Dear Support, hello again. I have a client; when sending an email from [email protected] to [email protected], my Postfix log says:

Oct 20 13:18:09 mail postfix/smtp[10977]: certificate verification failed for mail.hwg-media.de[87.138.236.33]:25: untrusted issuer /C=de/L=Neuwied/O=H.W.G Marteking & Werbung/CN=H.W.G Marteking & Werbung WebAdmin CA/emailAddress=[email protected]
Oct 20 13:18:11 mail postfix/smtp[10977]: 467574196: to=<[email protected]>, relay=mail.hwg-media.de[87.138.236.33]:25, delay=3.4, delays=0.1/0/1.7/1.6, dsn=5.0.0, status=bounced (host mail.hwg-media.de[87.138.236.33] said: 550 Administrative prohibition (in reply to end of DATA command))

Here the mail is undelivered and it says: host mail.hwg-media.de[87.138.236.33] said: 550 Administrative prohibition (in reply to end of DATA command)

And in the other case, the mail is sent:

Oct 20 15:22:56 mail postfix/smtp[32348]: certificate verification failed for mail.hwg-media.de[87.138.236.33]:25: untrusted issuer /C=de/L=Neuwied/O=H.W.G Marteking & Werbung/CN=H.W.G Marteking & Werbung WebAdmin CA/emailAddress=[email protected]
Oct 20 15:22:58 mail postfix/smtp[32348]: 593B6412A: to=<[email protected]>, relay=mail.hwg-media.de[87.138.236.33]:25, delay=3.7, delays=0.06/0/2.4/1.2, dsn=2.0.0, status=sent (250 OK id=1e5Z8T-0005b8-0j)

Note: In some cases the mail is undelivered and in others it is sent.

I'll appreciate your cooperation.
Nestor Mazza
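An added example, not code from the original post: a small parser that pairs each postfix/smtp delivery line with the TLS warning the same smtp(8) process logged just before it for that relay, run over a constructed copy of the four lines above (the mail addresses are replaced with example ones). Under opportunistic TLS Postfix logs "certificate verification failed" and delivers anyway, and the correlation makes that visible: the warning accompanies both the bounced and the sent attempt, so the 550 is the remote server's policy decision, not a TLS failure on this side.

```python
import re

# Constructed sample based on the four postfix/smtp lines quoted above;
# addresses replaced, relay/dsn/status fields kept as in the post.
SAMPLE_LOG = """\
Oct 20 13:18:09 mail postfix/smtp[10977]: certificate verification failed for mail.hwg-media.de[87.138.236.33]:25: untrusted issuer /C=de/L=Neuwied/O=H.W.G Marteking & Werbung/CN=H.W.G Marteking & Werbung WebAdmin CA
Oct 20 13:18:11 mail postfix/smtp[10977]: 467574196: to=<recipient@example.net>, relay=mail.hwg-media.de[87.138.236.33]:25, delay=3.4, delays=0.1/0/1.7/1.6, dsn=5.0.0, status=bounced (host mail.hwg-media.de[87.138.236.33] said: 550 Administrative prohibition (in reply to end of DATA command))
Oct 20 15:22:56 mail postfix/smtp[32348]: certificate verification failed for mail.hwg-media.de[87.138.236.33]:25: untrusted issuer /C=de/L=Neuwied/O=H.W.G Marteking & Werbung/CN=H.W.G Marteking & Werbung WebAdmin CA
Oct 20 15:22:58 mail postfix/smtp[32348]: 593B6412A: to=<recipient@example.net>, relay=mail.hwg-media.de[87.138.236.33]:25, delay=3.7, delays=0.06/0/2.4/1.2, dsn=2.0.0, status=sent (250 OK id=1e5Z8T-0005b8-0j)
"""

# Client-side TLS warning: smtp(8) pid and the relay it was talking to.
TLS_WARN = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: certificate verification failed for "
    r"(?P<relay>\S+): (?P<reason>.*)")
# Delivery attempt: queue id, recipient, relay, DSN code, status and the
# remote reply in parentheses.
DELIVERY = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-F]+): to=<(?P<to>[^>]*)>, "
    r"relay=(?P<relay>\S+), .*dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) "
    r"\((?P<detail>.*)\)$")

def correlate(log_text):
    """One record per delivery attempt, carrying the TLS warning (if any) that
    the same smtp(8) process emitted for the same relay right before it."""
    pending = {}  # (pid, relay) -> warning reason not yet matched to a delivery
    records = []
    for line in log_text.splitlines():
        m = TLS_WARN.search(line)
        if m:
            pending[(m["pid"], m["relay"])] = m["reason"]
            continue
        m = DELIVERY.search(line)
        if m:
            records.append({
                "queue_id": m["qid"], "dsn": m["dsn"], "status": m["status"],
                "smtp_reply": m["detail"],
                "tls_warning": pending.pop((m["pid"], m["relay"]), None),
            })
    return records

def tls_warning_explains_bounce(records):
    """True only if every attempt that carried the warning failed; a single
    successful delivery with the same warning rules TLS out as the cause."""
    with_warn = [r for r in records if r["tls_warning"]]
    return bool(with_warn) and all(r["status"] != "sent" for r in with_warn)
```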
In case you are using a self-signed SSL certificate for the server hostname in Postfix, try to replace it with an officially signed cert from LE: https://www.howtoforge.com/communit...l-port-8080-with-lets-encrypt-free-ssl.75554/
Hello again. I had read https://www.howtoforge.com/communit...l-port-8080-with-lets-encrypt-free-ssl.75554/

I have some different situations; one of them is Postfix, which is the most important at first. I used one of my testing servers, sofiha-isp.com.ar (my distro is CentOS 6.9 using ISPConfig 3.1.7p1, updated from ISPConfig 3.0.5 sp8).

At first, I did [Changing ISPConfig 3 Control Panel (Port 8080)], but it is not working:

www.sofiha-isp.com.ar:8080 uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is not valid for the name www.sofiha-isp.com.ar. Error code: SEC_ERROR_UNKNOWN_ISSUER

At the end, I did [Using The Same Let's Encrypt SSL Certs For Other Major Services]:
a. For Postfix (my version on this server is 2.6.6)
b. For Dovecot

Here is my maillog after sending an email from [email protected] to my personal email [email protected]:

Oct 24 00:45:02 mail postfix/smtpd[8884]: warning: TLS library problem: 8884:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
Oct 24 00:45:02 mail postfix/smtpd[8884]: warning: TLS library problem: 8884:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:ssl_rsa.c:722:
Oct 24 00:45:02 mail postfix/smtpd[8884]: connect from localhost[::1]
Oct 24 00:45:02 mail postfix/smtpd[8884]: lost connection after CONNECT from localhost[::1]
Oct 24 00:45:02 mail postfix/smtpd[8884]: disconnect from localhost[::1]
Oct 24 00:45:29 mail postfix/smtpd[8884]: warning: 181.166.135.164: hostname 164-135-166-181.fibertel.com.ar verification failed: Name or service not known
Oct 24 00:45:29 mail postfix/smtpd[8884]: connect from unknown[181.166.135.164]
Oct 24 00:45:30 mail postfix/smtpd[8884]: NOQUEUE: filter: RCPT from unknown[181.166.135.164]: <[email protected]>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[192.168.1.8]>
Oct 24 00:45:30 mail postfix/smtpd[8884]: E83F242CE: client=unknown[181.166.135.164], sasl_method=PLAIN, sasl_username=[email protected]
Oct 24 00:45:31 mail postfix/smtpd[8884]: E83F242CE: filter: RCPT from unknown[181.166.135.164]: <[email protected]>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[192.168.1.8]>
Oct 24 00:45:31 mail postfix/cleanup[8902]: E83F242CE: message-id=<20171024.004535.065.27@[192.168.1.8]>
Oct 24 00:45:31 mail opendkim[842]: E83F242CE: DKIM-Signature field added (s=default, d=mail.sofiha-isp.com.ar)
Oct 24 00:45:31 mail opendmarc[880]: implicit authentication service: mail.sofiha-isp.com.ar
Oct 24 00:45:32 mail opendmarc[880]: E83F242CE: SPF(mailfrom): [email protected] fail
(my SPF record for this server is a TXT record with the value v=spf1 ip4:45.79.78.77 -all)
Oct 24 00:45:32 mail opendmarc[880]: E83F242CE: sofiha-isp.com.ar none
Oct 24 00:45:32 mail postfix/qmgr[1014]: E83F242CE: from=<[email protected]>, size=928, nrcpt=2 (queue active)
Oct 24 00:45:32 mail postfix/smtp[8904]: connect to 127.0.0.1[127.0.0.1]:10026: Connection refused
Oct 24 00:45:32 mail postfix/smtp[8904]: E83F242CE: to=<[email protected]>, relay=none, delay=1.6, delays=1.6/0.02/0/0, dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]:10026: Connection refused)
Oct 24 00:45:32 mail postfix/smtp[8904]: E83F242CE: to=<[email protected]>, relay=none, delay=1.6, delays=1.6/0.02/0/0, dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]:10026: Connection refused)
Oct 24 00:45:32 mail postfix/smtpd[8884]: disconnect from unknown[181.166.135.164]

Please, please, I need to solve this because my primary server needs to send emails to @ferconsult.de, which is not working until I solve "certificate is not trusted because it is self-signed".

NOTE: If you wish, I will send my 'postconf -n' and my /etc/dovecot/dovecot.conf.

I'll appreciate your cooperation. Thanks,
Nestor Mazza
Thanks, Nestor Mazza. I have solved it by doing the following:

[Using The Same Let's Encrypt SSL Certs For Other Major Services]

/etc/postfix/main.cf
###smtpd_tls_cert_file = /etc/postfix/smtpd.cert
###smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_cert_file = /etc/letsencrypt/live/sofiha-isp.com.ar/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/sofiha-isp.com.ar/privkey.pem

/etc/dovecot/dovecot.conf
###ssl_cert = </etc/postfix/smtpd.cert
###ssl_key = </etc/postfix/smtpd.key
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
###ssl = required
ssl_cert = </etc/letsencrypt/live/sofiha-isp.com.ar/fullchain.pem
ssl_key = </etc/letsencrypt/live/sofiha-isp.com.ar/privkey.pem
ssl_protocols = !SSLv2 !SSLv3

/etc/amavisd/amavisd.conf
###$inet_socket_port = 10024; # listen on this local TCP port(s)
$inet_socket_port = [10024,10026]; # listen on multiple TCP ports

service amavisd restart
service postfix restart
service dovecot restart

[Changing ISPConfig 3 Control Panel (Port 8080)]

/etc/httpd/conf/sites-enabled/000-ispconfig.vhost
###SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
###SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
SSLCertificateFile /etc/letsencrypt/live/sofiha-isp.com.ar/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sofiha-isp.com.ar/privkey.pem

service httpd restart

But I don't know if I'm on the right way? Please let me know your opinion.

Thanks,
Nestor Mazza
The way you did it, the setup will break on the next update. Never change the paths of the SSL certs in the config files; the right and update-safe way is described in the thread that I linked in #4: keep the original paths and use symlinks.
Ok, but when I use the symlinks I receive the following in the maillog... (I have tested on another test server, CentOS 7 with

Oct 24 11:30:02 mail postfix/smtpd[19395]: warning: cannot get RSA certificate from file /etc/postfix/smtpd.cert: disabling TLS support
Oct 24 11:30:02 mail postfix/smtpd[19395]: warning: TLS library problem: 19395:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/postfix/smtpd.cert','r'):
Oct 24 11:30:02 mail postfix/smtpd[19395]: warning: TLS library problem: 19395:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
Oct 24 11:30:02 mail postfix/smtpd[19395]: warning: TLS library problem: 19395:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:ssl_rsa.c:701:
Oct 24 11:30:02 mail postfix/smtpd[19395]: connect from localhost[::1]
Oct 24 11:30:02 mail postfix/smtpd[19395]: warning: SASL: Connect to private/auth failed: Connection refused
Oct 24 11:30:02 mail postfix/smtpd[19395]: fatal: no SASL authentication mechanisms
Oct 24 11:30:03 mail postfix/master[19257]: warning: process /usr/libexec/postfix/smtpd pid 19395 exit status 1
Oct 24 11:30:03 mail postfix/master[19257]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling

Thanks,
Nestor Mazza
cd /etc/postfix
ls -la smtpd.*
lrwxrwxrwx 1 root root 48 Oct 24 11:29 smtpd.cert -> /usr/local/ispconfig/interface/ssl/ispserver.crt
-rw-r--r-- 1 root root 2293 Oct 21 19:41 smtpd.cert-171024112848.bak
lrwxrwxrwx 1 root root 48 Oct 24 11:29 smtpd.key -> /usr/local/ispconfig/interface/ssl/ispserver.key
-rw-r----- 1 root root 3272 Oct 21 19:41 smtpd.key-171024112900.bak

cd /usr/local/ispconfig/interface/ssl/
ls -la
total 32
drwxr-x--- 2 root root 4096 Oct 24 11:27 .
drwxr-x--- 9 ispconfig ispconfig 4096 Oct 21 19:43 ..
-rwxr-x--- 1 root root 45 Oct 21 19:43 empty.dir
lrwxrwxrwx 1 root root 60 Oct 24 11:27 ispserver.crt -> /etc/letsencrypt/live/mail.genericodigital.com/fullchain.pem
-rwxr-x--- 1 root root 2293 Oct 21 19:43 ispserver.crt-171024112645.bak
-rwxr-x--- 1 root root 1838 Oct 21 19:43 ispserver.csr
lrwxrwxrwx 1 root root 58 Oct 24 11:27 ispserver.key -> /etc/letsencrypt/live/mail.genericodigital.com/privkey.pem
-rwxr-x--- 1 root root 3243 Oct 21 19:43 ispserver.key-171024112701.bak
-rwxr-x--- 1 root root 3311 Oct 21 19:41 ispserver.key.secure
-rw------- 1 root root 0 Oct 24 11:27 ispserver.pem

I don't have an idea how to solve it; I can't see where it is wrong, but with the symlink it does not work for me.

Thanks,
Nestor Mazza
Do you get the right cert content when you run:

cat /etc/postfix/smtpd.cert

Maybe Postfix has a problem with the double symlink; you can try to point /etc/postfix/smtpd.cert to /etc/letsencrypt/live/mail.genericodigital.com/fullchain.pem directly.

Another possible problem can be that you are using a different SSL cert. In your working config you use /etc/letsencrypt/live/sofiha-isp.com.ar/fullchain.pem as cert, but in the other config you use /etc/letsencrypt/live/mail.genericodigital.com/fullchain.pem, which is a different SSL cert for a different domain. The correct cert for Postfix is the one that is issued for the server hostname; the server hostname is not a domain that is used for a website on this system, so sofiha-isp.com.ar is probably the wrong cert anyway.
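An added example, not code from the thread or from ISPConfig, that performs the checks suggested above in one go: it follows the smtpd.cert and smtpd.key symlink chains hop by hop (the double symlink shown in the ls output), reports a dangling or unreadable final target, and then asks OpenSSL to load the pair the same way Postfix's SSL_CTX_use_certificate_chain_file() does, which also catches a key that does not belong to the certificate. The build_demo() layout and the mail.example.invalid name are constructed placeholders (the demo ends at a deliberately dangling key); on a real server call check_cert_pair("/etc/postfix/smtpd.cert", "/etc/postfix/smtpd.key") as root, since the key is not world-readable.

```python
import os
import ssl
import tempfile

def resolve_chain(path, max_hops=16):
    """Follow symlinks hop by hop; Postfix ultimately opens the last hop."""
    hops = [path]
    while os.path.islink(hops[-1]) and len(hops) <= max_hops:
        target = os.readlink(hops[-1])
        if not os.path.isabs(target):
            target = os.path.join(os.path.dirname(hops[-1]), target)
        hops.append(os.path.normpath(target))
    return hops

def check_cert_pair(cert_path, key_path):
    """Describe what Postfix's SSL_CTX_use_certificate_chain_file() would hit:
    returns a dict with the resolved hops and either ok=True or an error."""
    report = {"cert_hops": resolve_chain(cert_path), "key_hops": resolve_chain(key_path)}
    for label in ("cert", "key"):
        final = report[label + "_hops"][-1]
        if not os.path.exists(final):
            report["error"] = f"{label}: dangling link, {final} does not exist"
            return report
        if not os.access(final, os.R_OK):
            report["error"] = f"{label}: {final} is not readable"
            return report
    try:
        # Same check OpenSSL performs for Postfix: parse the PEM chain and
        # confirm the private key belongs to the leaf certificate.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(report["cert_hops"][-1], report["key_hops"][-1])
        report["ok"] = True
    except ssl.SSLError as exc:
        report["error"] = f"OpenSSL rejected the pair: {exc}"
    return report

def build_demo():
    """Constructed layout mirroring the thread (placeholder content, not a real
    certificate): smtpd.cert -> ispserver.crt -> live/fullchain.pem, and
    smtpd.key -> live/privkey.pem where privkey.pem is missing."""
    base = tempfile.mkdtemp()
    live = os.path.join(base, "live", "mail.example.invalid")
    os.makedirs(live)
    with open(os.path.join(live, "fullchain.pem"), "w") as fh:
        fh.write("not a real certificate\n")
    os.symlink(os.path.join(live, "fullchain.pem"), os.path.join(base, "ispserver.crt"))
    os.symlink(os.path.join(base, "ispserver.crt"), os.path.join(base, "smtpd.cert"))
    os.symlink(os.path.join(live, "privkey.pem"), os.path.join(base, "smtpd.key"))
    return os.path.join(base, "smtpd.cert"), os.path.join(base, "smtpd.key")
```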
It is OK. Now I modified another server, because sofiha-isp.com.ar is working and genericodigital.com is not yet. I want to solve it on genericodigital.com and then update sofiha-isp.com.ar.

Thanks
cat /etc/postfix/smtpd.cert
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----