Hi! Since this morning, no IMAP login is possible. It seems that tonight a letsencrypt renew was done. Thunderbird is not able to log in to the accounts - it stalls and nothing happens. We have a main domain like "main.at" and a subdomain like "customermail.main.at" (https://www.howtoforge.com/securing...server-with-a-valid-lets-encrypt-certificate/); customermail worked flawlessly for months. In syslog are the following lines:

Code:
Dec 14 06:12:21 tesoro2 systemd[1]: Starting Postfix Mail Transport Agent (instance -)...
Dec 14 06:12:22 tesoro2 postfix/postfix-script[43232]: warning: symlink leaves directory: /etc/postfix/./smtpd.cert-20221214051002.bak
Dec 14 06:12:22 tesoro2 postfix/postfix-script[43235]: warning: symlink leaves directory: /etc/postfix/./smtpd.key-220618213526.bak
Dec 14 06:12:22 tesoro2 postfix/postfix-script[43238]: warning: symlink leaves directory: /etc/postfix/./smtpd.cert
Dec 14 06:12:22 tesoro2 postfix/postfix-script[43241]: warning: symlink leaves directory: /etc/postfix/./smtpd.key-20221214051002.bak
Dec 14 06:12:22 tesoro2 postfix/postfix-script[43244]: warning: symlink leaves directory: /etc/postfix/./smtpd.cert-220618213522.bak
Dec 14 06:12:22 tesoro2 postfix/postfix-script[43247]: warning: symlink leaves directory: /etc/postfix/./smtpd.key
Dec 14 06:12:46 tesoro2 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=80.75.246.35, lip=136.243.47.106, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<YMZ/ycLvluJQS/Yj>
Dec 14 06:12:46 tesoro2 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=80.75.246.35, lip=136.243.47.106, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<ket/ycLvleJQS/Yj>
Dec 14 06:12:46 tesoro2 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=80.75.246.35, lip=136.243.47.106, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<lfB/ycLvl+JQS/Yj>
Dec 14 06:14:30 tesoro2 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=2a02:8388:a080:c100:a8f3:7893:c741:646b, lip=2a01:4f8:212:f65::2, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<r+1flMPvs+sqAoOIoIDBAKjzeJPHQWRr>

and maybe a helpful excerpt of making a connection on the command line:

Code:
# openssl s_client -starttls smtp -showcerts -connect customermail.main.at:25
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = tesoro2.main.at
verify return:1
---
Certificate chain
 0 s:CN = tesoro2.main.at
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
MIIFNTCCBB2gAwIBAgISA7r7Ntvr6fLeFnv0+6HpiXiWMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMjEyMTMyMjM3NTZaFw0yMzAzMTMyMjM3NTVaMCMxITAfBgNVBAMT
GHRlc29ybzIucHJvZHVjdHM0bW9yZS5hdDCCASIwDQYJKoZIhvcNAQEBBQADggEP
-+--SNIP-+--
WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
-----END CERTIFICATE-----
---
Server certificate
subject=CN = tesoro2.main.at
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4886 bytes and written 434 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 CHUNKING
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: CA9B54BA472867B8A23D7671EF84D68DAA22B87B1B9BA91C0107C6C389923A05
    Session-ID-ctx:
    Resumption PSK: 948CEEDF26271B177BB47359D1566F9DE5258930CA27EAD9306E7E36647046637B91E60B66F9003D540A33C158630787
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    Start Time: 1670996697
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

In this connection, there is nothing about customermail.main.at - is this ok?

What I have done: ispconfig_update.sh --force and reconfiguring the services + recreating the ISPConfig SSL certificates. Renewed the certificate for our domain, checked the domain on ssllabs.com: "main" and "customermail" got a green check. Even checked on sslshopper.com/ssl-checker.html - all green.

Using checktls.com says:

Code:
Connection converted to SSL
SSLVersion in use: TLSv1_3
Cipher in use: TLS_AES_256_GCM_SHA384
Perfect Forward Secrecy: yes
Session Algorithm in use: Curve X25519 DHE(253 bits)
Certificate #1 of 4 (sent by MX):
Cert VALIDATED: ok
Cert Hostname DOES NOT VERIFY (customermail.main.at != tesoro2.main.at | DNS:tesoro2.main.at)
So email is encrypted but the host is not verified
Not Valid Before: Dec 13 22:37:56 2022 GMT
Not Valid After: Mar 13 22:37:55 2023 GMT
subject: /CN=tesoro2.main.at
issuer: /C=US/O=Let's Encrypt/CN=R3

Any ideas what happened and, most importantly, any hints how I fix that? Thank you!
Hmmmm .... Found this hint, but we have the problem not only on Apple devices. We can't retrieve 2210 on Ubuntu either. https://www.hagenfragen.de/linux-ti...er-46-mit-letsencrypt-unter-ubuntu-20-04.html How could the hint be implemented? There is no link to a fullchain in /etc/postfix.
Yes - there is a (temporary?) solution: the symbolic links in /etc/postfix were linked to

smtpd.cert -> /usr/local/ispconfig/interface/ssl/ispserver.crt
smtpd.key -> /usr/local/ispconfig/interface/ssl/ispserver.key

instead of

smtpd.key -> /root/.acme.sh/main.at/main.at.key
smtpd.cert -> /root/.acme.sh/main.at/fullchain.cer

I will monitor these in the next weeks to see if they move again.
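Added example, not from this thread nor from ISPConfig or acme.sh: a small bash check for the situation described above, where /etc/postfix/smtpd.cert silently pointed at the single-certificate ispserver.crt instead of the acme.sh fullchain.cer for the name customers actually connect to. It resolves the symlink, counts the certificates in the target file and checks the leaf's DNS SANs for the expected hostname; paths and hostnames are arguments and only the `openssl` CLI is assumed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): verify that a Postfix/Dovecot cert path
# such as /etc/postfix/smtpd.cert (often a symlink) resolves to a full chain
# whose leaf covers the hostname clients use. Needs only the `openssl` CLI.

# cert_chain_count FILE -> PEM certs in FILE (fullchain = leaf + intermediate, >= 2)
cert_chain_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}
# cert_covers_host FILE HOST -> 0 if a DNS SAN of the leaf matches HOST
# (only SANs count: clients no longer match the hostname against the CN)
cert_covers_host() {
    local file="$1" host="$2" name sans found=1
    sans=$(openssl x509 -in "$file" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tr ',' '\n' \
        | sed -n 's/.*DNS:\([^[:space:]]*\).*/\1/p')
    while IFS= read -r name; do
        [ -z "$name" ] && continue
        if [ "$name" = "$host" ]; then found=0; break; fi
        case "$name" in       # a wildcard covers exactly one leftmost label
            \*.*) if [ "${host#*.}" != "$host" ] && [ "${host#*.}" = "${name#\*.}" ]; then
                      found=0; break
                  fi ;;
        esac
    done <<EOF
$sans
EOF
    return "$found"
}

# check_mail_cert CERT_PATH HOST -> prints findings; returns 0 only if all pass
check_mail_cert() {
    local path="$1" host="$2" target n status=0
    if ! target=$(readlink -f -- "$path") || [ ! -r "$target" ]; then
        echo "FAIL: $path does not resolve to a readable file"; return 1
    fi
    echo "$path -> $target"
    n=$(cert_chain_count "$target")
    if [ "$n" -lt 2 ]; then
        echo "WARN: $target holds $n cert(s); serve the fullchain so clients get the intermediate"
        status=1
    fi
    if cert_covers_host "$target" "$host"; then
        echo "OK: leaf certificate covers $host"
    else
        echo "FAIL: leaf certificate does not cover $host (hostname mismatch)"
        status=1
    fi
    return "$status"
}
```

Run it as root on the mail server, e.g. `check_mail_cert /etc/postfix/smtpd.cert customermail.main.at`; the file named in Dovecot's ssl_cert setting can be checked the same way, and a cron job around it would have caught this renewal the morning it happened.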
Check this Thread: https://forum.howtoforge.com/threads/ispconfig-certificate-is-expired.89715/#post-440520