After upgrading to ISPConfig 3.2, emails with TLS configuration stopped sending email

Discussion in 'General' started by rodrigosarri, Oct 19, 2020.

  1. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Port 587 is for STARTTLS, port 465 is for TLS. The warning you see is indeed because there is a self-signed certificate. You can replace it with a Let's Encrypt certificate following this tutorial: https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/

    Though I did it in a different way to have a different cert for mail than for the panel:
    - Add a website with the hostname of your mailserver to ISPConfig. Check the Let's Encrypt checkbox to acquire a Let's Encrypt certificate.
    - Add any other names for your server (e.g. imap.example.com, smtp.example.com) as aliasdomains of the main domain.
    - Verify that the certificate is issued for the site
    - Log in to your server
    - Run this (replace sitename-in-ispconfig.com with the hostname you used):
    Code:
    cd /etc/postfix/
    mv smtpd.cert smtpd.cert-$(date +"%y%m%d%H%M%S").bak
    mv smtpd.key smtpd.key-$(date +"%y%m%d%H%M%S").bak
    ln -s /etc/letsencrypt/live/sitename-in-ispconfig.com/fullchain.pem smtpd.cert
    ln -s /etc/letsencrypt/live/sitename-in-ispconfig.com/privkey.pem smtpd.key
    systemctl restart postfix
    systemctl restart dovecot
    Then open a new script:
    Code:
    nano /etc/init.d/le_mail_pem.sh
    Paste this in that file (replace sitename-in-ispconfig.com with the hostname you used):
    Code:
    #!/bin/sh
    ### BEGIN INIT INFO
    # Provides: LE MAILSERVER CERT AUTO UPDATER
    # Required-Start: $local_fs $network
    # Required-Stop: $local_fs
    # Default-Start: 2 3 4 5
    # Default-Stop: 0 1 6
    # Short-Description: LE MAILSERVER CERT AUTO UPDATER
    # Description: Update mail server cert automatically when a new cert is issued.
    ### END INIT INFO
    cd /etc/postfix/
    mv smtpd.cert smtpd.cert-$(date +"%y%m%d%H%M%S").bak
    mv smtpd.key smtpd.key-$(date +"%y%m%d%H%M%S").bak
    ln -s /etc/letsencrypt/live/sitename-in-ispconfig.com/fullchain.pem smtpd.cert
    ln -s /etc/letsencrypt/live/sitename-in-ispconfig.com/privkey.pem smtpd.key
    systemctl restart postfix
    systemctl restart dovecot
    Then install incron:
    Code:
    apt install incron
    Make the script executable and allow root to use incron:
    Code:
    chmod +x /etc/init.d/le_mail_pem.sh
    echo "root" >> /etc/incron.allow
    Open incrontab:
    Code:
    incrontab -e
    Add this:
    Code:
    /etc/letsencrypt/archive/sitename-in-ispconfig.com/ IN_MODIFY /etc/init.d/le_mail_pem.sh
    Credits to @ahrasis for the original code and tutorial.

    I once had a problem with this, because the main hostname was one of the aliasdomains. You can check this by viewing the cert in your browser or listing the content of /etc/letsencrypt/live to see which of the (alias)domains has a cert there.
     
    Last edited: Oct 26, 2020
  2. marceloleaes

    marceloleaes New Member

    I had the same problem here after updating.
    Windows 7 machines, even updated with Office 2013.

    The solution was to apply the registry fix at the URL below.
    It forces the use of TLS 1.2, leaves 1.1 as a fallback and disables 1.0.

    Download: https://eth1.com.br/softwares/?dir=Windows/TLS
     
  3. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    This issue should be fixed in 3.2.1.
     
  4. Robin.k

    Robin.k Member

    Th0m said: "a self signed certificate. You can replace it with a Let's Encrypt certificate"
    My setup is Debian 10 with ISPconfig 3.2
    I tried to replace the self signed certificate with a Let's Encrypt certificate, following your instructions, but I have some problems.
    When I do "chmod +x /etc/init.d/le_ispc_pem.sh" the terminal says "cannot access '/etc/init.d/le_ispc_pem.sh': No such file or directory". When I look in init.d/ I can only find "le_mail_pem.sh". Should I use this?
    Thanks
     
  5. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Yes, my bad. I changed the name but forgot to change the chmod command. Will edit my command. You're lucky I'm Dutch btw, most of the other users don't understand it ;)
     
  6. Robin.k

    Robin.k Member

    OK thanks, I saw that you were from Amsterdam, so I was lucky you understand the Dutch language :)
    I tried this but now my mail is not working anymore. When I check with ssl-tools.net it says "STARTTLS unsupported". Do I have to restart the server?
     
  7. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    No, that shouldn't be necessary. Take a look at your logs (/var/log/mail.log and /var/log/syslog) to see if there is an error on startup of postfix / dovecot.
     
  8. Robin.k

    Robin.k Member

    Here is the output from mail.log after starting Postfix:

    Code:
    warning: TLS library problem: error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:288:fopen('/etc/postfix/smtpd.cert','r'):
    warning: cannot get RSA certificate from file "/etc/postfix/smtpd.cert": disabling TLS support
    warning: TLS library problem: error:20074002:BIO routines:file_ctrl:system lib:../crypto/bio/bss_file.c:290:
    warning: TLS library problem: error:140DC002:SSL routines:use_certificate_chain_file:system lib:../ssl/ssl_rsa.c:615:
     
  9. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    The certificate file is missing in /etc/postfix, you can check this with
    Code:
    ls /etc/postfix
    Try running this again:
    Code:
    cd /etc/postfix/
    mv smtpd.cert smtpd.cert-$(date +"%y%m%d%H%M%S").bak
    mv smtpd.key smtpd.key-$(date +"%y%m%d%H%M%S").bak
    ln -s /etc/letsencrypt/live/sitename-in-ispconfig.com/fullchain.pem smtpd.cert
    ln -s /etc/letsencrypt/live/sitename-in-ispconfig.com/privkey.pem smtpd.key
    systemctl restart postfix
    systemctl restart dovecot
    Replace sitename-in-ispconfig.com with your sitename!
     
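    The cert swap from the first post and the fix in the post above, as an added example (not ISPConfig's code and not the script from the first post). It adds the preflight check that would have caught the broken link in post 8: nothing in /etc/postfix is touched unless the Let's Encrypt files for the given site name exist, the certificate and key are checked to belong together when openssl is installed, the timestamped backups are kept, and re-running it (as incron will) is harmless. The live directory and the Postfix directory are parameters; sitename-in-ispconfig.com is the same placeholder as above.

```sh
#!/bin/sh
# Added example, not ISPConfig's code and not the script from the first post.
# Point Postfix's smtpd.cert / smtpd.key at the Let's Encrypt files of one
# site, but only after checking that those files actually exist: a wrong
# site name would otherwise leave dangling symlinks, Postfix then logs
# "cannot get RSA certificate ... disabling TLS support" and STARTTLS is gone.
#
# usage: install_mail_cert <letsencrypt-live-dir> <postfix-dir>
set -eu

install_mail_cert() {
    live="$1"                 # e.g. /etc/letsencrypt/live/sitename-in-ispconfig.com
    pfx="$2"                  # normally /etc/postfix
    cert="$live/fullchain.pem"
    key="$live/privkey.pem"

    # 1. Preflight: both sources must resolve to readable files (certbot keeps
    #    symlinks here that point into ../../archive, so -f follows them).
    for f in "$cert" "$key"; do
        if [ ! -f "$f" ] || [ ! -r "$f" ]; then
            echo "install_mail_cert: $f missing or unreadable; wrong site name?" >&2
            return 1
        fi
    done

    # 2. Refuse a certificate/key pair that does not belong together: the
    #    public key inside the certificate must equal the key's public half.
    if command -v openssl >/dev/null 2>&1; then
        cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
        key_pub=$(openssl pkey -in "$key" -pubout)
        if [ "$cert_pub" != "$key_pub" ]; then
            echo "install_mail_cert: $cert and $key do not match" >&2
            return 1
        fi
    fi

    # 3. Keep a timestamped backup of whatever is there (the self-signed file
    #    or an older symlink), then install the new links. -n keeps ln from
    #    descending into a directory target; -f makes re-runs idempotent.
    stamp=$(date +"%y%m%d%H%M%S")
    for name in smtpd.cert smtpd.key; do
        if [ -e "$pfx/$name" ] || [ -L "$pfx/$name" ]; then
            mv "$pfx/$name" "$pfx/$name-$stamp.bak"
        fi
    done
    ln -sfn "$cert" "$pfx/smtpd.cert"
    ln -sfn "$key"  "$pfx/smtpd.key"

    # 4. Post-check from Postfix's point of view: the links must resolve.
    [ -r "$pfx/smtpd.cert" ] && [ -r "$pfx/smtpd.key" ]
}

# When run as a script (e.g. from incron) do the swap and only then restart
# the daemons that read smtpd.cert; nothing happens without arguments.
if [ "$#" -ge 2 ]; then
    install_mail_cert "$1" "$2"
    systemctl restart postfix
    systemctl restart dovecot
fi
```

    Called as `sh le_mail_pem.sh /etc/letsencrypt/live/sitename-in-ispconfig.com /etc/postfix` it restarts Postfix and Dovecot only after the links resolve, so the incron line from the first post can point at it unchanged. Verify the result the same way the log excerpt above suggests: `ls -l /etc/postfix/smtpd.cert` must show a link to an existing fullchain.pem, and /var/log/mail.log must not repeat the "cannot get RSA certificate" warning after the restart.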
  10. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I am sorry, but ISPConfig 3.2 uses a different approach, so I think it is best to undo and remove LE4ISPC before continuing to use this version.

    Run ISPConfig instructions to update to 3.2 and choose to create SSL certs during that process.

    If problems are still thereafter, do read and try the faq, https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/
     
  11. Robin.k

    Robin.k Member

    Hi, my setup is now a fresh Debian 10 with a fresh install of ISPConfig 3.2 (not an update to 3.2). I tried the code again and it is working now. Probably I forgot to replace sitename-in-ispconfig.com with my sitename, so there was a faulty link.

    See new thread
    (https://www.howtoforge.com/community/threads/sll-certificate-for-email.85471/)
    Now the next question: I have 3 different domains, and on the site that delivers the domains I set up the DNS records for each domain. The Let's Encrypt certificate that is created is only for 1 email domain. Is it possible to do this for all 3 different domain names?
    Now 1 email has the correct hostname LE, and the other 2 emails have the incorrect hostname LE.
     
    Last edited: Oct 27, 2020
  12. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    For a next question, you should create a new thread when the new question does not deal with the problem in this thread.
     
  13. Robin.k

    Robin.k Member

    OK, I added a new thread :)
     
  14. ralfba

    ralfba New Member

    Hi ...
    Sorry, I am a bit confused now with this topic.
    Is there any need to do something within the control panel with version 3.2 and above to ensure that all ISPConfig-related services use Let's Encrypt certificates, or is this now done by the upgrade routine?
    If I need to create anything like sites or domains within the control panel, where is this now described?
    Thanks for your feedback. r
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    This is done by the upgrade routine, just choose to create a new SSL cert when the updater asks.
     
  16. chrmrtns

    chrmrtns New Member

    If the error still exists, it may be helpful to replace "dane" in Postfix with "may".

    Something like:
    Code:
    sed -i -e 's/smtp_tls_security_level = dane/smtp_tls_security_level = may/g' /etc/postfix/main.cf
    Make a backup first of your main.cf and restart Postfix after editing the file.
     
    Last edited: Apr 7, 2022
  17. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    You write code by using [ code ] --> code here <-- [ /code ] tag, obviously with no space in the brackets.
     
  18. chrmrtns

    chrmrtns New Member

    Thanks, that helped. Really appreciated.
     
  19. original_drew

    original_drew New Member

    Hi Chrmrtns,
    Could you elaborate a little on what this does and which error it fixes exactly please?
     
  20. chrmrtns

    chrmrtns New Member


    DANE is an extra security layer using DNSSEC, and not all servers support it.

    If it is not configured correctly, messages in/out will not be delivered because smtp_tls_security_check fails.

    If you change it to 'may', the verification is optional and mails will be sent and delivered.
     
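    What the "dane" level actually checks, as an added example that is not part of chrmrtns' post or of Postfix's code. `smtp_tls_security_level` governs Postfix as an SMTP client, so it decides whether your server hands mail to a remote MX. At `dane`, Postfix looks up DNSSEC-signed TLSA records for the remote MX (this needs `smtp_dns_support_level = dnssec` and a validating resolver); without validated records it behaves like `may`, with records that exist but are unusable it behaves like `encrypt`, and with usable records the remote certificate must match one of them or the mail is deferred. The code below implements that decision and the matching step for the common "3 1 1" case (DANE-EE, SubjectPublicKeyInfo, SHA-256) and for DANE-TA with the chain-signature check left out; the certificate and SPKI bytes are constructed stand-ins, not real DER.

```python
"""Added example (not chrmrtns' post, not Postfix's code): the TLSA matching
that smtp_tls_security_level = dane applies to a remote MX certificate,
following RFC 7672 section 3. Certificate bytes below are constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

CertPair = Tuple[bytes, bytes]  # (certificate DER, SubjectPublicKeyInfo DER)


@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes


def parse_tlsa(presentation: str) -> TLSA:
    """Parse the zone-file / dig form, e.g. '3 1 1 8bd1...' (hex may contain spaces)."""
    usage, selector, mtype, hexdata = presentation.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", "")))


def usable(rec: TLSA) -> bool:
    """RFC 7672 3.1.3: PKIX usages 0/1 are not usable for SMTP; unknown
    selectors or matching types are skipped as well."""
    return rec.usage in (2, 3) and rec.selector in (0, 1) and rec.mtype in (0, 1, 2)


def association_data(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute what the record's data field must equal for this certificate."""
    raw = cert_der if rec.selector == 0 else spki_der
    if rec.mtype == 0:
        return raw
    if rec.mtype == 1:
        return hashlib.sha256(raw).digest()
    return hashlib.sha512(raw).digest()


def dane_verdict(records: Sequence[TLSA], dnssec_validated: bool,
                 leaf: CertPair, issuers: List[CertPair]) -> str:
    """Outcome Postfix reaches at smtp_tls_security_level = dane:
      'no-tlsa'  -> effective level 'may'     (no DNSSEC-validated records)
      'unusable' -> effective level 'encrypt' (records exist, none usable)
      'verified' -> delivered over authenticated TLS
      'mismatch' -> certificate fails DANE verification, delivery deferred
    """
    if not dnssec_validated or not records:
        return "no-tlsa"
    usable_recs = [r for r in records if usable(r)]
    if not usable_recs:
        return "unusable"
    for r in usable_recs:
        if r.usage == 3 and association_data(r, *leaf) == r.data:
            return "verified"
        # DANE-TA: a presented issuer certificate must match the record. A real
        # client additionally verifies that the leaf chains to it (omitted here).
        if r.usage == 2 and any(association_data(r, *ca) == r.data for ca in issuers):
            return "verified"
    return "mismatch"


# Constructed stand-ins for DER bytes; a real client takes them from the TLS
# handshake (equivalent to `openssl x509 -outform DER` and `-pubkey`).
OLD_SPKI = b"SPKI:constructed-example:key-A"
OLD_CERT = b"CERT:constructed-example:" + OLD_SPKI
NEW_SPKI = b"SPKI:constructed-example:key-B"   # key changed by a renewal
NEW_CERT = b"CERT:constructed-example:" + NEW_SPKI

# What the remote operator published for _25._tcp.<mx>: the usual "3 1 1".
PUBLISHED = [parse_tlsa("3 1 1 " + hashlib.sha256(OLD_SPKI).hexdigest())]


def demo() -> Dict[str, str]:
    return {
        "before_rotation": dane_verdict(PUBLISHED, True, (OLD_CERT, OLD_SPKI), []),
        "after_rotation": dane_verdict(PUBLISHED, True, (NEW_CERT, NEW_SPKI), []),
        "unsigned_zone": dane_verdict(PUBLISHED, False, (NEW_CERT, NEW_SPKI), []),
        "pkix_only": dane_verdict(
            [parse_tlsa("1 1 1 " + hashlib.sha256(NEW_SPKI).hexdigest())],
            True, (NEW_CERT, NEW_SPKI), []),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16} {verdict}")
```

    The "after_rotation" case is the one that turns into deferred mail in practice: the remote side renewed its certificate with a fresh key (Let's Encrypt renewals do that unless the key is explicitly reused) but still publishes the old TLSA hash. Switching to `may`, as chrmrtns suggests, makes delivery succeed again at the price of not authenticating any remote MX; keeping `dane` and fixing the resolver, or getting the remote operator to update their TLSA record, keeps the protection.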
