Sendmail : STARTTLS=client, relay=[127.0.0.1], version=TLSv1.3, verify=FAIL

Please fill out the fields below so we can help you. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (for example, https://crt.sh/?q=example.com). Withholding your domain name here therefore does not help keep it secret, but it does make it harder for us to help you.

I can read answers in English: yes

My domain is: paxtour.net

I ran this command:

It produced this output:
mail.php file

<?php
$mail_to = "xxx";
$subject = "test";
$body = "ceci est un test";
$headers = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=utf-8' . "\r\n";
mail($mail_to, $subject, $body, $headers);
?>

My web server is (include version): Apache/2.4.25 (Debian)

The operating system my web server runs on is (include version): Debian 4.9.144-3.1 (2019-02-19) x86_64

My hosting provider, if applicable, is: OVH

I can log in to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

tail -n100 /var/log/mail.log

Apr 10 07:16:51 paxtour sm-mta[15195]: 03A5GpuA015195: — 220 2.0.0 Ready to start TLS
Apr 10 07:16:51 paxtour sendmail[15194]: STARTTLS=client, relay=[127.0.0.1], version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Apr 10 07:16:51 paxtour sm-mta[15195]: STARTTLS=server, get_verify: 0 get_peer: 0x0
Apr 10 07:16:51 paxtour sm-mta[15195]: STARTTLS=server, relay=localhost [127.0.0.1], version=TLSv1.3, verify=NOT, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Apr 10 07:16:51 paxtour sm-mta[15195]: STARTTLS=server, cert-subject=, cert-issuer=, verifymsg=ok

Why do I get verify=FAIL?

Hi @obrochard

checking your mail ports isn’t possible, these ports don’t answer - https://check-your-website.server-daten.de/?q=paxtour.net#portchecks

But:

Does your PHP support TLS 1.3? Check whether TLS 1.2 is active.

And do you use the correct domain name?

If you connect to the IP address, the certificate is invalid, because the certificate doesn’t contain an IP address as a domain name.

  1. paxtour.

OVH : Web solution : 51.77.210.94
domain : paxtour.net

OVH VPS server : 85.170.195.235

OVH Web solution redirect traffic to OVH VPS

To prevent issues with mail:
I configured “reverse IP” on the OVH VPS server with paxtour.net
=> its function is enabled with the OVH GUI on my VPS server.

  2. Same issue with sendmail

TLS v1.3 on PHP is not the root cause; I have the same issue with the sendmail command

echo "Subject:Hello Olivier !" | sendmail xxxxxx@gmail.com

Apr 11 09:24:25 paxtour sm-mta[11663]: NOQUEUE: connect from localhost [127.0.0.1]
Apr 11 09:24:25 paxtour sm-mta[11663]: AUTH warning: no mechanisms
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWm011663: Milter: no active filter
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWm011663: — 220 paxtour.net ESMTP Sendmail 8.15.2/8.15.2/Debian-8; Sat, 11 Apr 2020 09:24:25 +0200; (No UCE/UBE) logging access from: localhost(OK)-localhost [127.0.0.1]
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWm011663: <-- EHLO paxtour.net
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWm011663: — 250-paxtour.net Hello localhost [127.0.0.1], pleased to meet you
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWm011663: — 250-ENHANCEDSTATUSCODES
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWm011663: — 250-PIPELINING
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWm011663: — 250-EXPN
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWm011663: — 250-VERB
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWm011663: — 250-8BITMIME
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWm011663: — 250-SIZE
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWm011663: — 250-DSN
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWm011663: — 250-ETRN
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWm011663: — 250-STARTTLS
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWm011663: — 250-DELIVERBY
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWm011663: — 250 HELP
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWm011663: <-- STARTTLS
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWm011663: — 220 2.0.0 Ready to start TLS
Apr 11 09:24:25 paxtour sendmail[11662]: STARTTLS=client, relay=[127.0.0.1], version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Apr 11 09:24:25 paxtour sm-mta[11663]: STARTTLS=server, get_verify: 0 get_peer: 0x0
Apr 11 09:24:25 paxtour sm-mta[11663]: STARTTLS=server, relay=localhost [127.0.0.1], version=TLSv1.3, verify=NOT, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Apr 11 09:24:25 paxtour sm-mta[11663]: STARTTLS=server, cert-subject=, cert-issuer=, verifymsg=ok
Apr 11 09:24:25 paxtour sm-mta[11663]: AUTH warning: no mechanisms
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWm011663: <-- EHLO paxtour.net
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWn011663: — 250-paxtour.net Hello localhost [127.0.0.1], pleased to meet you
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWn011663: — 250-ENHANCEDSTATUSCODES
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWn011663: — 250-PIPELINING
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWn011663: — 250-EXPN
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWn011663: — 250-VERB
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWn011663: — 250-8BITMIME
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWn011663: — 250-SIZE
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWn011663: — 250-DSN
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWn011663: — 250-ETRN
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWn011663: — 250-DELIVERBY
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWn011663: — 250 HELP
Apr 11 09:24:25 paxtour sm-mta[11663]: STARTTLS=read, info: fds=8/4, err=2
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWn011663: <-- MAIL From:root@paxtour.net SIZE=24
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWn011663: — 250 2.1.0 root@paxtour.net… Sender ok
Apr 11 09:24:25 paxtour sm-mta[11663]: STARTTLS=read, info: fds=8/4, err=2
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWn011663: <-- RCPT To:o.brochard@gmail.com
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWn011663: — 250 2.1.5 o.brochard@gmail.com… Recipient ok
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWn011663: <-- DATA
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWn011663: — 354 Enter mail, end with “.” on a line by itself
Apr 11 09:24:25 paxtour sm-mta[11663]: STARTTLS=read, info: fds=8/4, err=2
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWn011663: from=root@paxtour.net, size=295, class=0, nrcpts=1, msgid=202004110724.03B7OPHi011662@paxtour.net, proto=ESMTPS, daemon=MTA-v4, relay=localhost [127.0.0.1]
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWn011663: — 250 2.0.0 03B7OPWn011663 Message accepted for delivery
Apr 11 09:24:25 paxtour sm-mta[11663]: STARTTLS=read, info: fds=8/4, err=2
Apr 11 09:24:25 paxtour sendmail[11662]: 03B7OPHi011662: to=xxxxxx@gmail.com, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30024, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (03B7OPWn011663 Message accepted for delivery)
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWo011663: <-- QUIT
Apr 11 09:24:25 paxtour sm-mta[11663]: 03B7OPWo011663: — 221 2.0.0 paxtour.net closing connection
Apr 11 09:24:25 paxtour sm-mta[11665]: 03B7OPWn011663: makeconnection (gmail-smtp-in.l.google.com. [IPv6:2a00:1450:400c:c06:0:0:0:1a]) failed: Network is unreachable
Apr 11 09:24:25 paxtour sm-mta[11665]: 03B7OPWn011663: SMTP outgoing connect on paxtour.net
Apr 11 09:24:25 paxtour sm-mta[11665]: STARTTLS: CRLFile missing
Apr 11 09:24:25 paxtour sm-mta[11665]: STARTTLS=client, init=1
Apr 11 09:24:25 paxtour sm-mta[11665]: STARTTLS=client, start=ok
Apr 11 09:24:25 paxtour sm-mta[11665]: STARTTLS=client, info: fds=7/6, err=2
Apr 11 09:24:25 paxtour sm-mta[11665]: STARTTLS: TLS cert verify: depth=1 /C=US/O=Google Trust Services/CN=GTS CA 1O1, state=0, reason=unable to get local issuer certificate
Apr 11 09:24:25 paxtour sm-mta[11665]: STARTTLS=client, get_verify: 20 get_peer: 0x5609d5946930
Apr 11 09:24:25 paxtour sm-mta[11665]: STARTTLS=client, relay=gmail-smtp-in.l.google.com., version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Apr 11 09:24:25 paxtour sm-mta[11665]: STARTTLS=client, cert-subject=/C=US/ST=California/L=Mountain+20View/O=Google+20LLC/CN=mx.google.com, cert-issuer=/C=US/O=Google+20Trust+20Services/CN=GTS+20CA+201O1, verifymsg=unable to get local issuer certificate
Apr 11 09:24:25 paxtour sm-mta[11665]: STARTTLS=read, info: fds=7/6, err=2
Apr 11 09:24:25 paxtour sm-mta[11665]: STARTTLS=read, info: fds=7/6, err=2
Apr 11 09:24:25 paxtour sm-mta[11665]: STARTTLS=read, info: fds=7/6, err=2
Apr 11 09:24:26 paxtour sm-mta[11665]: STARTTLS=read, info: fds=7/6, err=2
Apr 11 09:24:26 paxtour sm-mta[11665]: 03B7OPWn011663: to=o.brochard@gmail.com, ctladdr=root@paxtour.net (0/0), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=120295, relay=gmail-smtp-in.l.google.com. [64.233.167.27], dsn=2.0.0, stat=Sent (OK 1586589866 c8si3945471wmb.220 - gsmtp)
Apr 11 09:24:26 paxtour sm-mta[11665]: 03B7OPWn011663: done; delay=00:00:01, ntries=1
Apr 11 09:24:26 paxtour sm-mta[11665]: STARTTLS=read, info: fds=7/6, err=2
Apr 11 09:24:26 paxtour sm-mta[11665]: STARTTLS=client, SSL_shutdown failed: -1

Please:

Use OpenSSL to connect to your mail server, then you will see the certificate.

There is no subject, no issuer visible.

Test 1

root@paxtour:/etc/letsencrypt/live/paxtour.net# ls
cert.pem chain2.pem chain.pem fullchain2.pem fullchain.pem isrgrootx1.pem privkey.pem README
root@paxtour:/etc/letsencrypt/live/paxtour.net# openssl verify -verbose -CAfile cert.pem -untrusted chain.pem cert.pem
cert.pem: OK

Test 2

root@paxtour:~# openssl s_client -showcerts -connect mail.paxtour.net:465 -servername mail.paxtour.net
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = ns0.ovh.net
verify return:1
---
Certificate chain
0 s:OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = ns0.ovh.net
i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
---
Server certificate
subject=OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = ns0.ovh.net

issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-521, 521 bits
---
SSL handshake has read 4359 bytes and written 568 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: 9C08000004378F5BB394F74FC4A3BD62B5045555ADC2D480F1E9390ECF1D655F
Session-ID-ctx:
Master-Key: 5D996E758E4490932EEDE19883D3A1E3DCFAA013A03A4D9A7EAE3D4E773B09A08E4846B4AAF287BAB614CC2760393B11
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1586610700
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
220 GARM-97G002 Saturday, April 11, 2020
^C
root@paxtour:~#

Test 3

root@paxtour:~# openssl s_client -starttls smtp -showcerts -connect mail.paxtour.net:465 -servername mail.paxtour.net
CONNECTED(00000003)
^C
root@paxtour:~#

???

That’s

  • not paxtour.net, it’s mail.paxtour.net
  • a Sectigo certificate
  • a certificate of your hoster, so the domain name must be wrong

So you have used the wrong domain name, so the result is expected.

Here the sendmail process (with pid 15194) is configured as local delivery agent and plays the role of the SMTP client. In its configuration file the SMTP hub/relay is the localhost. The SMTP server sm-mta (with pid 15195) should present a certificate for localhost for the SMTP client to avoid reporting verify=FAIL.
You should just disregard this message, it is rather innocent inside the system.
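
A triage sketch for the two kinds of `verify=FAIL` in the logs above (an added example, not part of the original posts): it separates the loopback handshake between the local sendmail client and sm-mta from handshakes with remote relays, and attaches the `verifymsg` reason when one follows. The first log lines follow the thread's format, the last one is constructed, and the verdict names are labels chosen here.

```python
import ipaddress
import re

# Log lines in the format quoted in this thread; the last one is constructed
# and the cert-subject/cert-issuer values are abridged.
SAMPLE_LOG = """\
Apr 11 09:24:25 paxtour sendmail[11662]: STARTTLS=client, relay=[127.0.0.1], version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Apr 11 09:24:25 paxtour sm-mta[11663]: STARTTLS=server, relay=localhost [127.0.0.1], version=TLSv1.3, verify=NOT, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Apr 11 09:24:25 paxtour sm-mta[11665]: STARTTLS=client, relay=gmail-smtp-in.l.google.com., version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Apr 11 09:24:25 paxtour sm-mta[11665]: STARTTLS=client, cert-subject=/C=US/CN=mx.google.com, cert-issuer=/C=US/CN=GTS+20CA+201O1, verifymsg=unable to get local issuer certificate
Apr 11 09:30:00 paxtour sm-mta[11700]: STARTTLS=client, relay=mx.example.org., version=TLSv1.3, verify=OK, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
"""

LINE_RE = re.compile(r"(?P<proc>[\w-]+)\[(?P<pid>\d+)\]: STARTTLS=client, (?P<rest>.+)$")

def is_loopback(relay):
    """True when the relay field names the local host, e.g. '[127.0.0.1]'."""
    m = re.search(r"\[(?:IPv6:)?([^\]]+)\]", relay)
    if m:
        try:
            return ipaddress.ip_address(m.group(1)).is_loopback
        except ValueError:
            return False
    return relay.rstrip(".").lower() == "localhost"

def classify(log_text):
    """Return one dict per STARTTLS=client handshake with a triage verdict."""
    results, last_by_pid = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("rest").split(", ") if "=" in kv)
        key = (m.group("proc"), m.group("pid"))
        if "relay" in fields and "verify" in fields:
            if fields["verify"] == "OK":
                verdict = "verified"
            elif is_loopback(fields["relay"]):
                verdict = "local-submission"   # local client -> MTA on localhost
            else:
                verdict = "remote-unverified"  # remote peer's chain not validated
            entry = {"relay": fields["relay"], "verify": fields["verify"],
                     "verdict": verdict, "reason": None}
            results.append(entry)
            last_by_pid[key] = entry
        elif "verifymsg" in fields and key in last_by_pid:
            # The reason is logged on a later line by the same process.
            last_by_pid[key]["reason"] = fields["verifymsg"]
    return results

if __name__ == "__main__":
    for row in classify(SAMPLE_LOG):
        print(row)
```

A `remote-unverified` row with the reason `unable to get local issuer certificate` means the issuing CA of the remote certificate was not found among the CA certificates sendmail was given; the connection is still encrypted and, as the log shows, the message was delivered.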

Thanks for your answers, I am not an expert in security.

I don't understand which parameters I should change in my Debian?

Test 4

root@paxtour:/etc/letsencrypt/live/paxtour.net#
root@paxtour:/etc/letsencrypt/live/paxtour.net# openssl s_client -showcerts -servername paxtour.net -connect paxtour.net:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
verify return:1
depth=0 CN = paxtour.net
verify return:1
---
Certificate chain
0 s:CN = paxtour.net
i:C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
1 s:C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
2 s:C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
subject=CN = paxtour.net

issuer=C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3

---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4672 bytes and written 439 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 4E9F50F3D189227E05EA5387179BF9D33EFD4E098BE6E5738109231015AE2F4B
Session-ID-ctx:
Master-Key: 5148198ED76A4AB6A49C81915F78580E7A1D88817E41B3A27836215DCE2638A3711DD534C913C321AC32D5D967191138
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)

Start Time: 1586615853
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no

HTTP/1.1 400 Bad Request
Date: Sat, 11 Apr 2020 14:37:35 GMT
Server: Apache/2.4.25 (Debian)
Content-Length: 304
Connection: close
Content-Type: text/html; charset=iso-8859-1

400 Bad Request

Bad Request

Your browser sent a request that this server could not understand.


Apache/2.4.25 (Debian) Server at paxtour.net Port 443
closed
root@paxtour:/etc/letsencrypt/live/paxtour.net#

OK, I understand, I should use an SMTP relay in my php.ini conf

[mail function]
SMTP = SSL0.OVH.NET
smtp_port = 25
username = contact@paxtour.net
password = *************
sendmail_from = contact@paxtour.net