Postfix doesn't work since last update of certificate (08/2019)

Hi,

I use a containerized version of postfix via https://github.com/tomav/docker-mailserver .
I don’t use their system to update the letsencrypt certificate, but I have caddyserver.com generating it for me.
I just restart the email server with volume mounts pointing to the newly generated cert.
The container uses dovecot for imap, and it works great. But for postfix, it doesn’t.
Here are the details.

My domain is: mail.evereska.org

I ran this command: openssl s_client -connect mail.evereska.org:465

It produced this output:

CONNECTED(00000003)
140335235655320:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1567176612
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

My mail server is (include version): postfix (3.1.12-0+deb9u1)

The operating system my mail server runs on is (include version): debian 9.9 (container from https://github.com/tomav/docker-mailserver)

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Thanks

Hi @dolanor

checked with my OpenSSL that works.

But: The connection uses Tls.1.3.

Is this really a good idea? Maybe too many mail clients without Tls.1.3 support.

Yep - checked with the -no_tls1_3 - flag, there is no connection possible.

Same error you have shared.

So your server supports only Tls.1.3, that’s too limited.

Ok, that was my idea also, but couldn’t debug it with my openssl. I guess it is too old…
Thanks for the debugging on your part.
So I guess let’s encrypt can’t really be used for email server for now? And I should downgrade to a classic certificate provider?

That’s not a problem using Letsencrypt or another CA.

It’s a problem your mail server uses only the (too new) Tls.1.3.

You can use a certificate with Tls.1.0, 1.1, 1.2 and 1.3. But you shouldn’t use a SSL-configuration only with Tls.1.3 allowed.

How did you get your server-side configuration for Postfix? That’s where this is set (not in the certificate itself).

You might also want to try

https://ssl-config.mozilla.org/

which is able to generate recommended configurations for Postfix. (This is what we try to use for Certbot’s default for Apache and nginx configurations when Certbot is creating them.)

Thank you very much helping me figure out this issue, because it’s quite problematic, I receive pro emails on it.

The configuration is from the tomav/docker-mailserver container. I tried the config from mozilla to no avail (I replaced every field from the mozilla config into the config from the container).

here is the generated config from the container. It used to work for 2 years with certs generated from letsencrypt:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

smtpd_banner = $myhostname ESMTP $mail_name (Debian)
biff = no
append_dot_mydomain = no
readme_directory = no

# Basic configuration
# myhostname =
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = $myhostname, localhost.$mydomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::1]/128 [fe80::]/64 172.20.0.2/32
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

# TLS parameters
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.evereska.org/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.evereska.org/privkey.pem
#smtpd_tls_CAfile=
#smtp_tls_CAfile=
smtpd_tls_security_level = may
smtpd_use_tls=yes
smtpd_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_loglevel = 1
tls_ssl_options = NO_COMPRESSION
tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
tls_preempt_cipherlist = yes
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL
smtpd_tls_dh1024_param_file = /etc/postfix/dhparams.pem
smtpd_tls_CApath = /etc/ssl/certs
smtp_tls_CApath = /etc/ssl/certs

# Settings to prevent SPAM early
smtpd_helo_required = yes
smtpd_delay_reject = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, permit
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, check_policy_service inet:127.0.0.1:10023
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain
disable_vrfy_command = yes

# Postscreen settings to drop zombies/open relays/spam early
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*3
	bl.mailspike.net
	b.barracudacentral.org*2
	bl.spameatingmonkey.net
	bl.spamcop.net
	dnsbl.sorbs.net
	psbl.surriel.com
	list.dnswl.org=127.0.[0..255].0*-2
	list.dnswl.org=127.0.[0..255].1*-3
	list.dnswl.org=127.0.[0..255].[2..3]*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = enforce
postscreen_bare_newline_action = enforce

# SASL
smtpd_sasl_auth_enable = yes

smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $mydomain
broken_sasl_auth_clients = yes

# Mail directory
virtual_transport = lmtp:unix:/var/run/dovecot/lmtp
virtual_mailbox_domains = /etc/postfix/vhost, ldap:/etc/postfix/ldap-domains.cf
virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf
virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf, ldap:/etc/postfix/ldap-groups.cf

# Additional option for filtering
content_filter = smtp-amavis:[127.0.0.1]:10024

# Milters used by DKIM
milter_protocol = 6
milter_default_action = accept
dkim_milter = inet:localhost:8891
dmarc_milter = inet:localhost:8893
smtpd_milters = $dkim_milter,$dmarc_milter
non_smtpd_milters = $dkim_milter

# SPF policy settings
policyd-spf_time_limit = 3600

# Remove unwanted headers that reveail our privacy
smtp_header_checks = pcre:/etc/postfix/maps/sender_header_filter.pcre
myhostname = mail.evereska.org
mydomain = evereska.org
message_size_limit = 52428800
compatibility_level = 2
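
An added diagnostic, not part of the original post or of docker-mailserver: it asks the local OpenSSL, through Python's `ssl` module, which cipher suites survive the `tls_high_cipherlist` and `smtpd_tls_exclude_ciphers` values posted above, split by the key type of the server certificate. Joining the exclusions as `:!token` is an assumption about how Postfix combines the two settings, and the key types are hypothetical inputs; the page does not say which key type the renewed certificate has.

```python
import ssl

# Values copied from the main.cf posted above.
TLS_HIGH_CIPHERLIST = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
)
SMTPD_TLS_EXCLUDE_CIPHERS = (
    "aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, "
    "3DES, CAMELLIA256, RSA+AES, eNULL"
)


def effective_cipher_string(cipherlist, exclude):
    """Append every excluded token as ':!token' (assumed Postfix behaviour)."""
    tokens = exclude.replace(",", " ").split()
    return cipherlist + "".join(f":!{tok}" for tok in tokens)


def usable_suites(cipher_string, cert_key_type):
    """Suites a server could negotiate with a certificate of this key type.

    cert_key_type is 'RSA' or 'ECDSA' (hypothetical input). TLS 1.3 suites
    are not tied to a key type and are not controlled by the cipher string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    usable = {"TLSv1.2": [], "TLSv1.3": []}
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            usable["TLSv1.3"].append(suite["name"])
        elif f"Au={cert_key_type}" in suite["description"]:
            # Every suite in the posted list is a TLS 1.2 suite.
            usable["TLSv1.2"].append(suite["name"])
    return usable


if __name__ == "__main__":
    rule = effective_cipher_string(TLS_HIGH_CIPHERLIST, SMTPD_TLS_EXCLUDE_CIPHERS)
    for key_type in ("RSA", "ECDSA"):
        suites = usable_suites(rule, key_type)
        print(key_type, "TLSv1.2:", suites["TLSv1.2"] or "none")
        print(key_type, "TLSv1.3:", suites["TLSv1.3"] or "none")
```

With the posted settings, an ECDSA-keyed certificate leaves no TLS 1.2 suite to negotiate, while an RSA-keyed certificate keeps the ECDHE-RSA suites; the TLS 1.3 suites are the same in both cases.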

I don’t use such a configuration, so I don’t know the details.

But that

looks good.

So it looks like this configuration isn’t used, instead there is a completely different configuration used.

I can’t post my postconf because it is too big, but it seems it has taken those parameters into account. So there must be some conflict in the config?
Here is the copy of it: https://framabin.org/p/?b3ba810599f2aee5#Xutp108O275eV5q1lk7h+22D2xhDV0U0Ps+hZFPVZ/U=

I couldn’t fix it for now, so I used a classic “paid for” certificate which is working as is with the configuration. But if anyone could help me get back to letsencrypt, I’d be glad!

Here is a brute-force, bad idea to test things. Copy the “paid for” working certificates to a safe place, then copy the LE certificates “on top of” the paid-for, working certificates. Restart Postfix. If things work, then the problem is with your configuration. If things don’t work, then copy the working “paid for” certificates back in place, eat a sandwich, take a nap, and start over in the morning. (The last part is never a BAD idea.)

That’s curious. A certificate has nothing to do if you use it with Tls1.0,1.1, 1.2 or 1.3. And there is no real difference between Letsencrypt and other (DV) certificates.

I would test the same what @Buffalo wrote: Change the certificate. There must be a great error in your configuration.

Well, I basically restarted my mail container without changing the config except updating the certificates with the new version updated by caddy, and it wouldn’t work anymore.
So I frankly don’t know what I did wrong?

But you must be right, because I can’t make the paid for certificate work anymore either… I’m getting lost.

Here’s my postfix main.cf file. Plunder it at will.
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA’s job.
append_dot_mydomain = no

# Uncomment the next line to generate “delayed mail” warnings
#delay_warning_time = 4h

readme_directory = no
#smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
#BKW
smtpd_relay_restrictions = reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining, permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination

# check_sender_access hash:/etc/postfix/blacklist,

myhostname = w5gfe.org

alias_maps = hash:/etc/aliases,
    hash:/var/lib/mailman/data/aliases

alias_database = hash:/etc/aliases,
    hash:/var/lib/mailman/data/aliases

myorigin = w5gfe.org

mydestination = w5gfe.w5gfe.org, w5gfe, w5gfe.org, splat.w5gfe.org, maa.w5gfe.org, ns.w5gfe.org, localhost

relayhost =

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128\ [2001:470:1f0e:9eb::]/64 192.168.1.0/24

mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

inet_protocols = ipv4, ipv6

smtpd_tls_cert_file = /etc/letsencrypt/live/w5gfe.org/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/w5gfe.org/privkey.pem

smtpd_use_tls = yes

smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes

smtp_use_tls = yes
smtpd_tls_received_header = yes

smtpd_tls_mandatory_protocols = SSLv3, TLSv1.1, TLSv1.2, !TLSv1
smtpd_tls_mandatory_ciphers = medium

smtpd_tls_exclude_ciphers = aNULL, DES, 3DES, MD5, DES+MD5, RC4
smtpd_tls_auth_only = yes
tls_random_source = dev:/dev/urandom

smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_recipient_restrictions = reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_non_fqdn_sender,
    reject_invalid_hostname,
    reject_non_fqdn_recipient,
    check_policy_service inet:127.0.0.1:10023,
    permit

proxy_interfaces = 72.24.30.146

## DKIM milter

milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
# large files OK on April 19, 2016
message_size_limit = 0
compatibility_level = 2

## BlackList stuff November 23, 2018
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/BlackList

Ok, I fixed it!
For now, I will keep the “paid for” cert. If I use the latest LE certs, then the server and the client need an updated OpenSSL library.
I don’t know which one for now, but clearly $ openssl version OpenSSL 1.0.2g 1 Mar 2016 from Ubuntu 16.04 doesn’t work on the client side, but openssl-1.1.1c on server+client side works.
It doesn’t seem the compatible OpenSSL version is so available (on my android it doesn’t seem either), so I’ll keep the downgraded version until I can upgrade my server with all other servers and clients able to get to understand each other.