Postfix: Unable to receive email from older servers (no shared cipher due to ECC certificates)

TLDR:
Is it possible to configure a domain to have RSA certificates? ECC certificates cause problems for older mail servers, and we cannot receive email from them.



I have the same problem as this answer, serverfault.com/a/1176051
My postfix server uses ssl certificates from a website. Now that ispconfig issues ECC certificates, some older mail servers cannot connect and send us email, even though i have default config for my ciphers in postfix (smtpd_tls_mandatory_ciphers=medium and smtpd_tls_ciphers=medium)

for TLS v1.2 my server offers these ciphers, where no RSA ones are included:
TLSv1.2 (server order)
xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
xc0af ECDHE-ECDSA-AES256-CCM8 ECDH 253 AESCCM8 256 TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
xc0ad ECDHE-ECDSA-AES256-CCM ECDH 253 AESCCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_CCM
xc05d ECDHE-ECDSA-ARIA256-GCM-SHA384 ECDH 253 ARIAGCM 256 TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384
xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
xc0ae ECDHE-ECDSA-AES128-CCM8 ECDH 253 AESCCM8 128 TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
xc0ac ECDHE-ECDSA-AES128-CCM ECDH 253 AESCCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_CCM
xc05c ECDHE-ECDSA-ARIA128-GCM-SHA256 ECDH 253 ARIAGCM 128 TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256
xc024 ECDHE-ECDSA-AES256-SHA384 ECDH 253 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
xc073 ECDHE-ECDSA-CAMELLIA256-SHA384 ECDH 253 Camellia 256 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
xc023 ECDHE-ECDSA-AES128-SHA256 ECDH 253 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
xc072 ECDHE-ECDSA-CAMELLIA128-SHA256 ECDH 253 Camellia 128 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
xc00a ECDHE-ECDSA-AES256-SHA ECDH 253 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
xc009 ECDHE-ECDSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

an older server that cannot send us email has:
TLSv1.2 (server order)
xc028 ECDHE-RSA-AES256-SHA384 ECDH 384 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
xc027 ECDHE-RSA-AES128-SHA256 ECDH 384 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
xc014 ECDHE-RSA-AES256-SHA ECDH 384 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA
x0a DES-CBC3-SHA RSA 3DES 168 TLS_RSA_WITH_3DES_EDE_CBC_SHA
x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA
x05 RC4-SHA RSA RC4 128 TLS_RSA_WITH_RC4_128_SHA
x04 RC4-MD5 RSA RC4 128 TLS_RSA_WITH_RC4_128_MD5

(we have no ciphers in common)


when i changed ispconfig to issue RSA certificates the issue was fixed, and my server now offers these ciphers, so we can now receive email from them.

TLSv1.2 (server order)
xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
xc061 ECDHE-ARIA256-GCM-SHA384 ECDH 253 ARIAGCM 256 TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
xc060 ECDHE-ARIA128-GCM-SHA256 ECDH 253 ARIAGCM 128 TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
xc028 ECDHE-RSA-AES256-SHA384 ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
xc077 ECDHE-RSA-CAMELLIA256-SHA384 ECDH 253 Camellia 256 TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
xc027 ECDHE-RSA-AES128-SHA256 ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
xc076 ECDHE-RSA-CAMELLIA128-SHA256 ECDH 253 Camellia 128 TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
xc014 ECDHE-RSA-AES256-SHA ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
xc013 ECDHE-RSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384
xc0a1 AES256-CCM8 RSA AESCCM8 256 TLS_RSA_WITH_AES_256_CCM_8
xc09d AES256-CCM RSA AESCCM 256 TLS_RSA_WITH_AES_256_CCM
xc051 ARIA256-GCM-SHA384 RSA ARIAGCM 256 TLS_RSA_WITH_ARIA_256_GCM_SHA384
x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256
xc0a0 AES128-CCM8 RSA AESCCM8 128 TLS_RSA_WITH_AES_128_CCM_8
xc09c AES128-CCM RSA AESCCM 128 TLS_RSA_WITH_AES_128_CCM
xc050 ARIA128-GCM-SHA256 RSA ARIAGCM 128 TLS_RSA_WITH_ARIA_128_GCM_SHA256
x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256
xc0 CAMELLIA256-SHA256 RSA Camellia 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
x3c AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256
xba CAMELLIA128-SHA256 RSA Camellia 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA
x84 CAMELLIA256-SHA RSA Camellia 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA
x41 CAMELLIA128-SHA RSA Camellia 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA


Is it possible to configure a domain to have RSA certificates and not have this setting for all websites of the server?

