CA certificates are missing

I use letsencrypt for my Postfix server, but when I try to configure SMTP I have a missing message.
In main.cf I have:

```
smtp_tls_CAfile = 
smtp_tls_CApath= /etc/ssl/certs/
```

And when I try to connect I get this:

```
openssl s_client  -connect mail.example.fr:465
CONNECTED(00000003)
406766E2C4700000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 316 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
```

I don't understand anything at this point; maybe you can help me?

Hi @nigihayami,

Port 465 is closed.

Maybe example isn’t your actual domain name?
If not please provide your actual domain name.

4 Likes

No, it's a fake domain name :slight_smile:

What is the real domain name so we can test?

3 Likes

All right, it's mail.kohaku.fr :slight_smile:

2 Likes

Also, here is an online tool to help: SSL Checker

3 Likes

```
gilles@kohaku:~$ nmap -Pn -p25,80,143,443,465,587,993 mail.kohaku.fr
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-08 03:24 CEST
Nmap scan report for mail.kohaku.fr (194.248.167.97)
Host is up.
Other addresses for mail.kohaku.fr (not scanned): 2a01:cb00:17d1:9f00:9f7b:e5f4:c984:28bc
rDNS record for 194.248.167.97: 97.167.248.194.static.cust.telenor.net

PORT    STATE    SERVICE
25/tcp  filtered smtp
80/tcp  filtered http
143/tcp filtered imap
443/tcp filtered https
465/tcp filtered smtps
587/tcp filtered submission
993/tcp filtered imaps

Nmap done: 1 IP address (1 host up) scanned in 3.13 seconds
gilles@kohaku:~$ 
```

I do not see any open ports using Open Port Check Tool - Test Port Forwarding on Your Router

@nigihayami I assume you know that with the ports being filtered or closed you will not have access to the service on the port. Thus checking the certificate remotely is difficult at best and likely impossible.

2 Likes

I was on a sandbank, it seems. :confused:

That happens, sounds like you’ve found your way out.

2 Likes

Your IPv4 address looks like it is from Telenor (Nordic countries and Asia).

Yet your IPv6 address looks like it is from Orange (France).

Does that seem right to you? My tool might be wrong but usually is right.

Some of the tests above only check the IPv4 address. I can't reach your domain on port 443 or port 465 on IPv4 or IPv6 right now, but you should check both once you have the right IP and the ports open.

3 Likes

Yes, that's right, but my mistakes with cryptofiles have led me to format and reinstall my OS, so I have the time now.

I'm not sure what you're trying to achieve. These are some TLS directives for the OUTGOING SMTP CLIENT of Postfix. It does NOT enable TLS for INCOMING connections to your SMTP daemon.

The openssl s_client command you're running suggests you're testing the incoming SMTP daemon TLS setting, which is not congruent with your configuration in Postfix. At least, not what you've shown.

I do see you've gotten a certificate for your hostname: crt.sh | 13992600793. But did you also configure it in Postfix?

3 Likes
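The distinction drawn in the reply above (`smtp_tls_*` configures Postfix's outgoing client, `smtpd_tls_*` the incoming daemon), as an added example that is not part of the original thread: a small Python check over main.cf text. The sample configuration and the `/path/to/` placeholders are constructed, and per-service overrides in master.cf are not examined.

```python
# Added example. Parameter names are real Postfix main.cf parameters;
# the sample text and the /path/to/ placeholders are constructed.
SAMPLE_MAIN_CF = """\
# constructed excerpt modelled on the question: client-side settings only
smtp_tls_CAfile =
smtp_tls_CApath= /etc/ssl/certs/
"""
SAMPLE_WITH_SERVER = SAMPLE_MAIN_CF + """\
smtpd_tls_cert_file = /path/to/fullchain.pem
smtpd_tls_key_file =
    /path/to/privkey.pem
smtpd_tls_security_level = may
"""

def parse_main_cf(text):
    """Return {name: value}; skips comments, joins continuation lines, last value wins."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:      # leading whitespace continues the previous line
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    params = {}
    for line in logical:
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def audit_tls(params):
    """Split TLS settings into outgoing-client and incoming-server sets and flag gaps."""
    client = sorted(k for k in params if k.startswith("smtp_tls_"))
    server = sorted(k for k in params if k.startswith("smtpd_tls_"))
    findings = []
    cert_keys = ("smtpd_tls_chain_files", "smtpd_tls_cert_file", "smtpd_tls_eccert_file")
    if not any(params.get(k, "") not in ("", "none") for k in cert_keys):
        findings.append("no smtpd_tls certificate set: the incoming daemon has no certificate")
    level = params.get("smtpd_tls_security_level", "")
    legacy = "yes" in (params.get("smtpd_use_tls"), params.get("smtpd_enforce_tls"))
    if level == "none" or (level == "" and not legacy):
        findings.append("smtpd_tls_security_level unset or none: incoming TLS is off")
    return {"client": client, "server": server, "findings": findings}

if __name__ == "__main__":
    for label, text in (("question", SAMPLE_MAIN_CF), ("with server", SAMPLE_WITH_SERVER)):
        print(label, audit_tls(parse_main_cf(text)))
```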

Yes, I did it, but now I have to recover my system, one backup of 50GB to be deployed. I must not edit any cert whereas it's a big mistake, 2 days lost.

Well, many things have happened to me since the last visit.

1. First I reinstalled my Ubuntu 22.04 LTS and recovered the backup.
2. My computer was in a jail so nobody could connect to it; I reinitiated my box and connection.
3. Due to the perpetual movement of IPv6 I use a technique like this:

   ```
   sysctl -w net.ipv6.conf.enp42s0.accept_ra=1 ; ip token set 2a01:cb00:51c:2b00:51c3:d993:7e76:43bb dev enp42s0 ;
   ```

   Now I have a strange but stable connection.
4. I cannot connect to the SMTPS server on port 465; I get an error like:

   ```
   220 kohaku.fr ESMTP Postfix (Ubuntu)
   auth login
   334 VXNlcm5hbWU6
   gilles
   535 5.7.8 Error: authentication failed: another step is needed in authentication
   ```

I use letsencrypt for my Postfix and Dovecot daemons.
Now I know I must not upgrade my OS to Ubuntu 24.04 LTS, it's bullshited.
Best regards.

I have finished configuring my server and everything is all right:
Linux, Apache, MySQL, PHP, Postfix, Dovecot, OpenDKIM through this link:
https://www.kohaku.fr
Now I am less stupid, I have learned a lot; thanks to letsencrypt I'm secured.

2 Likes
