danjde
October 18, 2016, 3:06pm
1
Hi friends,
I’m setting up Postfix + Dovecot with letsencrypt certificates.
I’ve set for /etc/postfix/main.cf:
smtpd_tls_cert_file = /etc/letsencrypt/live/server.sio4.org/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/server.sio4.org/privkey.pem
smtpd_use_tls=yes
and for /etc/dovecot/conf.d/10-ssl.conf:
ssl_cert = </etc/letsencrypt/live/server.sio4.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/server.sio4.org/privkey.pem
Now, if I try to debug Postfix behaviour with swaks, I obtain a wrong STARTTLS output:
swaks --to john@example.org --server 91.205.175.213 --data /usr/share/doc/spamassassin/examples/sample-spam.txt
=== Trying 91.205.175.213:25...
=== Connected to 91.205.175.213.
<- 220 server.sio4.org ESMTP Postfix (Debian/GNU)
-> EHLO server.sio4.org
<- 250-server.sio4.org
<- 250-PIPELINING
<- 250-SIZE 10240000
<- 250-VRFY
<- 250-ETRN
<- 250-STARTTLS
<- 250-ENHANCEDSTATUSCODES
<- 250-8BITMIME
<- 250 DSN
-> MAIL FROM:<vage@server.sio4.org>
<** 530 5.7.0 Must issue a STARTTLS command first
-> QUIT
<- 221 2.0.0 Bye
=== Connection closed with remote host.
with no email sent as a result.
So, if I try to debug using openssl, I obtain:
openssl s_client -connect 127.0.0.1:25 -no_ssl2 -bugs
CONNECTED(00000003)
140607460427408:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:782:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 7 bytes and written 517 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1476801150
Timeout : 300 (sec)
Verify return code: 0 (ok)
Could it be a certificate problem?
Many many thanks!
cpu
October 18, 2016, 3:26pm
2
Hi @danjde
First up, some caveats: my local testing with openssl s_client times out to both server.sio4.org and 91.205.175.213, so I wasn’t able to reproduce anything. Similarly, I’m not familiar with swaks.
Postfix TLS is a real pain in the butt. I have a couple of thoughts on potential fixes:
You might need to set smtpd_tls_security_level = may in order to advertise STARTTLS to clients. The docs mention that it replaces the obsolete smtpd_use_tls option.
You could try setting smtpd_tls_loglevel = 3. The different levels are explained in the docs. This should give you a lot more information to go on. I’ve also used tshark on the server in the past to help troubleshoot this sort of thing.
Good luck!
Osiris
October 18, 2016, 8:26pm
3
You’re actually not testing TLS. Swaks can test TLS with the -tls switch. For some reason Postfix demands TLS. You can check your settings with: postconf smtpd_tls_security_level. It should say none or may, but it probably outputs encrypt because your Postfix demands TLS.
Also, trying to connect to port 25 with openssl s_client without specifying -starttls smtp will obviously give you an error: port 25 is plain text, unless your connection gets an upgrade to TLS with STARTTLS… But s_client won’t do this automatically, you’ll have to tell it to.
Oh and the chance this is a certificate error is like, 0.000000001 %…
edit
Your Postfix is, although requiring TLS (which is not a very good configuration, as many mail servers won’t do TLS…), properly working TLS-wise:
osiris@desktop ~ $ openssl s_client -connect server.sio4.org:25 -starttls smtp
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = server.sio4.org
verify return:1
---
Certificate chain
0 s:/CN=server.sio4.org
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=server.sio4.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3874 bytes and written 481 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: ...
Session-ID-ctx:
Master-Key: ...
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
...
Start Time: 1476822463
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
250 DSN
^C
osiris@desktop ~ $
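The checks the two replies above describe (cpu's: what smtpd_tls_security_level controls; Osiris's: read it with postconf, and only test TLS after a STARTTLS upgrade) can be scripted so they are repeatable. The following is an added example of my own, not code from either poster or from Postfix or swaks: it uses only the Python 3 standard library, the EHLO transcript and certificate sample are constructed from the values quoted in this thread, and probe_starttls() is the only part that touches the network (host name is a placeholder argument).

```python
"""Added example (not from the thread): reproduce the swaks/openssl checks in Python.

Offline helpers parse `postconf` output and a raw EHLO reply; probe_starttls()
does the live check: EHLO, detect a 530 before STARTTLS (the symptom swaks showed),
upgrade with STARTTLS, verify chain and hostname, report cipher and expiry.
"""
import smtplib
import ssl
import time

# What each value of smtpd_tls_security_level accepted by smtpd means (Postfix docs).
SMTPD_LEVELS = {
    "": "none: STARTTLS not advertised (parameter empty/unset)",
    "none": "none: STARTTLS not advertised",
    "may": "may: STARTTLS advertised, plaintext still accepted",
    "encrypt": "encrypt: STARTTLS advertised and mandatory (530 before STARTTLS)",
}

# Constructed from the transcript in the first post (server lines only).
EHLO_REPLY = """250-server.sio4.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

# Constructed sample in the dict form returned by SSLSocket.getpeercert();
# the expiry date is made up, the name is the one from the thread.
SAMPLE_CERT = {
    "subject": ((("commonName", "server.sio4.org"),),),
    "subjectAltName": (("DNS", "server.sio4.org"),),
    "notAfter": "Jan 16 00:00:00 2017 GMT",
}


def security_level_from_postconf(output):
    """Extract the value from 'smtpd_tls_security_level = X' as printed by postconf."""
    name, _, value = output.strip().partition("=")
    if name.strip() != "smtpd_tls_security_level":
        raise ValueError("unexpected postconf output: %r" % output)
    return value.strip()


def describe_security_level(level):
    return SMTPD_LEVELS.get(level, "unknown level %r" % level)


def ehlo_features(ehlo_reply):
    """Parse a raw multi-line 250 EHLO reply into a set of upper-cased keywords."""
    lines = [l.strip() for l in ehlo_reply.splitlines()]
    lines = [l[4:] for l in lines if l.startswith(("250-", "250 "))]
    # The first 250 line carries the server's greeting name, not a feature.
    return {l.split(None, 1)[0].upper() for l in lines[1:] if l.strip()}


def cert_names(cert):
    """Subject CN plus DNS SANs, i.e. the names a client may match against."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return names


def days_until_expiry(cert, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


def probe_starttls(host, port=25, timeout=15):
    """Live check against a real MTA (network access required)."""
    ctx = ssl.create_default_context()  # system CA chain verification + hostname check
    report = {}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        report["starttls_advertised"] = smtp.has_extn("starttls")
        # A 530 5.7.0 here is exactly what swaks got: the server enforces 'encrypt'.
        code, _ = smtp.docmd("MAIL FROM:<>")
        report["plaintext_mail_allowed"] = code == 250
        if code == 250:
            smtp.rset()
        if not report["starttls_advertised"]:
            return report
        smtp.starttls(context=ctx)  # raises ssl.SSLCertVerificationError on a bad chain/name
        smtp.ehlo()                 # features must be re-read after the upgrade
        cert = smtp.sock.getpeercert()
        report["cipher"] = smtp.sock.cipher()
        report["names"] = cert_names(cert)
        report["days_until_expiry"] = days_until_expiry(cert)
    return report


if __name__ == "__main__":
    import sys
    print(probe_starttls(sys.argv[1] if len(sys.argv) > 1 else "mail.example.invalid"))
```

Run it as `python3 probe.py server.example` (placeholder host): `starttls_advertised` True together with `plaintext_mail_allowed` False is the `encrypt` situation Osiris diagnosed, and a verification error from `starttls()` is what a genuine certificate or chain problem would look like, which the thread's output does not show.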
danjde
October 18, 2016, 9:01pm
4
Well, this isn’t a certificate problem, and this is already good news.
I will investigate on other fronts.
Many many thanks for your help @cpu and @Osiris !!
ciao!
system
Closed
November 17, 2016, 9:15pm
5
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.