 

Thanks for your answer! That is a good pointer as my forum search wasn't good enough

 

My mailservers are using both RSA and ECC certificates in postfix as well as dovecot.
So there can be switched to RSA when a client or other server doesn't support ECC certificates.
My latest server even uses SNI in both postfix and dovecot.
And yes, it involves some manual work and reading postfix and dovecot docs prior to that.

By the way, also several websites are supporting both RSA and ECC on my apache and nginx servers.

 

Hi @remkoh ! Can you share any of your scripts or instructions of how you are doing it?

 

RSA and ECC system certificates to be used by postfix and dovecot:
(for acme.sh only!)

All my servers are set to use RSA certificates under System >> Server Configuration >> [server] >> Web >> SSL Settings
Not sure if that is of any influence on the system certificate. Mine are RSA by default.
I'm assuming yours are too and your server has a webserver installed that can be reached on port 80.

I have copied /usr/local/ispconfig/server/scripts/letsencrypt_renew_hook.sh to /usr/local/ispconfig/server/scripts/letsencrypt_ecc_renew_hook.sh and changed lines 10-11 and 39-43 in the new file:

Code:

...
if [ -e "/usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_ecc_renew_hook.sh" ]; then
  . /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_ecc_renew_hook.sh
...
    ipem=ispserver_ecc.pem
    icrt=ispserver_ecc.crt
    ikey=ispserver_ecc.key
    if ls ispserver_ecc.*.bak &>/dev/null; then
      rm ispserver_ecc.*.bak
...

Then I created a symlink to the new file:

Code:

ln -s /usr/local/ispconfig/server/scripts/letsencrypt_ecc_renew_hook.sh /usr/local/bin/letsencrypt_ecc_renew_hook.sh

This will be used by acme.sh later.

Now to create an ECC system certificate:

Code:

acme.sh --issue -d [servername]
-w "/usr/local/ispconfig/interface/acme" --always-force-new-domain-key
--keylength ec-256 --key-file "/usr/local/ispconfig/interface/ssl/ispserver_ecc.key" --fullchain-file "/usr/local/ispconfig/interface/ssl/ispserver_ecc.crt" --renew-hook "letsencrypt_ecc_renew_hook.sh"

If you don't have a webserver running than use standalone mode:

Code:

acme.sh --issue -d [servername] --standalone
--always-force-new-domain-key
--keylength ec-256 --key-file "/usr/local/ispconfig/interface/ssl/ispserver_ecc.key" --fullchain-file "/usr/local/ispconfig/interface/ssl/ispserver_ecc.crt" --renew-hook "letsencrypt_ecc_renew_hook.sh"

Though make sure you have opened port 80 in your firewall!

Create symlinks to the new certificate and key in the postfix folder:

Code:

ln -s /usr/local/ispconfig/interface/ssl/ispserver_ecc.crt /etc/postfix/smtpd_ecc.cert
ln -s /usr/local/ispconfig/interface/ssl/ispserver_ecc.key /etc/postfix/smtpd_ecc.key

Now to make postfix ECC compatible.
Open /etc/postfix/main.cf in an editor and find lines:

Code:

smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key

Add these lines below:

Code:

smtpd_tls_eccert_file = /etc/postfix/smtpd_ecc.cert
smtpd_tls_eckey_file = /etc/postfix/smtpd_ecc.key

And for dovecot ...
File /etc/dovecot/dovecot.conf should end with:

Code:

!include_try conf.d/99-ispconfig-custom-config.conf

If so, open /etc/dovecot/conf.d/99-ispconfig-custom-config.conf in an editor and add:

Code:

ssl_alt_cert = </etc/postfix/smtpd_ecc.cert
ssl_alt_key = </etc/postfix/smtpd_ecc.key

If not, add the lines in /etc/dovecot/dovecot.conf

Final step is to reload postfix and dovecot:

Code:

systemctl force-reload postfix dovecot

Now postfix and dovecot should support both RSA and ECC certificates, where ECC will be favored.
But clients that don't support ECC will still be able to use RSA instead.

 

If your current system certificate is ECC instead of RSA revoke it and delete its folder in /root/acme.sh/

Create a new RSA system certificate using this command:

Code:

acme.sh --issue -d [servername]
-w "/usr/local/ispconfig/interface/acme" --always-force-new-domain-key
--keylength 4096 --key-file "/usr/local/ispconfig/interface/ssl/ispserver.key" --fullchain-file "/usr/local/ispconfig/interface/ssl/ispserver.crt" --renew-hook "letsencrypt_renew_hook.sh"

 

For websites I let ispconfig create RSA certificates.
When I want an ECC certificate too I create that one by hand and add a directive in the website's config in ispconfig.

