Debugging postfix ssl

Hi friends,
I’m setting up Postfix + Dovecot with letsencrypt certificates.
I’ve set for /etc/postfix/main.cf:

smtpd_tls_cert_file = /etc/letsencrypt/live/server.sio4.org/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/server.sio4.org/privkey.pem
smtpd_use_tls=yes

and for /etc/dovecot/conf.d/10-ssl.conf:

ssl_cert = </etc/letsencrypt/live/server.sio4.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/server.sio4.org/privkey.pem

Now, if I try to debug Postfix behavior with swaks, I obtain a wrong STARTTLS output:

swaks --to john@example.org --server 91.205.175.213 --data /usr/share/doc/spamassassin/examples/sample-spam.txt

=== Trying 91.205.175.213:25...
=== Connected to 91.205.175.213.
<-  220 server.sio4.org ESMTP Postfix (Debian/GNU)
 -> EHLO server.sio4.org
<-  250-server.sio4.org
<-  250-PIPELINING
<-  250-SIZE 10240000
<-  250-VRFY
<-  250-ETRN
<-  250-STARTTLS
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250 DSN
 -> MAIL FROM:<vage@server.sio4.org>
<** 530 5.7.0 Must issue a STARTTLS command first
 -> QUIT
<-  221 2.0.0 Bye
=== Connection closed with remote host.

with no email sent as a result.

So, if I try to debug using openssl, I obtain:

openssl s_client -connect 127.0.0.1:25 -no_ssl2 -bugs

CONNECTED(00000003)
140607460427408:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:782:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 7 bytes and written 517 bytes

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1476801150
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

Could it be a certificate problem?

Many many thanks!

Hi @danjde

First up, some caveats :slight_smile: My local testing with openssl s_client times out to both server.sio4.org and 91.205.175.213 so I wasn’t able to reproduce anything. Similarly I’m not familiar with swaks.

Postfix TLS is a real pain in the butt. I have a couple thoughts on potential fixes:

  1. You might need to set smtpd_tls_security_level = may in order to advertise STARTTLS to clients. The docs mention that it replaces the obsolete smtpd_use_tls option.

  2. You could try setting smtpd_tls_loglevel = 3. The different levels are explained in the docs. This should give you a lot more information to go on. I’ve also used tshark on the server in the past to help troubleshoot this sort of thing.

Good luck!

You’re actually not testing TLS. Swaks can test TLS with the -tls switch. For some reason Postfix demands TLS. You can check your settings with: postconf smtpd_tls_security_level. It should say none or may, but it probably outputs encrypt because your Postfix demands TLS.

Also, trying to connect to port 25 with openssl s_client without specifying -starttls smtp will obviously give you an error: port 25 is plain text, unless your connection gets an upgrade to TLS with STARTTLS… But s_client won’t do this automatically, you’ll have to tell it to.

Oh and the chance this is a certificate error is like, 0.000000001 %…

edit
Your Postfix is, although requiring TLS (which is not a very good configuration, as many mail servers won’t do TLS…), properly working TLS-wise:

osiris@desktop ~ $ openssl s_client -connect server.sio4.org:25 -starttls smtp
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = server.sio4.org
verify return:1
---
Certificate chain
 0 s:/CN=server.sio4.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=server.sio4.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3874 bytes and written 481 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: ...
    Session-ID-ctx: 
    Master-Key: ...
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
...
    Start Time: 1476822463
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 DSN
^C
osiris@desktop ~ $
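The two replies above make the same point from different angles: a client must upgrade a port-25 session with STARTTLS before TLS can be tested, and a 530 "Must issue a STARTTLS command first" in reply to a plaintext MAIL FROM means the server enforces TLS (smtpd_tls_security_level = encrypt) rather than merely offering it. The script below is an added example, not code from the thread or from Postfix/swaks; it parses a swaks transcript (the one from the question, embedded here as a constructed sample) to report whether STARTTLS was advertised and whether plaintext was refused, and, given a hostname on the command line, performs the live EHLO → STARTTLS upgrade with Python's smtplib, which is what openssl s_client -starttls smtp and swaks --tls do, and prints the certificate the server actually served. The hostname argument and the field names in the returned dictionaries are this example's own choices.

```python
"""Check a Postfix SMTP endpoint the way the thread's replies describe:
what EHLO advertises, whether plaintext MAIL FROM is refused (530),
and, live, what certificate is served after a STARTTLS upgrade.
"""
import re
import smtplib
import ssl
import sys
from typing import Dict, List

# Constructed sample: the server side of the swaks session from the question.
# "<-" / "<**" are swaks' own markers for lines received from the server.
SAMPLE_SWAKS_TRANSCRIPT = """\
<-  220 server.sio4.org ESMTP Postfix (Debian/GNU)
 -> EHLO server.sio4.org
<-  250-server.sio4.org
<-  250-PIPELINING
<-  250-SIZE 10240000
<-  250-VRFY
<-  250-ETRN
<-  250-STARTTLS
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250 DSN
 -> MAIL FROM:<vage@server.sio4.org>
<** 530 5.7.0 Must issue a STARTTLS command first
 -> QUIT
<-  221 2.0.0 Bye
"""

# Matches a server reply line: marker, 3-digit code, "-" (more follows) or " " (last line), text.
SERVER_LINE = re.compile(r"^<[-*]+\s+(\d{3})([ -])(.*)$")


def parse_swaks_transcript(text: str) -> Dict[str, object]:
    """Extract the EHLO extensions and whether plaintext MAIL FROM was refused."""
    reply_250: List[str] = []
    tls_required = False
    for raw in text.splitlines():
        m = SERVER_LINE.match(raw)
        if not m:
            continue  # client lines (" -> ...") and swaks status lines are skipped
        code, _sep, rest = m.groups()
        if code == "250":
            reply_250.append(rest.split()[0])  # keyword only, e.g. "SIZE" from "SIZE 10240000"
        elif code == "530" and "STARTTLS" in rest.upper():
            tls_required = True  # Postfix with smtpd_tls_security_level = encrypt
    # The first 250 line of an EHLO reply is the server's name, not an extension.
    extensions = reply_250[1:]
    return {
        "starttls_advertised": "STARTTLS" in extensions,
        "tls_required": tls_required,
        "extensions": extensions,
    }


def check_starttls(host: str, port: int = 25, timeout: float = 10.0) -> Dict[str, object]:
    """Live check: EHLO, then STARTTLS, like `openssl s_client -starttls smtp`.

    Uses a default context, so the chain and hostname are verified against the
    system CA bundle; a bad chain raises ssl.SSLCertVerificationError here.
    """
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"starttls_advertised": False}
        smtp.starttls(context=ctx)
        smtp.ehlo()  # capabilities must be re-read after the upgrade
        cert = smtp.sock.getpeercert()
        return {
            "starttls_advertised": True,
            "tls_version": smtp.sock.version(),
            "subject": dict(rdn[0] for rdn in cert["subject"]),
            "issuer": dict(rdn[0] for rdn in cert["issuer"]),
            "not_after": cert["notAfter"],
        }


if __name__ == "__main__":
    print(parse_swaks_transcript(SAMPLE_SWAKS_TRANSCRIPT))
    if len(sys.argv) > 1:  # e.g. python3 check_starttls.py mail.example.org
        print(check_starttls(sys.argv[1]))
```

Run without arguments it only analyses the embedded transcript and reports that STARTTLS was advertised and that TLS is mandatory; with a hostname it performs the real upgrade. A verify failure from the live check points at the chain (for example a missing intermediate in the file behind smtpd_tls_cert_file), whereas a 530 on a plaintext MAIL FROM says nothing about the certificate at all, which is the distinction the thread ends on.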

Well, this isn’t a certificate problem, and this is already good news :wink:
I will investigate on other fronts.

Many many thanks for your help @cpu and @Osiris !!

ciao!

