smtpdport
ns_param address 127.0.0.1
ns_param relay localhost: 25

ns_param certificate "$serverroot/etc/certfile.pem"

add user BTyge Cawthon has been added to Celtic-Arts. Edit the message below and hit "Send Email" to notify this user. Send Email

Screen error
Error: 430: 4.7.0 Must issue a STARTTLS command first 

Basically, trying to setup OpenACS email as if I was using Thunderbird or some other email application.

/var/ww/ocas-5-10-0/log/error.org
Error: acs-mail-lite::smtp: error 430: 4.7.0 Must issue a STARTTLS command first while executing
smtp::sendmessage ::mime::1 -originator bounce77654.15276063100.1-675+1742004532+96D0CC35CC4A1B7A86E73A0C03F1383C94ED8311@celtic-arts.org> -header {From smtpuserID@celtic-arts.org} -header {Reply-To ismtpuserID@celtic-arts.org} -header {To xxxx@yyyyy.com} -servers smtp.celtic-arts.org -ports 587 -username smtpuserID@celtics-arts.org -password ccccccc}
[07/Mar/2025:21:08:52][77654.719a1ffff6c0][-conn:oacs-5-10-0:default:0:17-] Error: Error sending registration confirmation to xxxxx@labmaster.com: 430: 4.7.0 Must issue a STARTTLS command first 
2: Re: Email SMTP Port 587 (response to 1)
Posted by Gustaf Neumann on
> Question: how/who starts STARTTLS?

STARTTLS is a command sent during the SMTP conversation (as defined in RFC 3207 [1]) to upgrade an existing plain text connection (typically on port 25) to a TLS-encrypted connection. It is not a command you execute at the command line like “HELO” or “RCPT”, but rather a message that the mail client sends to the server during the SMTP handshake.

When I try to understand what you did, a few more things make me wonder:

> make command with path to /usr/local/ns/bin

It’s not entirely clear what you mean by this. The recommended method to install NaviServer modules is to use the “install‑ns” script and specify the desired module in the “ns_modules” list, as described in the Install OpenACS with NaviServer from Scratch instructions.

> smtpdport ""

Probably, you refer here to the standard NaviServer configuration file. If you look into this file, you will see:

ns_section ns/server/${server}/modules {
    if {$smtpdport ne ""} {ns_param nssmtpd nssmtpd}
}

This means that the nssmtpd module is loaded only if the variable “smtpdport” is not empty. A common configuration sets “smtpdport” to “2525”, either via command line when starting the server, or by altering the default value in the file.

Without specifying smtpdport in this setup, you are not using the nssmtpd module at all.

If it is really necessary to debug the setup, activate the log severity "Debug(smtpd)" [2]. You can do this via GUI from nsstats via "Logging->Log Levels".

Hope, this helps.
-g

[1] https://datatracker.ietf.org/doc/html/rfc3207
[2] https://openacs.org/forums/message-view?message_id=5704005
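
The exchange described above, as an added example that is not part of the original post and is not NaviServer or tcllib code: a toy in-memory server and client showing that the client sends STARTTLS, repeats EHLO after the upgrade, and only then authenticates. Class and function names, host names and all replies except the refusal text from the thread are constructed.

```python
class ToySubmissionServer:
    """Port-587 style policy: no AUTH or MAIL before the TLS upgrade."""

    def __init__(self):
        self.tls = False      # connection upgraded via STARTTLS?
        self.greeted = False  # EHLO seen since connect or since the upgrade?
        self.authed = False

    def handle(self, line):
        verb = line.split()[0].upper()
        if verb == "EHLO":
            self.greeted = True
            # STARTTLS is offered in clear; AUTH is offered only once TLS is up.
            return "250 " + ("AUTH PLAIN" if self.tls else "STARTTLS")
        if verb == "STARTTLS":
            if self.tls:
                return "503 TLS already active"
            # RFC 3207: earlier state is discarded, the client must EHLO again.
            self.tls, self.greeted, self.authed = True, False, False
            return "220 Ready to start TLS"
        if verb in ("AUTH", "MAIL"):
            if not self.tls:
                # Refusal wording as reported in the thread.
                return "430 4.7.0 Must issue a STARTTLS command first"
            if not self.greeted:
                return "503 Send EHLO first"
            if verb == "AUTH":
                self.authed = True
                return "235 Authentication successful"
            return "250 Ok" if self.authed else "530 Authentication required"
        return "502 Command not implemented"


def converse(use_starttls):
    """Client side. Returns the transcript as (direction, text) tuples."""
    server, log = ToySubmissionServer(), []

    def send(cmd):
        reply = server.handle(cmd)
        log.extend([("C", cmd), ("S", reply)])
        return reply

    offered = send("EHLO openacs.example")
    if use_starttls and "STARTTLS" in offered:
        if not send("STARTTLS").startswith("220"):
            return log
        # A real client runs the TLS handshake and certificate check here.
        send("EHLO openacs.example")
    if send("AUTH PLAIN <credentials>").startswith("235"):
        send("MAIL FROM:<sender@example.org>")
    return log


if __name__ == "__main__":
    for flag in (False, True):
        print(f"--- client with use_starttls={flag}")
        for who, text in converse(flag):
            print(f"{who}: {text}")
```

The first transcript ends with the refusal seen in the thread; the second shows AUTH being advertised only in the EHLO reply that follows the upgrade, which is why credentials should never be sent before it.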

3: Re: Email SMTP Port 587 (response to 1)
Posted by Tyge Cawthon on
Gustaf,
Thank you for suggesting using install-ns.sh when creating the nssmtpd.so file.

We initially created the nssmtpd.so via naviserver process because the install-ns.sh did not create the nssmtpd.so file.

We investigated why the install-ns.sh did not create the nssmtpd.so file.
Here is what we found.
line 48
ns_modules=${ns_modules:-}
The variable ${ns_modules:-} at this location in the code is blank.

What is the proper method to create a module using install-ns.sh?

4: Re: Email SMTP Port 587 (response to 1)
Posted by Gustaf Neumann on
> What is the proper method to create a module using install-ns.sh?

See the instructions on the wiki page or in the README file on GitHub. When calling "bash install-ns.sh" without further arguments, you get the listing of configuration variables in the first column of the SETTINGS section. E.g.

$ bash install-ns.sh
...
SETTINGS   build_dir              (Build directory)                 /usr/local/src
           ns_install_dir         (Installation directory)          /usr/local/ns
           version_ns             (Version of NaviServer)           4.99.31
           git_branch_ns          (Branch for git checkout of ns)   main
           version_modules        (Version of NaviServer Modules)   4.99.31
           version_tcllib         (Version of Tcllib)               1.20
           version_thread         (Version Tcl thread library)      
           version_xotcl          (Version of NSF/NX/XOTcl)         2.4.0
           version_tcl            (Version of Tcl)                  8.6.16
           version_tdom           (Version of tDOM)                 0.9.5
           ns_user                (NaviServer user)                 nsadmin
           ns_group               (NaviServer group)                nsadmin
                                  (Make command)                    make
                                  (Type command)                    type -p
           ns_modules             (NaviServer Modules)              nsdbpg
           with_mongo             (Add MongoDB client and server)   0
           with_postgres          (Install PostgreSQL DB server)    1
           with_postgres_driver   (Add PostgreSQL driver support)   1
           with_ns_deprecated     (NaviServer with deprecated cmds) 1
           with_system_malloc     (Tcl compiled with system malloc) 0
           with_debug_flags       (Tcl and nsd compiled with debug) 0
           with_ns_doc            (NaviServer documentation)        1

           pg_user                (PostgreSQL user)                 postgres
                                  (PostgreSQL include)              /opt/local/include/postgresql16/
                                  (PostgreSQL lib)                  /opt/local/lib/postgresql16/
                                  (PostgreSQL Packages)             postgresql16 postgresql16-server

The value of these configuration variables can be changed from the command line. In order to add the module "nssmtpd", we can call the script like in the following example:

$ ns_modules="nsdbpg nssmtpd" bash install-ns.sh
...
SETTINGS   build_dir              (Build directory)                 /usr/local/src
...
           ns_modules             (NaviServer Modules)              nsdbpg nssmtpd
...

But note, as it looks to me, the problem that you reported was not due to an incorrect installation of the nssmtpd module, but due to the fact, that you did not specify the "smtpdport" in the NaviServer configuration file.

You can set the "smtpdport" similarly as above from the command line, prefixed with "oacs_" as the following example, based on the configuration file that is provided via install-oacs.sh:

$ sudo oacs_smtpdport=2525 /usr/local/ns/bin/nsd -i -t /usr/local/ns/config-oacs-5-10-0.tcl -u nsadmin -g nsadmin
...
[-main:conf-] Notice: setting hostname to 'localhost' from default configuration
[-main:conf-] Notice: setting ipaddress to '127.0.0.1' from default configuration
[-main:conf-] Notice: setting httpport to '8000' from default configuration
[-main:conf-] Notice: setting httpsport to '' from default configuration
[-main:conf-] Notice: setting nscpport to '' from default configuration
[-main:conf-] Notice: setting smtpdport to '2525' from environment variable
[-main:conf-] Notice: setting server to 'oacs-5-10-0' from default configuration
[-main:conf-] Notice: setting serverroot to '/var/www/oacs-5-10-0' from default configuration
....
[-main:conf-] Notice: Use Tcl thread library /usr/local/ns/lib/thread2.8.11/libthread2.8.11.so
...
[-main:conf-] Notice: nsd.tcl: finished reading configuration file.
[-main:conf-] Notice: initialized locale en_US.UTF-8 from environment variable LANG
^C

But of course, you can also update the provided configuration file to alter the default from empty to 2525, or to set the port in the "ns/server/${server}/module/nssmtpd" section.

Hope this helps
-g

5: Re: Email SMTP Port 587 (response to 1)
Posted by Tyge Cawthon on

Thank you for your feedback.

I misunderstood how to use the command line version_ns=GIT

Using the example provided on the OpenACS website, and from a fresh install, I executed the following command.

[root@install-ns]# version_ns=GIT  \
build_dir=/usr/local/src/modules/nssmtpd \
ns_modules=”nssmtpd” \
bash install-ns.sh build

This is the message from that execution:

Already on 'main'
Your branch is up to date with 'origin/main'.
Cloning into '”nssmtpd”'...
remote: Repository not found.
fatal: repository 'https://github.com/naviserver-project/”nssmtpd”/' not found

Hence, the question "how to properly create the nssmtpd.so file"

I did test your command from a fresh install. The results worked perfectly.

[root]# ns_modules="nsdbpg nssmtpd" bash install-ns.sh build

nssmtpd.so fixed. Thank you.

We are still having configuration issues. We have tried a number of things with no success.

Our setup is.
Two physical servers, about 300 miles apart from each other.

  1. OpenACS server
  2. actual Email server

OpenACS is configured as follows:

ACS Mail Services Lite  Parameter
Rollout support - 
EmailDeliveryMode - changed from default to nssmtpd

This is the only change done in ACS Mail Services Lite GUI

/usr/local/ns/config.tcl
lines we changed
    smtpdport   587
#
# Sample configuration for the nssmtpd module.
#
# To use this, it is necessary to install the NaviServer nssmtpd
# module first, and to provide a nonempty "smtpdport" below, and set
# the package parameter "EmailDeliveryMode" in the acs-mail-lite
# package to "nssmtpd". See: https://openacs.org/xowiki/outgoing_email
#
# 
ns_section "ns/server/${server}/module/nssmtpd" {
    ns_param port $smtpdport
    ns_param address 127.0.0.1
    ns_param relay localhost:25
    ns_param spamd localhost
    ns_param initproc smtpd::init
    ns_param rcptproc smtpd::rcpt
    ns_param dataproc smtpd::data
    ns_param errorproc smtpd::error
    ns_param relaydomains "localhost"
    ns_param localdomains "localhost"
    
    #
    # Next section is for STARTTLS functionality:
    #
    #ns_param certificate "pathToYourCertificateChainFile.pem"
    #added by Tyge
    #ns_param certificate "${serverroot}/etc/certfile.pem" 
    ns_param certificate "/var/www/oacs-5-10-0/etc/certfile.pem"    
    #ns_param cafile ""
    #ns_param capath ""
    #ns_param ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305"

    ns_param logging on ;# default: off
    ns_param logfile ${logdir}/smtpsend.log
    ns_param logrollfmt %Y-%m-%d ;# format appended to log filename
    #ns_param logmaxbackup 100 ;# 10, max number of backup log files
    #ns_param logroll true ;# true, should server log files automatically
    #ns_param logrollonsignal true ;# false, perform roll on a sighup
    #ns_param logrollhour 0 ;# 0, specify at which hour to roll
}

ns_section ns/server/${server}/modules {
    if {$smtpdport ne ""} {ns_param nssmtpd nssmtpd}
}

We changed ns_param address and ns_param port to the public ip and port of the mail server and tried various combinations of the mail servers domain in relaydomains, localdomains, and relay but always get an error.

/var/www/oacs-5-10-0/log/error.log

Error: Ns_SockBinderListen: sendmsg() failed: sent 53 bytes, 'Cannot assign requested address'
Error: nssmtpd:0: failed to listen on ip-address:port: Cannot assign requested address

where ip-address and port are from ns_param address and ns_param port

smtpsend.log

-conn:oacs-5-10-0:default:0:3- 000 CONNECT_FAILURE [localhost]:25 1.405307 0 bounce340288.40686728395.1-892+1742590661+17483600470EE754FB7CC497100117047873E3C9@celtic-arts.org> RCPT: xxxx@labmaster.com

We do not know where "[localhost]:25" is coming from. We ended up modifying each of the ns_params (relay, spamd, relaydomains, etc) to see what would make a difference, but it did not change the error message

6: Re: Email SMTP Port 587 (response to 1)
Posted by Gustaf Neumann on

Let me explain, what the following command does:

# version_ns=GIT  build_dir=/usr/local/src/modules/nssmtpd ns_modules=”nssmtpd” bash install-ns.sh build

The command builds and installs NaviServer with its necessary environment (Tcl, etc.) with only the nssmtpd module.

In detail, the parameters mean:

  • version_ns=GIT tells the script to use the very latest NaviServer version from the Git repository – essentially the “catch of the day”. The advice for beginners is to use the released versions (by omitting version_ns or by specifying a released version) unless you have a specific reason to use the latest unreleased version.

  • build_dir=/usr/local/src/modules/nssmtpd tells the script to use the specified directory as a place for all source files (such as TCL, NaviServer, TDOM, XOTcl, Tcllib, and other modules), where they are downloaded, extracted, compiled, etc. Only modify this if you need separate build trees (for instance, when working with different versions of Tcl like 8.5, 8.6, and 9).

  • ns_modules="nssmtpd" this restricts the build to include only the specified module - in this case, nssmtpd. By excluding the PostgreSQL module (which is normally included when PostgreSQL support is enabled), you risk breaking OpenACS unless you have previously built an installation with the same configuration/build tree.

> We do not know where "[localhost]:25" is coming from.

This address is derived from your configuration file, specifically from the value of the relay parameter. Here’s a breakdown of how the nssmtpd module integrates with OpenACS:

Basic Architecture

The nssmtpd module acts as an SMTP server that forwards all incoming mail to a “real” SMTP server defined by the relay parameter in the module/nssmtpd section of the configuration file.

    A OpenACS (Sender) → B (nssmtpd, 127.0.0.1:smtpdport) → C (relay, localhost:25)

Workflow in an OpenACS Environment:

  • A (OpenACS, the sender): Generates and sends the email.
  • B (nssmtpd): Listens on the loopback address 127.0.0.1 and the specified smtpdport, provides an API, and acts as an intermediary.
  • C (Relay SMTP Server): The actual SMTP server (commonly Postfix) that handles the final email delivery.

Default Configuration Assumptions:

  • Specifying smtpdport in the NaviServer configuration file loads the nssmtpd module, which then listens on the loopback interface at that port (B).
  • The actual SMTP server (C, typically Postfix) is expected to be running on localhost port 25.
  • OpenACS passes emails to nssmtpd using the API (actually ns_smtpd send ...), which then forwards the message to the real SMTP server for delivery.

Make sure you have a properly configured and working SMTP server on your system (like Postfix) that is set up to forward mail to your provider, or to send mail directly from your host. Since mail configurations can vary widely, using a well-supported mail server is generally the simplest approach. Providers usually offer configuration guidelines for this.

Bypassing the local mail server and using a different relay in the nssmtpd configuration instead of localhost:25 is possible when the target mail server allows this.

Hope, this helps,
-g
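
The two log errors in this thread map onto two different socket operations, shown here as an added example that is not part of the original post and is not NaviServer code: `address`/`port` is bound locally (B), while `relay` is connected to (C). Function names are hypothetical, and 192.0.2.10 is a documentation address standing in for a remote mail server's public IP.

```python
import errno
import socket


def try_listen(address, port=0):
    """What a listener does with `address`/`port`: bind a local socket.

    Returns "ok", or the errno name when the bind is refused.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((address, port))  # port 0 = any free port, keeps the demo unprivileged
            s.listen(1)
            return "ok"
        except OSError as e:
            return errno.errorcode.get(e.errno, str(e.errno))


def try_relay(host, port, timeout=2.0):
    """What a forwarder does with `relay`: open an outgoing connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "ok"
    except OSError:
        return "CONNECT_FAILURE"


def closed_local_port():
    """Constructed stand-in for 'localhost:25 with no mail server running'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]  # socket closes on exit, nothing listens there


if __name__ == "__main__":
    # Binding works only for addresses configured on this host.
    print("listen 127.0.0.1    ->", try_listen("127.0.0.1"))
    print("listen 192.0.2.10   ->", try_listen("192.0.2.10"))
    # Forwarding fails when nothing accepts connections at the relay.
    print("relay, no listener  ->", try_relay("127.0.0.1", closed_local_port()))
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as mta:
        mta.bind(("127.0.0.1", 0))  # stand-in for a local mail server
        mta.listen(1)
        print("relay, listener up  ->", try_relay(*mta.getsockname()))
```

EADDRNOTAVAIL is the errno behind "Cannot assign requested address" in error.log, and the refused outgoing connection corresponds to the CONNECT_FAILURE line in smtpsend.log.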

7: Re: Email SMTP Port 587 (response to 1)
Posted by Tyge Cawthon on
Excellent explanation. Thank you very much.

Our main Postfix Email server is external and is a different server than our OpenACS server.
As you know, to connect to a Postfix email server requires
Hostname
User name
password
Port 587

We know our Postfix email server works properly in that this is how devices sending and receiving emails from our Postfix servers work today.

It appears from reading your comments that an email server must be running on the same local server as OpenACS.
Just to verify my understanding.
Is it possible to connect OpenACS/NaviServer to an external Postfix email server without running Postfix (or some other email server) on the local OpenACS server?

Basically can we setup OpenACS similar as setting up the Thunderbird application; No localhost port 25 however,
relay to smtp.celtic-arts.org port 587 with user name and password for Authentication.
Or does nssmtpd require an email server to be running on the local server as OpenACS using port 25 to relay to another external email server (Postfix)?

Trying to avoid having to support two Postfix email servers.

my reference:
https://bitbucket.org/naviserver/nssmtpd/src/main/

Our config.tcl file

smtpdport 587
#
ns_section "ns/server/${server}/module/nssmtpd" {
ns_param port $smtpdport
ns_param address smtp.labmaster.com
ns_param relay smtp.labmaster.com:587
ns_param spamd localhost
ns_param initproc smtpd::init
ns_param rcptproc smtpd::rcpt
ns_param dataproc smtpd::data
ns_param errorproc smtpd::error
ns_param relaydomains "smtp.labmaster.com"
ns_param localdomains "smtp.labmaster.com"

#
# Next section is for STARTTLS functionality:
#
ns_param certificate "pathToYourCertificateChainFile.pem"
#added by Tyge
#ns_param certificate "${serverroot}/etc/certfile.pem"
#ns_param certificate "/etc/letsencrypt/live/celtic-arts.org/fullchain.pem"
#"/var/www/oacs-5-10-0/etc/certfile.pem"
ns_param cafile ""
ns_param capath ""
ns_param ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE

Error:
"Must issue a STARTTLS command first"

We receive this error message with and without the ns_param certificate in use.
When using the pem file, we use the full pem file used for HTTPS.

Questions:
what pem file should we be using in the ns_param certificate?

Are these values correct? We are not sure what these are used for.
ns_param cafile ""
ns_param capath ""