Error after using certificate with SASL / SMTP server


#1

I used the letsencrypt.org keys with my postfix 3.1.0 so I can use SASL encryption on port 587 in lieu of the insecure plaintext password method on port 25.

I like to test my systems via the command line…

$ openssl s_client -starttls smtp -connect sellfam.com:587

CONNECTED(00000003)
depth=1 /C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0

Certificate chain
0 s:/CN=sellfam.com
i:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
1 s:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Server certificate
subject=/CN=sellfam.com
issuer=/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3

No client certificate CA names sent

SSL handshake has read 3873 bytes and written 491 bytes

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 7157A24368ECDDE735427290E479ECD18C36B3B9941D14D24BE630B0422C2FE2
Session-ID-ctx:
Master-Key: 9977D961E88ED5E32A758A96E999F96F4B8FC679E2C130538AFED31864195390867CDE33EAEB4FFBA5EEA2C43AD41807
Key-Arg : None
Start Time: 1480806867
Timeout : 300 (sec)
Verify return code: 0 (ok)

250 DSN
HELO sellfam.com
250 sellfam.com
AUTH LOGIN
334 VXNlcm5hbWU6
bGVnZ0B0aW1vdGh5bGVnZy5jb20=
334 UGFzc3dvcmQ6
WW91IHdvdWxkIGxvb2sgdGhpcyB1cA==
235 2.7.0 Authentication successful
MAIL FROM: tdlspammenot@timothylegg.com
250 2.1.0 Ok
RCPT TO: timothynospamlegg@gmail.com
RENEGOTIATING
depth=1 /C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
data
554 5.5.1 Error: no valid recipients

I am not sure why this is not operating… Any suggestions? I don’t know what any of this below (and including) the word RENEGOTIATING means. Could somebody simplify this, or even better instruct me what I need to do to fix this?

Thanks


#2

Based on the output, it seems you’re not sending the intermediate certificate. Use fullchain.pem instead of just cert.pem.

For the renegotiating message, s_client sees “R” at the start of any input line as a request to renegotiate the encryption. Use a lowercase “r” in the “rcpt to” line. Alternatively, you can test with a different tool like gnutls-cli.

Also, it looks like there’s a nice testing tool at https://ssl-tools.net/mailservers you can use to verify things as well.


#3

If you look at the “Certificate chain”, there are two certificates sent, including the intermediate.

Sometimes on some *nix versions, for the correct validation with the OpenSSL CLI commands, you’d need to add the correct -CApath to the command line. Why? Beats me. But if you do that, it validates perfectly most of the time.
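Added example, not code from the thread or from OpenSSL/Postfix: it parses the s_client output format quoted in post #1 (the older ` 0 s:/CN=...` layout), checks that each certificate the server sent is issued by the next one, and tells a missing intermediate (fix on the server: serve fullchain.pem) apart from a root missing from the local trust store (fix on the client: -CAfile/-CApath, as post #3 says). It also lower-cases the lines that interactive s_client intercepts, which is what caused RENEGOTIATING in the original session.

```python
import re

# Constructed excerpt of the s_client output quoted in post #1 (apostrophes
# straightened): the verify callback lines at the top, then the chain.
S_CLIENT_OUTPUT = """\
depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=sellfam.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
"""

def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    pairs = re.findall(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", output, re.MULTILINE)
    return [(s.strip(), i.strip()) for s, i in pairs]

def verify_errors(output):
    """Return [(depth, errnum, message), ...] from the verify callback lines."""
    found = re.findall(r"^depth=(\d+) .*\nverify error:num=(\d+):(.*)$",
                       output, re.MULTILINE)
    return [(int(d), int(n), m.strip()) for d, n, m in found]

def diagnose_chain(output):
    """Tell a missing intermediate (server side) from a missing local root."""
    chain = parse_chain(output)
    # every cert's issuer should be the subject of the next cert sent
    for (_, issuer), (subject, _) in zip(chain, chain[1:]):
        if issuer != subject:
            return "chain not linked: %r is not issued by the next cert" % issuer
    for depth, num, _ in verify_errors(output):
        if num == 20 and depth == 0 and len(chain) == 1:
            return "server sent only the leaf: serve fullchain.pem"
        if num == 20 and depth == len(chain) - 1:
            return "intermediate sent; local trust store lacks the root, add -CAfile/-CApath"
    return "ok"

# Interactive s_client (no -ign_eof/-quiet) treats a line starting with 'R'
# as "renegotiate" and 'Q' as "quit". SMTP verbs are case-insensitive, so
# lower-casing RCPT/QUIT lines keeps them from being swallowed.
def safe_smtp_line(line):
    return line.lower() if line[:1] in ("R", "Q") else line
```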


#4

This is what is in the /etc/postfix/main.cf

smtpd_tls_cert_file=/etc/letsencrypt/live/sellfam.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/sellfam.com/privkey.pem

I don’t know about the openssl parameter. The way postfix interacts with openssl is a level of knowledge on par with the developers.


#5

Thanks for the cool website. I knew something like that must exist, but didn’t know where to look. Many want the password I assigned for the account, which I didn’t trust them with.

https://ssl-tools.net/mailservers/sellfam.com

It says I have a hostname mismatch. I have no idea exactly which name mismatches. I really wish this was more descriptive. Is that because the hostname command doesn’t include the TLD?

$ hostname
sellfam

when it should be sellfam.com? In postfix, $mydomain is assigned to sellfam.com, which seems like a good value.


#6

The mismatch error is because it’s connecting to “mail.sellfam.com” but the certificate does not have that name as one of the ones for which it is valid.


#7

And it’s connecting to mail.sellfam.com because that’s the MX record for sellfam.com.

But that’s another (and actually the only) problem you’re having. My OpenSSL verifies your TLS certificate, so there’s no problem with your chain.


#8

Just in case it’s not obvious from what the other posters have said, most likely the thing you need to achieve is to get a certificate (from Let’s Encrypt probably) for the name other mail servers call this machine by, which is mail.sellfam.com.

When somebody else’s mail system (say, Google Mail) wants to deliver email to you, it asks DNS for the MX, and it gets told mail.sellfam.com is the place, so then it connects to mail.sellfam.com and Google says “Oh hi there, can you speak SSL so that passive snoops can’t read all this mail I’m delivering?” and mail.sellfam.com currently says “Sure I can, here is a certificate for sellfam.com”, but the remote system really expects to see a certificate for mail.sellfam.com because that’s the exact name of the machine it thinks it is talking to. Now, it happens those are just different names for the same machine, but you can’t expect everybody’s mail service to know that.

As much as possible, the certificates you use should reflect all the names you expect to be used for the machine presenting the certificate. So e.g. if there’s also a DNS entry for imap.sellfam.com (there isn’t) you would also want to put imap.sellfam.com in the certificate. There are other ways to do it, but this is effective and the simplest to understand. I see the most recent certificates for sellfam.com list several other names already, so you hopefully already know how to add more names.
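Added example, not from the thread: the check a delivering MTA effectively performs, as posts #6 to #8 describe it. It takes the MX target from constructed `dig`-style output, compares it against the names a certificate carries using RFC 6125 rules (wildcard only as the whole leftmost label, never across a label boundary), and lists the names still missing. The sample data mirrors the thread: the certificate covers sellfam.com, DNS sends inbound mail to mail.sellfam.com.

```python
import re

# Constructed `dig +noall +answer MX sellfam.com` style answer (not real DNS data)
DIG_MX = "sellfam.com.\t3600\tIN\tMX\t10 mail.sellfam.com.\n"

# Constructed subjectAltName dNSName list standing in for the cert in the thread
CERT_NAMES = ["sellfam.com", "www.sellfam.com"]

def mx_targets(dig_answer):
    """Hostnames other mail servers will connect to for this domain."""
    return [t.rstrip(".") for t in
            re.findall(r"\sIN\s+MX\s+\d+\s+(\S+)", dig_answer)]

def name_matches(presented, host):
    """RFC 6125-style comparison of one certificate name with a hostname."""
    presented, host = presented.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in presented:
        return presented == host
    p_labels, h_labels = presented.split("."), host.split(".")
    # wildcard must be the entire leftmost label, must not be the only label
    # before the public suffix, and matches exactly one label (no sub-subdomains)
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def missing_names(cert_names, expected_hosts):
    """Hosts a peer may connect to that no name on the certificate covers."""
    return [h for h in expected_hosts
            if not any(name_matches(n, h) for n in cert_names)]

def check_domain(dig_answer, cert_names, domain):
    """Names to add: the MX targets plus the bare domain used on port 587."""
    return missing_names(cert_names, [domain] + mx_targets(dig_answer))
```

For the constructed data this reports `['mail.sellfam.com']`, the name post #8 says the certificate needs.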


#9

You definitely need to work on your cipher list. You should enforce cipher order by server and choose only secure ciphers, at least no completely insecure ciphers. I’d suggest using something like https://testssl.sh for testing on your own.

