After upgrading to ISPConfig 3.2, emails with TLS configuration stopped sending email

Discussion in 'General' started by rodrigosarri, Oct 19, 2020.

  1. rodrigosarri

    rodrigosarri Member

    Hello guys, I have a problem after updating to the latest version of ISPConfig. Emails configured in Outlook are no longer able to use TLS encryption and port 587.

    Only when configured on port 25 and with STARTTLS encryption do they work.

    However, I have many users with old Outlooks (they have no option to use STARTTLS, only SSL/TLS).

    Do I need to add some configuration so that all emails that were configured with TLS encryption and port 587 will work again with SMTP?

    The errors shown in Outlook are:

    None of the authentication methods supported by this client are supported by your server
    Try changing the encryption method. Contact your email server administrator or ISP for further assistance

    Thanks for any help guys
     
    Last edited: Oct 19, 2020
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Could it be that they use an old version of Outlook that does not support TLSv1 and TLSv1.1, and you have those (or the ciphers that are needed) disabled?
     
  3. rodrigosarri

    rodrigosarri Member

    I just upgraded to ISPConfig version 3.2 and all accounts set up in Outlook with port 587 and SSL/TLS encryption stopped working for sending. Receiving continues smoothly.

    When configuring a new account with SSL/TLS and port 587 in Outlook, Outlook rejects it warning that the server does not accept this encryption.
     
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Yes, I understand your question. You didn't answer mine though, so I can't help you further with just the same question.
     
  5. rodrigosarri

    rodrigosarri Member

    Code:
    /etc/postfix/master.cf
    
    #
    # Postfix master process configuration file.  For details on the format
    # of the file, see the master(5) manual page (command: "man 5 master" or
    # on-line: http://www.postfix.org/master.5.html).
    #
    # Do not forget to execute "postfix reload" after editing this file.
    #
    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    # ==========================================================================
    smtp      inet  n       -       -       -       -       smtpd
    #smtp      inet  n       -       -       -       1       postscreen
    #smtpd     pass  -       -       -       -       -       smtpd
    #dnsblog   unix  -       -       -       -       0       dnsblog
    #tlsproxy  unix  -       -       -       -       0       tlsproxy
    submission inet n       -       -       -       -       smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    smtps     inet  n       -       -       -       -       smtpd
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    #628       inet  n       -       -       -       -       qmqpd
    pickup    unix  n       -       -       60      1       pickup
    cleanup   unix  n       -       -       -       0       cleanup
    qmgr      unix  n       -       n       300     1       qmgr
    #qmgr     unix  n       -       n       300     1       oqmgr
    tlsmgr    unix  -       -       -       1000?   1       tlsmgr
    rewrite   unix  -       -       -       -       -       trivial-rewrite
    bounce    unix  -       -       -       -       0       bounce
    defer     unix  -       -       -       -       0       bounce
    trace     unix  -       -       -       -       0       bounce
    verify    unix  -       -       -       -       1       verify
    flush     unix  n       -       -       1000?   0       flush
    proxymap  unix  -       -       n       -       -       proxymap
    proxywrite unix -       -       n       -       1       proxymap
    smtp      unix  -       -       -       -       -       smtp
    relay     unix  -       -       -       -       -       smtp
    #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
    showq     unix  n       -       -       -       -       showq
    error     unix  -       -       -       -       -       error
    retry     unix  -       -       -       -       -       error
    discard   unix  -       -       -       -       -       discard
    local     unix  -       n       n       -       -       local
    virtual   unix  -       n       n       -       -       virtual
    lmtp      unix  -       -       -       -       -       lmtp
    anvil     unix  -       -       -       -       1       anvil
    scache    unix  -       -       -       -       1       scache
    #
    # ====================================================================
    # Interfaces to non-Postfix software. Be sure to examine the manual
    # pages of the non-Postfix software to find out what options it wants.
    #
    # Many of the following services use the Postfix pipe(8) delivery
    # agent.  See the pipe(8) man page for information about ${recipient}
    # and other message envelope options.
    # ====================================================================
    #
    # maildrop. See the Postfix MAILDROP_README file for details.
    # Also specify in main.cf: maildrop_destination_recipient_limit=1
    #
    maildrop  unix  -       n       n       -       -       pipe
      flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender}
    #
    # ====================================================================
    #
    # Recent Cyrus versions can use the existing "lmtp" master.cf entry.
    #
    # Specify in cyrus.conf:
    #   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
    #
    # Specify in main.cf one or more of the following:
    #  mailbox_transport = lmtp:inet:localhost
    #  virtual_transport = lmtp:inet:localhost
    #
    # ====================================================================
    #
    # Cyrus 2.1.5 (Amos Gouaux)
    # Also specify in main.cf: cyrus_destination_recipient_limit=1
    #
    #cyrus     unix  -       n       n       -       -       pipe
    #  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
    #
    # ====================================================================
    # Old example of delivery via Cyrus.
    #
    #old-cyrus unix  -       n       n       -       -       pipe
    #  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
    #
    # ====================================================================
    #
    # See the Postfix UUCP_README file for configuration details.
    #
    uucp      unix  -       n       n       -       -       pipe
      flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    #
    # Other external delivery methods.
    #
    ifmail    unix  -       n       n       -       -       pipe
      flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp     unix  -       n       n       -       -       pipe
      flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
    scalemail-backend unix  - n n - 2 pipe
      flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
    mailman   unix  -       n       n       -       -       pipe
      flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
      ${nexthop} ${user}
    
    dovecot   unix  -       n       n       -       -       pipe
      flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
    
    
    amavis unix - - - - 2 smtp
      -o smtp_data_done_timeout=1200
      -o smtp_send_xforward_command=yes
      -o smtp_bind_address=
    
    127.0.0.1:10025 inet n - n - - smtpd
      -o content_filter=
      -o local_recipient_maps=
      -o relay_recipient_maps=
      -o smtpd_restriction_classes=
      -o smtpd_client_restrictions=
      -o smtpd_helo_restrictions=
      -o smtpd_sender_restrictions=
      -o smtpd_recipient_restrictions=permit_mynetworks,reject
      -o smtpd_end_of_data_restrictions=
      -o mynetworks=127.0.0.0/8
      -o strict_rfc821_envelopes=yes
      -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
      -o smtp_send_xforward_command=yes
      -o disable_dns_lookups=yes
    
    127.0.0.1:10027 inet n - n - - smtpd
      -o content_filter=
      -o local_recipient_maps=
      -o relay_recipient_maps=
      -o smtpd_restriction_classes=
      -o smtpd_client_restrictions=
      -o smtpd_helo_restrictions=
      -o smtpd_sender_restrictions=
      -o smtpd_recipient_restrictions=permit_mynetworks,reject
      -o smtpd_end_of_data_restrictions=
      -o mynetworks=127.0.0.0/8
      -o strict_rfc821_envelopes=yes
      -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
      -o smtp_send_xforward_command=yes
      -o milter_default_action=accept
      -o milter_macro_daemon_name=ORIGINATING
      -o disable_dns_lookups=yes
    
     
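Editor's added example, not code from this thread, ISPConfig or Postfix. The master.cf above carries the two listeners that matter for a mail client's TLS setting: the `submission` service (port 587) sets `smtpd_tls_security_level=encrypt`, which is a plaintext greeting followed by a mandatory STARTTLS upgrade, while the `smtps` service (port 465) sets `smtpd_tls_wrappermode=yes`, which is TLS from the first byte, the mode mail clients label "SSL/TLS" as opposed to "STARTTLS". The script parses a constructed excerpt in the shape of that file and prints, for every inet smtpd listener, which of the two it offers. The service-name-to-port table is an assumption taken from a typical /etc/services, and the `main_cf_level` default of `may` mirrors the `smtpd_tls_security_level = may` in the main.cf posted later in the thread.

```python
"""Classify the TLS mode of every inet smtpd listener in a Postfix master.cf.

Added example for this thread, not ISPConfig or Postfix code. SAMPLE_MASTER_CF
is a constructed excerpt in the shape of the posted file; SERVICE_PORTS is an
assumed mapping (what /etc/services usually says), not read from the system.
"""
import re

# Assumed well-known ports for the named services (from a typical /etc/services).
SERVICE_PORTS = {"smtp": 25, "submission": 587, "smtps": 465}

# Constructed excerpt modelled on the master.cf posted above.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
pickup    unix  n       -       -       60      1       pickup
127.0.0.1:10025 inet n - n - - smtpd
        -o content_filter=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
"""


def parse_master_cf(text):
    """Return {service_name: {"type": ..., "command": ..., "options": {...}}}.

    A service line starts in column 0 and has at least eight fields; indented
    lines are continuations carrying '-o key=value' overrides for the service
    declared last.
    """
    services = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if line[0].isspace():                      # continuation line
            if current is None:
                continue
            for m in re.finditer(r"-o\s+([A-Za-z0-9_]+)=(\S*)", line):
                services[current]["options"][m.group(1)] = m.group(2)
            continue
        fields = line.split()
        if len(fields) < 8:
            continue
        current = fields[0]
        services[current] = {"type": fields[1], "command": fields[7], "options": {}}
    return services


def tls_mode(options, main_cf_level="may"):
    """Describe how an smtpd listener does TLS, honouring per-service -o overrides.

    main_cf_level is the global smtpd_tls_security_level (the posted main.cf
    uses 'may'); wrapper mode wins over any security level setting.
    """
    if options.get("smtpd_tls_wrappermode") == "yes":
        return "implicit TLS (client setting 'SSL/TLS')"
    level = options.get("smtpd_tls_security_level", main_cf_level)
    if level == "encrypt":
        return "STARTTLS required (client setting 'STARTTLS')"
    if level == "may":
        return "STARTTLS offered, plaintext allowed"
    return f"no TLS (security level {level!r})"


def listener_report(text, main_cf_level="may"):
    """List (service, port, tls_mode) for every inet listener running smtpd."""
    rows = []
    for name, svc in parse_master_cf(text).items():
        if svc["type"] != "inet" or svc["command"] != "smtpd":
            continue
        if ":" in name:                            # explicit host:port listener
            port = name.rsplit(":", 1)[-1]
        else:
            port = str(SERVICE_PORTS.get(name, "?"))
        rows.append((name, port, tls_mode(svc["options"], main_cf_level)))
    return rows


if __name__ == "__main__":
    for name, port, mode in listener_report(SAMPLE_MASTER_CF):
        print(f"{name:<16} port {port:<5} {mode}")
```

Run it against the real file with `listener_report(open("/etc/postfix/master.cf").read())`; a client that is configured for "SSL/TLS" must be pointed at the listener reported as implicit TLS, and one configured for "STARTTLS" at a listener reported as STARTTLS.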
  6. rodrigosarri

    rodrigosarri Member

    I didn't disable anything
     
  7. rodrigosarri

    rodrigosarri Member

    I added the file /etc/postfix/master.cf which is currently on my server for your review
     
  8. rodrigosarri

    rodrigosarri Member

    Even using a recent Outlook, I can't connect using SSL/TLS on port 587.
     
  9. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Can you share your main.cf as well?
     
  10. rodrigosarri

    rodrigosarri Member

    Code:
    /etc/postfix/main.cf
    
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    readme_directory = /usr/share/doc/postfix
    
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    myhostname = usve255032.serverprofi24.com
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    mydestination = usve255032.serverprofi24.com, localhost, localhost.localdomain
    relayhost =
    mynetworks = 127.0.0.0/8 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = all
    myorigin = /etc/mailname
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains = proxy:mysql:/etc/postfix/mysql-virtual_alias_domains.cf
    virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uids.cf
    virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gids.cf
    sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_restriction_classes = greylisting
    greylisting = check_policy_service inet:127.0.0.1:10023
    smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, check_recipient_access proxy:mysql:/etc/postfix/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix:private/quota-status
    smtpd_tls_security_level = may
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    relay_domains = proxy:mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = proxy:mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps $smtpd_client_restrictions $smtpd_sender_restrictions $smtpd_recipient_restrictions
    smtpd_helo_required = yes
    smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo, ,reject_unknown_helo_hostname, permit
    smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:/etc/postfix/tag_as_foreign.re, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf
    smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, reject_rbl_client zen.spamhaus.org, permit_sasl_authenticated, reject_unauth_pipelining , permit
    smtpd_client_message_rate_limit = 100
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = lmtp:unix:private/dovecot-lmtp
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    owner_request_special = no
    smtp_tls_security_level = may
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2,!SSLv3
    smtp_tls_protocols = !SSLv2,!SSLv3
    smtpd_tls_exclude_ciphers = RC4, aNULL
    smtp_tls_exclude_ciphers = RC4, aNULL
    dovecot_destination_recipient_limit = 1
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    content_filter = lmtp:[127.0.0.1]:10024
    receive_override_options = no_address_mappings
    message_size_limit = 0
    smtpd_etrn_restrictions = permit_mynetworks, reject
    smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
    smtpd_tls_mandatory_ciphers = medium
    tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    tls_preempt_cipherlist = no
    address_verify_negative_refresh_time = 60s
    enable_original_recipient = yes
    smtpd_forbidden_commands = CONNECT,GET,POST,USER,PASS
    address_verify_sender_ttl = 15686s
    
     
  11. Steini86

    Steini86 Active Member

  12. rodrigosarri

    rodrigosarri Member

    I ran a tail -f /var/log/mail.log

    Code:
    Oct 19 22:09:36 usve255032 postfix/smtpd[28914]: warning: unknown[212.70.149.53]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Oct 19 22:09:36 usve255032 postfix/smtpd[28914]: disconnect from unknown[212.70.149.53]
    Oct 19 22:09:41 usve255032 postfix/smtpd[29728]: connect from unknown[212.70.149.53]
    Oct 19 22:09:46 usve255032 dovecot: imap([email protected]): Disconnected: Logged out in=1377 out=50817
    Oct 19 22:09:50 usve255032 postfix/smtps/smtpd[27237]: warning: hostname ip-178-112-68-164.static.contabo.net does not resolve to address 164.68.112.178: Name or service not known
    Oct 19 22:09:50 usve255032 postfix/smtps/smtpd[27237]: connect from unknown[164.68.112.178]
    Oct 19 22:09:50 usve255032 postfix/smtpd[28094]: connect from unknown[212.70.149.53]
    Oct 19 22:09:51 usve255032 postfix/smtpd[28914]: connect from reverso.205.webpic.com.br[186.225.134.205]
    Oct 19 22:09:52 usve255032 postfix/smtps/smtpd[27237]: SSL_accept error from unknown[164.68.112.178]: -1
    Oct 19 22:09:52 usve255032 postfix/smtps/smtpd[27237]: warning: TLS library problem: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1427:
    Oct 19 22:09:52 usve255032 postfix/smtps/smtpd[27237]: lost connection after CONNECT from unknown[164.68.112.178]
    Oct 19 22:09:52 usve255032 postfix/smtps/smtpd[27237]: disconnect from unknown[164.68.112.178]
    Oct 19 22:09:52 usve255032 postfix/smtpd[28914]: warning: 205.134.225.186.zen.spamhaus.org: RBL lookup error: Host or domain name not found. Name service error for name=205.134.225.186.zen.spamhaus.org type=A: Host not found, try again
    
    I noticed this warning: TLS library problem: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1427
     
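Editor's added example, not from the thread: a triage script for the kind of mail.log excerpt posted above. Postfix logs the OpenSSL `TLS library problem` warning without a client address, so the script correlates it with the `SSL_accept error from host[ip]` line written just before it by the same smtpd process, attributing each handshake failure to a client address and a listener (`smtps/smtpd` versus `submission/smtpd`). It counts SASL login failures separately so that brute-force noise like the `SASL LOGIN authentication failed` lines is not mistaken for a client TLS problem. The log lines in the block are constructed in the same format using RFC 5737 documentation addresses; the `unsupported protocol` line is included as the other common handshake failure, and the hint texts are the editor's interpretation.

```python
"""Triage TLS handshake and SASL failures in a Postfix mail.log.

Added example for this thread, not ISPConfig or Postfix code. SAMPLE_LOG is
constructed in the format of the posted excerpt; addresses are documentation
ranges, not the ones from the thread.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Oct 19 22:09:36 mx postfix/smtpd[28914]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 19 22:09:36 mx postfix/smtpd[28914]: disconnect from unknown[203.0.113.7]
Oct 19 22:09:41 mx postfix/smtpd[29728]: connect from unknown[203.0.113.7]
Oct 19 22:09:46 mx dovecot: imap(user@example.com): Disconnected: Logged out in=1377 out=50817
Oct 19 22:09:50 mx postfix/smtps/smtpd[27237]: connect from unknown[198.51.100.9]
Oct 19 22:09:52 mx postfix/smtps/smtpd[27237]: SSL_accept error from unknown[198.51.100.9]: -1
Oct 19 22:09:52 mx postfix/smtps/smtpd[27237]: warning: TLS library problem: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1427:
Oct 19 22:09:52 mx postfix/smtps/smtpd[27237]: lost connection after CONNECT from unknown[198.51.100.9]
Oct 19 22:10:03 mx postfix/submission/smtpd[27301]: connect from client.example.net[192.0.2.44]
Oct 19 22:10:04 mx postfix/submission/smtpd[27301]: SSL_accept error from client.example.net[192.0.2.44]: -1
Oct 19 22:10:04 mx postfix/submission/smtpd[27301]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../ssl/statem/statem_srvr.c:1661:
Oct 19 22:10:04 mx postfix/submission/smtpd[27301]: lost connection after STARTTLS from client.example.net[192.0.2.44]
Oct 19 22:10:20 mx postfix/submission/smtpd[27301]: connect from good.example.org[192.0.2.80]
Oct 19 22:10:21 mx postfix/submission/smtpd[27301]: Anonymous TLS connection established from good.example.org[192.0.2.80]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
"""

# syslog prefix: timestamp, host, "postfix/<listener>/smtpd[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ postfix/(?P<svc>[\w/]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# lines that name the peer; \b keeps "disconnect from" from matching
PEER_RE = re.compile(r"\b(?:connect|SSL_accept error) from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]")
TLS_ERR_RE = re.compile(r"TLS library problem: error:(?P<code>[0-9A-Fa-f]+):SSL routines:[^:]*:(?P<reason>[^:]+):")
SASL_RE = re.compile(r"warning: \S+?\[(?P<ip>[^\]]+)\]: SASL (?P<mech>\w+) authentication failed")
TLS_OK_RE = re.compile(r"TLS connection established from \S+?\[(?P<ip>[^\]]+)\]: (?P<proto>\S+) with cipher (?P<cipher>\S+)")

# Editor's interpretation of the two OpenSSL reasons seen most often here.
HINTS = {
    "no shared cipher": "client offered no suite present in the server cipherlist "
                        "(with the posted tls_medium_cipherlist: a client without TLS 1.2 AEAD suites)",
    "unsupported protocol": "client offered only protocol versions the server rejects",
}


def triage(log_text):
    """Return (tls_failures, sasl_failures, tls_ok).

    tls_failures: [(listener, ip, reason, openssl_code)]
    sasl_failures: {ip: count}
    tls_ok: [(listener, ip, protocol, cipher)]
    """
    last_peer = {}                       # (listener, pid) -> ip of the current client
    tls_failures, tls_ok = [], []
    sasl_failures = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:                        # dovecot and other non-postfix lines
            continue
        svc, pid, msg = m.group("svc"), m.group("pid"), m.group("msg")
        if (p := PEER_RE.search(msg)):
            last_peer[(svc, pid)] = p.group("ip")
        if (e := TLS_ERR_RE.search(msg)):
            tls_failures.append((svc, last_peer.get((svc, pid), "?"), e.group("reason"), e.group("code")))
        elif (s := SASL_RE.search(msg)):
            sasl_failures[s.group("ip")] += 1
        elif (ok := TLS_OK_RE.search(msg)):
            tls_ok.append((svc, ok.group("ip"), ok.group("proto"), ok.group("cipher")))
    return tls_failures, dict(sasl_failures), tls_ok


def describe(log_text):
    """One human-readable line per finding."""
    fails, sasl, ok = triage(log_text)
    out = [f"TLS handshake failed on {svc} from {ip}: {reason} [{code}] -- "
           f"{HINTS.get(reason, 'look up the OpenSSL error code')}"
           for svc, ip, reason, code in fails]
    out += [f"SASL failures from {ip}: {n} (auth brute force, not a TLS problem)"
            for ip, n in sorted(sasl.items())]
    out += [f"TLS OK on {svc} from {ip}: {proto} {cipher}" for svc, ip, proto, cipher in ok]
    return out


if __name__ == "__main__":
    print("\n".join(describe(SAMPLE_LOG)))
```

Feed it the real log with `describe(open("/var/log/mail.log").read())`; the `TLS OK` lines tell you which protocol and cipher the working clients negotiate, which is the baseline to compare the failing ones against.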
  13. Steini86

    Steini86 Active Member

    Yes, as I said: your server and your client do not find a common cipher ("no shared cipher"). So your client does not support the ciphers that your server offers (in the "tls_medium_cipherlist" parameter).
    Your clients are just too old. If you want to support these outdated clients, you have to offer more (vulnerable) ciphers. TLS1.0 and TLS1.1 are end of life since 2018: https://endoflife.software/protocols/encryption/tls
    TLS1.2 should be supported since 2008. If your clients are older, you can make an exception for them. If not, deactivate TLS1.0 and 1.1 and update the clients. Use my link above to get the right settings: https://ssl-config.mozilla.org/#ser...fig=intermediate&openssl=1.1.1d&guideline=5.6

    To enable TLS1.2 for end-of-life outlook on end-of-life windows see here: https://docs.microsoft.com/en-us/ar...bling-tls-1-1-and-1-2-in-outlook-on-windows-7
     
    Last edited: Oct 20, 2020
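Editor's added example, not from the thread: it makes the "no shared cipher" point concrete for the posted main.cf. That file disables only SSLv2 and SSLv3 (`smtpd_tls_protocols = !SSLv2,!SSLv3`), so a TLS 1.0 or 1.1 handshake still passes the version check, but every suite in its `tls_medium_cipherlist` is an AEAD suite (AES-GCM or ChaCha20-Poly1305) that OpenSSL only negotiates under TLS 1.2, so a client limited to TLS 1.0/1.1 fails on the cipher match instead. The script expands cipher strings through the local OpenSSL via Python's `ssl` module, the same library Postfix hands the string to. `MEDIUM` is the list copied from the posted main.cf; `COMPAT` is an assumed list that appends CBC/SHA1 suites to illustrate what an exception for old clients would look like, not a recommendation.

```python
"""Which suites of a Postfix cipherlist can a pre-TLS-1.2 client still use?

Added example for this thread, not ISPConfig or Postfix code. MEDIUM is the
tls_medium_cipherlist from the posted main.cf; COMPAT is an assumed list for
illustration only.
"""
import ssl

MEDIUM = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
          "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
          "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
          "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384")

# Assumed compatibility list: MEDIUM plus CBC/SHA1 suites that exist below TLS 1.2.
COMPAT = MEDIUM + (":ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:"
                   "DHE-RSA-AES128-SHA:AES128-SHA:AES256-SHA")


def expand(cipher_string):
    """Expand an OpenSSL cipher string into (name, minimum protocol) pairs.

    TLS 1.3 suites are configured separately in OpenSSL and always show up in
    a modern context, so they are dropped to keep the view on the 1.2-and-below
    list that Postfix's smtpd_tls_*ciphers parameters control. SECLEVEL=1 is
    forced so the legacy suites in COMPAT are not filtered by the platform's
    default security level before we can see them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("@SECLEVEL=1:" + cipher_string)
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def pre_tls12_suites(cipher_string):
    """Suites a client capped at TLS 1.0/1.1 could still negotiate."""
    return [name for name, proto in expand(cipher_string)
            if proto not in ("TLSv1.2", "TLSv1.3")]


def report(cipher_string):
    """Summarise how many suites need TLS 1.2 and which ones do not."""
    suites = expand(cipher_string)
    legacy = pre_tls12_suites(cipher_string)
    return {"total": len(suites),
            "tls12_only": len(suites) - len(legacy),
            "pre_tls12": legacy}


if __name__ == "__main__":
    for label, cl in (("MEDIUM (posted main.cf)", MEDIUM), ("COMPAT (assumed)", COMPAT)):
        r = report(cl)
        print(f"{label}: {r['total']} suites, {r['tls12_only']} need TLS 1.2, "
              f"{len(r['pre_tls12'])} usable by a TLS 1.0/1.1 client: {r['pre_tls12']}")
```

For MEDIUM the `pre_tls12` list is empty, which is exactly the situation the log line describes: the protocol is accepted, the cipher negotiation is not. To confirm against the live server, `openssl s_client -connect mail.example.invalid:465 -tls1_1` (implicit TLS) and `openssl s_client -starttls smtp -connect mail.example.invalid:587 -tls1_1` (STARTTLS) reproduce a pre-TLS-1.2 client; the hostname is a placeholder.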
  14. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    What is a recent outlook? 2010? 2016?
     
  15. rodrigosarri

    rodrigosarri Member

    Thanks a lot for the help. How can I create an exception for my clients or update them?
     
  16. rodrigosarri

    rodrigosarri Member

    I think it's 2016 (I use Office 365, which comes with the latest version) and I forgot to thank you for the help you have given me in answering my questions. Thank you very much.
     
  17. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    If they use 2016, I think the ciphers you currently have should work. Could it be that they logged in with an incorrect password and are banned by Fail2Ban? (shot in the dark btw)

    No problem :)
     
  18. Steini86

    Steini86 Active Member

    You have to add a cipher that they understand to the cipherlist. See my links before for old/medium/modern cipherlists.
    See Microsoft help for Office 365 updates: https://docs.microsoft.com/en-us/mi...eprecation-for-office-365?view=o365-worldwide
    An updated Office should be able to use TLS1.2 (except if you run it on Windows 7).
     
  19. rodrigosarri

    rodrigosarri Member

    There are almost 30 emails with problems, I think that was not the case.
     
  20. rodrigosarri

    rodrigosarri Member

    Thank you very much for your help. I did some tests this morning with some customers, but even using a newer Office (Outlook 365) I still can't connect using the settings port 587 and TLS encryption; only STARTTLS encryption is accepted, and whenever Outlook is opened there is a warning that the security certificate cannot be confirmed.

    I performed a check on this site and the result is that the Cert certificate is missing, do you know how I can do that?
    https://www.checktls.com/TestReceiver?LEVEL=DETAIL&EMAIL=magistrisdobrasil.com.br
