SMTP STARTTLS not working

I use the virtual appliance from checkmk v2 (2.0.0p15 (CME)) and I am trying to configure an active SMTP check with STARTTLS on port 25.
When I do so, I get a warning: TLS not supported by server

But I know that it works because: openssl s_client -starttls smtp -connect $my.fqdn.com:25
works just fine.

Any ideas?

You need to set this checkbox:
image

I checked that box - otherwise TLS wouldn’t work on port 25 (transport encryption)

I can’t reproduce this.
I have two active checks configured, both with STARTTLS, both working. :woman_shrugging:

Your error says something else, but let me ask you anyways: Are your certificates presented global-signed or self-signed? Is the certificate chain complete?

Global signed with a wildcard, cert chain is complete

And when I test with openssl everything works fine - that wouldn’t be the case if there were problems with the cert

Just to be clear here: the openssl s_client ... was called from the same monitoring host that executes the check?

yes - exactly. And now I write something to get 20 characters full :wink:

I probably found the problem - openssl is too old on the appliance since the appliance is based on Debian 9.

Ok, now I am on 2.1.0p10 and when I check “STARTTLS” I get “TLS not supported by this server”.

openssl s_client works fine.

I found the solution. I had to set the FQDN. Our mail server forbids a HELO like “HELO cm”, thus it failed. With the normal check there is just a 550 and it works. But with STARTTLS it kind of fails silently.
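
The failure mode from the last post, as an added example that is not part of the original thread or Checkmk's own code: a small Python probe that separates "EHLO name rejected" from "STARTTLS not advertised", so a refused HELO name is not misread as missing TLS support. The function names, verdict strings and sample replies are constructed for illustration.

```python
import smtplib
import socket
import ssl
import sys


def classify_ehlo(code, reply):
    """Classify an EHLO reply as returned by smtplib.SMTP.ehlo(): (int, bytes)."""
    if not 200 <= code < 300:
        # The server refused our HELO/EHLO name; no extension list was sent.
        return "ehlo-rejected"
    # Line 1 is the server greeting; every following line is one extension.
    lines = reply.decode("ascii", "replace").splitlines()[1:]
    keywords = {ln.split()[0].upper() for ln in lines if ln.strip()}
    return "starttls-offered" if "STARTTLS" in keywords else "starttls-not-offered"


def probe(host, port=25, helo_name=None, timeout=10):
    """Send EHLO with an explicit name, then try STARTTLS only if it is offered."""
    helo_name = helo_name or socket.getfqdn()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, reply = smtp.ehlo(helo_name)
        verdict = classify_ehlo(code, reply)
        if verdict == "starttls-offered":
            # Verifies the certificate chain and hostname; raises on failure.
            smtp.starttls(context=ssl.create_default_context())
            verdict = "starttls-ok"
        return verdict, code, reply.decode("ascii", "replace")


# Constructed sample replies (not captured from the server in the thread).
SAMPLE_REJECTED = (550, b"5.7.1 HELO name rejected")
SAMPLE_OFFERED = (250, b"mail.example.test\nPIPELINING\nSIZE 10240000\nSTARTTLS")
SAMPLE_PLAIN = (250, b"mail.example.test\nPIPELINING\nSIZE 10240000")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # usage: script.py HOST [HELO_NAME]
        print(probe(sys.argv[1], helo_name=(sys.argv[2:] or [None])[0]))
    else:
        for code, reply in (SAMPLE_REJECTED, SAMPLE_OFFERED, SAMPLE_PLAIN):
            print(code, classify_ehlo(code, reply))
```

Running it from the monitoring host once with the short host name and once with the FQDN as HELO name shows whether the server's HELO policy, rather than TLS itself, is what the check trips over.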