(Solved) Cannot send email

Discussion in 'ISPConfig 3 Priority Support' started by ganewbie, Oct 7, 2021.

  1. ganewbie

    ganewbie Member HowtoForge Supporter

    The server is Apache (Debian Buster) ISPConfig 3.1.15p2
    I can send and receive emails from any mail clients such as Outlook or Thunderbird.
    Yet I cannot send emails from a Debian Jessie server.
    Here is the error I see on my mail server.
    Code:
    Oct  6 19:04:41 srv2 postfix/smtps/smtpd[25996]: connect from unknown[x.y.z.W]
    Oct  6 19:04:41 srv2 postfix/smtps/smtpd[25996]: SSL_accept error from unknown[x.y.z.W]: -1
    Oct  6 19:04:41 srv2 postfix/smtps/smtpd[25996]: warning: TLS library problem: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:../ssl/record/rec_layer_s3.c:1544:SSL alert number 45:
    Oct  6 19:04:41 srv2 postfix/smtps/smtpd[25996]: lost connection after CONNECT from unknown[x.y.z.W]
    Oct  6 19:04:41 srv2 postfix/smtps/smtpd[25996]: disconnect from unknown[x.y.z.W] commands=0/0
    Where is the problem? Is it my mail server or my Linux server that sends through my mail server?
    Thanks,
     
  2. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    I'd guess it's at the client at this point, but could probably be either. If you provide your actual server name, someone could examine what is seen there.

    If this is a recent issue, and you use a letsencrypt certificate, it could be the recently expired root certificate at issue.
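An added example, not part of the original posts: in the log above, `ssl3_read_bytes` with error code `14094415` is a TLS alert that the server received, so it was the connecting client that rejected the certificate chain. The sketch below decodes such codes from Postfix smtpd log lines and groups them by client; it assumes the OpenSSL 1.1.x error-code layout, and the sample log and its address are constructed.

```python
import re
from collections import Counter

# Constructed sample modelled on the log in the first post; 192.0.2.10 is a placeholder address.
SAMPLE_LOG = """\
Oct  6 19:04:41 srv2 postfix/smtps/smtpd[25996]: connect from unknown[192.0.2.10]
Oct  6 19:04:41 srv2 postfix/smtps/smtpd[25996]: SSL_accept error from unknown[192.0.2.10]: -1
Oct  6 19:04:41 srv2 postfix/smtps/smtpd[25996]: warning: TLS library problem: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:../ssl/record/rec_layer_s3.c:1544:SSL alert number 45:
Oct  6 19:04:41 srv2 postfix/smtps/smtpd[25996]: lost connection after CONNECT from unknown[192.0.2.10]
"""

# TLS alert numbers a peer sends when it refuses the certificate chain it was shown.
CERT_ALERTS = {42: "bad_certificate", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}

LINE_RE = re.compile(r"postfix/(?:\S+/)?smtpd\[(\d+)\]: (.*)")
PEER_RE = re.compile(r"SSL_accept error from \S*\[([^\]]+)\]")
ERR_RE = re.compile(r"TLS library problem: error:([0-9A-Fa-f]{8}):")


def decode_openssl_error(code_hex):
    """Unpack an OpenSSL 1.1.x error code into (library, reason, alert number or None)."""
    code = int(code_hex, 16)
    lib, reason = code >> 24, code & 0xFFF
    # In the SSL library (0x14), reason 1000+N means TLS alert N was received from the peer.
    alert = reason - 1000 if lib == 0x14 and 1000 <= reason <= 1255 else None
    return lib, reason, alert


def peers_rejecting_chain(log_text):
    """Count certificate alerts received by smtpd, keyed by (client address, alert name)."""
    peer_by_pid, hits = {}, Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        peer = PEER_RE.search(msg)
        err = ERR_RE.search(msg)
        if peer:
            peer_by_pid[pid] = peer.group(1)  # remember which client this smtpd process is serving
        elif err:
            alert = decode_openssl_error(err.group(1))[2]
            if alert in CERT_ALERTS:
                hits[(peer_by_pid.get(pid, "unknown"), CERT_ALERTS[alert])] += 1
    return hits


if __name__ == "__main__":
    for (client, alert), n in peers_rejecting_chain(SAMPLE_LOG).items():
        print(f"{client} rejected the server's chain: {alert} x{n}")
```

A client that shows up here with `certificate_expired` while other clients connect normally is the one whose trust store or TLS library needs attention.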
     
  3. ganewbie

    ganewbie Member HowtoForge Supporter

    @Jesse Norell thanks for the quick response.
    Yes, it is a recent issue, like a week ago.
    The server and certificate are valid. I think you are right, it could be
    the DST Root CA X3 expiration.
    Is there a solution to this?
     
    Last edited: Oct 7, 2021
  4. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Update openssl/gnutls/certificate stores in the client (and server, but it's a client problem), try removing that root certificate from both the client and server, check into enabling 'trust first' in openssl on the client, and after that, start troubleshooting the specific ssl/tls client.

    You know, I bet if you forced renewal of your server certificate it would get one without the expired X3 in the certificate chain and resolve everything. I haven't seen that suggested as a solution offhand, but sure seems like that should do it.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

  6. ganewbie

    ganewbie Member HowtoForge Supporter

  7. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    On further thought, no, this wouldn't be a solution, as it is the intermediate certificate which is signed by the expired X3, not the server certificate, so as long as letsencrypt continues to use that intermediate cert, the issue will remain.
     
  8. ganewbie

    ganewbie Member HowtoForge Supporter

    @Jesse Norell
    Do you mean the problem will come back upon renewal?
     
  9. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    No, just that forcing renewal would not be a solution.
     