Apache:

Code:

acme.sh --issue -d [domainname] -d www.[domainname]
-w "/usr/local/ispconfig/interface/acme" --always-force-new-domain-key
--keylength ec-256 --key-file '/var/www/clients/[clientid]/[webid]/ssl/[domainname]_ecc-le.key' --fullchain-file '/var/www/clients/[clientid]/[webid]/ssl/[domainname]_ecc-le.crt' --reloadcmd 'systemctl force-reload apache2.service' --log '/var/log/ispconfig/acme.log'

Nginx:
Change --reloadcmd 'systemctl force-reload apache2.service' to --reloadcmd 'systemctl force-reload nginx.service'

You can add extra -d's for alias domains.

And add this Apache directive:

Code:

SSLCertificateFile {DOCROOT_CLIENT}/../ssl/{DOMAIN}_ecc-le.crt
SSLCertificateKeyFile {DOCROOT_CLIENT}/../ssl/{DOMAIN}_ecc-le.key

or this Nginx directive:

Code:

ssl_certificate {DOCROOT_CLIENT}/../ssl/{DOMAIN}_ecc-le.crt;
ssl_certificate_key {DOCROOT_CLIENT}/../ssl/{DOMAIN}_ecc-le.key;

The same as with postfix and dovecot will apache and nginx too favor ECC over RSA.
But clients that don't support ECC will be able to use RSA instead.

 

Hi @remkoh , thanks for your very detailed answer! I really appreciate the effort you took.
This is very useful and when i find time i will try to implement it on my server.

 

@remkoh - Thank You very much!

I try it another way round and keep ECC as standard in ISPConfig.
But in particular I want on port 25 a greater compatibility.

Code:

cp -i -v /usr/local/ispconfig/server/scripts/letsencrypt_renew_hook.sh /usr/local/ispconfig/server/scripts/letsencrypt_rsa_renew_hook.sh
ln -s /usr/local/ispconfig/server/scripts/letsencrypt_rsa_renew_hook.sh /usr/local/bin/letsencrypt_rsa_renew_hook.sh

/usr/local/bin/letsencrypt_rsa_renew_hook.sh:

Code:

if [ -e "/usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_rsa_renew_hook.sh" ]; then
  . /usr/local/ispconfig/server/conf-custom/scripts/letsencrypt_rsa_renew_hook.sh
...
    ipem=ispserver_rsa.pem
    icrt=ispserver_rsa.crt
    ikey=ispserver_rsa.key
    if ls ispserver_rsa.*.bak &>/dev/null; then
      rm ispserver_rsa.*.bak
...

Issue RSA certificate and create symlinks :

Code:

acme.sh --issue -d <SERVERNAME> -w "/usr/local/ispconfig/interface/acme" --always-force-new-domain-key --keylength 4096 --key-file "/usr/local/ispconfig/interface/ssl/ispserver_rsa.key" --fullchain-file "/usr/local/ispconfig/interface/ssl/ispserver_rsa.crt" --renew-hook "letsencrypt_rsa_renew_hook.sh"

ln -s /usr/local/ispconfig/interface/ssl/ispserver_rsa.crt /etc/postfix/smtpd_rsa.cert
ln -s /usr/local/ispconfig/interface/ssl/ispserver_rsa.key /etc/postfix/smtpd_rsa.key
ln -s /usr/local/ispconfig/interface/ssl/dhparam4096.pem /etc/postfix/dhparam4096.pem

/usr/local/ispconfig/server/conf-custom/install/postfix_custom.conf.master:

Code:

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/smtpd_rsa.cert
smtpd_tls_key_file = /etc/postfix/smtpd_rsa.key
smtpd_tls_eccert_file = /etc/postfix/smtpd.cert
smtpd_tls_eckey_file = /etc/postfix/smtpd.key
smtpd_tls_dh1024_param_file = /etc/postfix/dhparam4096.pem

# While on port 25 cipher level is medium, set port 465 on higher level
tls_preempt_cipherlist = yes
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_mandatory_ciphers = high

ispconfig_update.sh --force

 

My setup has mail.clientdomain.com for each client email domain as aliases to servername.com which is a site in ispconfig. That website is their roundcube webmail, and its ssl cert is symbolic linked to postfix/dovecot. Ispconfig creates servername.com_ecc folder and config in .acme.sh. I think it would be neat if there was a way for a servername.com folder/config in .acme.sh to be created and in sync with the ecc one, so an rsa cert would be issued in parallel with the ecc and be used in postfix, keeping ispconfig and all websites with the ecc certs

 

Just use post #6 and post #8 and tweak them a bit.

Manually issue a RSA certificate with the same domainnames as your existing ECC certificate has.

