Debugging STARTTLS UnexpectedMessage

I’m running into an issue where I am getting an UnexpectedMessage (or alert unexpected message using openssl) when trying to use STARTTLS in KumoMTA relaying email to smtp-relay.brevo.com.

Running openssl s_client -connect smtp-relay.brevo.com:587 -starttls smtp in the KumoMTA container works just fine (OpenSSL 3.0.2 15 Mar 2022).

I was wondering what some recommended troubleshooting steps would be for diagnosing the issue.

Configuration is available at https://github.com/IEEE-TAMU/cluster-infra/blob/main/infra/email/email-configmap.yaml

Not sure I see any problem with your code specifically.
KCLI is your friend when it comes to debugging tools.

You can trace a message in with

and you can trace the message out with

You can set the log filter to ‘debug’ to get a massive amount of logging in the journal.

Trace it with journalctl -f -u kumomta

Full error message will also be helpful.

Here’s the error:

"content":"KumoMTA internal: failed to connect to any candidate hosts: TLS handshake with ResolvedAddress { name: \"smtp-relay.brevo.com.\", addr: 1.179.119.1 }:587 failed: received fatal alert: UnexpectedMessage",

It ended up being fixed by setting enable_tls to OpportunisticInsecure. The server’s TLS cert has a CN of “smtp-relay-offshore-us-west1-v2.brevo.com” with SANs of “DNS:smtp-relay-offshore-us-west1-v2.brevo.com, DNS:smtp-relay.brevo.com”.

Good to hear.
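
The certificate names quoted in the thread can be checked offline against the relay hostname. The following is an added example, not part of the original posts and not KumoMTA's verifier: a simplified DNS-ID match in the style of RFC 6125, using the CN and SAN strings from the thread as input. Function names are hypothetical. It shows what SAN-based matching returns for those names and how that differs from comparing the CN alone; it does not diagnose the UnexpectedMessage alert.

```python
# Added example: simplified RFC 6125-style DNS-ID matching (assumption:
# only DNS SAN entries, wildcard only as the whole left-most label).

# Values quoted in the thread.
CN = "smtp-relay-offshore-us-west1-v2.brevo.com"
SAN_TEXT = "DNS:smtp-relay-offshore-us-west1-v2.brevo.com, DNS:smtp-relay.brevo.com"


def _norm(name: str) -> str:
    """Lower-case and drop one trailing root dot ("host." -> "host")."""
    name = name.strip().lower()
    return name[:-1] if name.endswith(".") else name


def parse_sans(text: str) -> list[str]:
    """Extract DNS names from an openssl-style SAN line."""
    parts = (p.strip() for p in text.split(","))
    return [p[4:] for p in parts if p.startswith("DNS:")]


def dns_id_matches(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against the reference hostname."""
    p, h = _norm(pattern).split("."), _norm(host).split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # A wildcard covers exactly one label and never a bare TLD.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def match_sans(host: str, san_text: str):
    """Return the first SAN that matches host, or None."""
    for san in parse_sans(san_text):
        if dns_id_matches(san, host):
            return san
    return None


def cn_only_match(host: str, cn: str) -> bool:
    """Legacy CN-only comparison, kept here for contrast."""
    return _norm(cn) == _norm(host)


if __name__ == "__main__":
    # The error line in the thread shows the name with a trailing dot.
    for host in ("smtp-relay.brevo.com", "smtp-relay.brevo.com."):
        print(host, "SAN:", match_sans(host, SAN_TEXT),
              "CN-only:", cn_only_match(host, CN))
```

With verification disabled by an insecure TLS mode, no check of this kind is applied to the peer certificate, so the session is encrypted but the relay's identity is not authenticated.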