Apache:

Code:

acme.sh --issue -d [servername] -d mail.[domainname1] -d mail.[domainname2]
-w "/usr/local/ispconfig/interface/acme" --always-force-new-domain-key
--keylength 4096 --key-file '/var/www/clients/[clientid]/[webid]/ssl/[domainname]_rsa-le.key' --fullchain-file '/var/www/clients/[clientid]/[webid]/ssl/[domainname]_rsa-le.crt' --reloadcmd 'systemctl force-reload apache2.service' --log '/var/log/ispconfig/acme.log'

Nginx:
Change --reloadcmd 'systemctl force-reload apache2.service' to --reloadcmd 'systemctl force-reload nginx.service'[/QUOTE]

And add this Apache directive:

Code:

SSLCertificateFile {DOCROOT_CLIENT}/../ssl/{DOMAIN}_rsa-le.crt
SSLCertificateKeyFile {DOCROOT_CLIENT}/../ssl/{DOMAIN}_rsa-le.key

or this Nginx directive:

Code:

ssl_certificate {DOCROOT_CLIENT}/../ssl/{DOMAIN}_rsa-le.crt;
ssl_certificate_key {DOCROOT_CLIENT}/../ssl/{DOMAIN}_rsa-le.key;

Not sure though if the final order in both Apache's and Nginx's vhost file is of importance.

Create symlinks to the new certificate and key in the postfix folder:

Code:

ln -s /var/www/clients/[clientid]/[webid]/ssl/[domainname]_rsa-le.crt /etc/postfix/smtpd_rsa.cert
ln -s /var/www/clients/[clientid]/[webid]/ssl/[domainname]_rsa-le.key /etc/postfix/smtpd_rsa.key

Now to make postfix both RSA and ECC compatible.
Open /etc/postfix/main.cf in an editor and find lines:

Code:

smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key

change them to

Code:

smtpd_tls_cert_file = /etc/postfix/smtpd_rsa.cert
smtpd_tls_key_file = /etc/postfix/smtpd_rsa.key

and add these lines below:

Code:

smtpd_tls_eccert_file = /etc/postfix/smtpd.cert
smtpd_tls_eckey_file = /etc/postfix/smtpd.key

And for dovecot ...
Open /etc/dovecot/dovecot.conf in an editor and find line

Code:

ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key

change too

Code:

ssl_cert = </etc/postfix/smtpd_rsa.cert
ssl_key = </etc/postfix/smtpd_rsa.key

File /etc/dovecot/dovecot.conf should end with:

Code:

!include_try conf.d/99-ispconfig-custom-config.conf

If so, open /etc/dovecot/conf.d/99-ispconfig-custom-config.conf in an editor and add:

Code:

ssl_alt_cert = </etc/postfix/smtpd.cert
ssl_alt_key = </etc/postfix/smtpd.key

If not, add the lines in /etc/dovecot/dovecot.conf

Final step is to reload postfix and dovecot:

Code:

systemctl force-reload postfix dovecot

 

So You need the RSA Certificate and Ciphers only for email exchange on port 25?
That is exactly what I had described above with my adaption of the description of @remkoh.
And it is safe to ISPConfig Updates.

 

Internet.nl kicked me out of the Hall of Fame.

But Hardenizer.com still gives me a green light on every check.

I think their comments are quite reasonable:

 

I've looked at the configurations of other email providers on the market, especially those that advertise strong security.
E.g. Protonmail.ch, Mailbox.org and others.

Some have already disabled TLS 1.0 and 1.1, as well as weak ciphers - but they all use RSA certificates.
So, there still seems to be a pressing need for RSA.

But nevertheless ECC is the future.
So - @remkoh again thank You very much for Your dual solution!

I've found the reason why Internet.NL kicked me out of their "Hall of Fame":
For RSA certificate add in Postfix configuration the following parameter:

Code:

smtpd_tls_dh1024_param_file = /etc/postfix/dhparam4096.pem

=> Back in Hall

See Update of my full description in #Post 10

 

Absolutely true.

Though for the time being ispconfig should have stayed with rsa by default in my opinion.
Ecc should have been added as an extra option besides rsa. At least in website settings.
Something similar to the DNSSEC Algorithm choice we've got in dns zone settings would have been great, instead of the serverwide choice between the both in server settings that we've now got.

Almost all important components (postfix, dovecot, apache, nginx) support dual rsa and ecc. Only pure-ftpd doesn't I think (so should stay with rsa for compatibility reasons).
For postfix, dovecot, ispc panel etc. (everything that uses the system certificate) the install script should easily be able to issue both rsa and ecc certificates and implement both in the respective configs.

Acme.sh by design uses different folders for rsa and ecc. So no possible conflicts there.
Not sure about certbot's design, though it's easily achievable with the --cert-name parameter to separate rsa and ecc into different folders.

Ispconfig in whole than would have been far more widely compatible.
Equipt with the modern ecc and still fully compatible with rsa, which will continue to be around for years to come.