no imap-login possible, SSL-issue / SOLVED

Discussion in 'ISPConfig 3 Priority Support' started by muelli75, Dec 14, 2022.

  1. muelli75

    muelli75 Member

    Hi!

    Since this morning, no IMAP login has been possible. It seems that a Let's Encrypt renewal was done tonight. Thunderbird is not able to log in to the accounts - it stalls and nothing happens.

    We have a main domain like "main.at" and a subdomain like "customermail.main.at" (https://www.howtoforge.com/securing...server-with-a-valid-lets-encrypt-certificate/); customermail worked flawlessly for months.

    In the syslog are the following lines:
    Code:
    Dec 14 06:12:21 tesoro2 systemd[1]: Starting Postfix Mail Transport Agent (instance -)...
    Dec 14 06:12:22 tesoro2 postfix/postfix-script[43232]: warning: symlink leaves directory: /etc/postfix/./smtpd.cert-20221214051002.bak
    Dec 14 06:12:22 tesoro2 postfix/postfix-script[43235]: warning: symlink leaves directory: /etc/postfix/./smtpd.key-220618213526.bak
    Dec 14 06:12:22 tesoro2 postfix/postfix-script[43238]: warning: symlink leaves directory: /etc/postfix/./smtpd.cert
    Dec 14 06:12:22 tesoro2 postfix/postfix-script[43241]: warning: symlink leaves directory: /etc/postfix/./smtpd.key-20221214051002.bak
    Dec 14 06:12:22 tesoro2 postfix/postfix-script[43244]: warning: symlink leaves directory: /etc/postfix/./smtpd.cert-220618213522.bak
    Dec 14 06:12:22 tesoro2 postfix/postfix-script[43247]: warning: symlink leaves directory: /etc/postfix/./smtpd.key
    
    Dec 14 06:12:46 tesoro2 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=80.75.246.35, lip=136.243.47.106, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<YMZ/ycLvluJQS/Yj>
    Dec 14 06:12:46 tesoro2 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=80.75.246.35, lip=136.243.47.106, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<ket/ycLvleJQS/Yj>
    Dec 14 06:12:46 tesoro2 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=80.75.246.35, lip=136.243.47.106, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<lfB/ycLvl+JQS/Yj>
    
    Dec 14 06:14:30 tesoro2 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=2a02:8388:a080:c100:a8f3:7893:c741:646b, lip=2a01:4f8:212:f65::2, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<r+1flMPvs+sqAoOIoIDBAKjzeJPHQWRr>
    
    and maybe a helpful excerpt of a connection made on the command line:
    Code:
    #openssl s_client -starttls smtp -showcerts -connect customermail.main.at:25
    CONNECTED(00000003)
    depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = R3
    verify return:1
    depth=0 CN = tesoro2.main.at
    verify return:1
    ---
    Certificate chain
     0 s:CN = tesoro2.main.at
       i:C = US, O = Let's Encrypt, CN = R3
    -----BEGIN CERTIFICATE-----
    MIIFNTCCBB2gAwIBAgISA7r7Ntvr6fLeFnv0+6HpiXiWMA0GCSqGSIb3DQEBCwUA
    MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
    EwJSMzAeFw0yMjEyMTMyMjM3NTZaFw0yMzAzMTMyMjM3NTVaMCMxITAfBgNVBAMT
    GHRlc29ybzIucHJvZHVjdHM0bW9yZS5hdDCCASIwDQYJKoZIhvcNAQEBBQADggEP
    -+--SNIP-+--
    WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
    he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
    Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=CN = tesoro2.main.at
    
    issuer=C = US, O = Let's Encrypt, CN = R3
    
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Peer signature type: RSA-PSS
    Server Temp Key: X25519, 253 bits
    ---
    SSL handshake has read 4886 bytes and written 434 bytes
    Verification: OK
    ---
    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    ---
    250 CHUNKING
    ---
    Post-Handshake New Session Ticket arrived:
    SSL-Session:
        Protocol  : TLSv1.3
        Cipher    : TLS_AES_256_GCM_SHA384
        Session-ID: CA9B54BA472867B8A23D7671EF84D68DAA22B87B1B9BA91C0107C6C389923A05
        Session-ID-ctx:
        Resumption PSK: 948CEEDF26271B177BB47359D1566F9DE5258930CA27EAD9306E7E36647046637B91E60B66F9003D540A33C158630787
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 7200 (seconds)
        TLS session ticket:
        0000 - 04 ce ef 71 6b f4 19 38-18 a8 a4 ef e9 0d 9f 8f   ...qk..8........
        0010 - 0a 8c 6e 25 fc be f0 6c-32 8d c3 60 3b 68 72 33   ..n%...l2..`;hr3
        0020 - 40 09 9e 66 c4 1f ee fc-15 e2 eb 46 54 1b e5 48   @..f.......FT..H
        0030 - 7a e2 df c8 1e 84 af 41-17 fc f2 f2 34 b3 c8 49   z......A....4..I
        0040 - a3 d6 fd c1 cc b0 c3 61-40 ca 79 04 ca b7 36 8f   [email protected].
        0050 - b2 c9 d3 70 8e 8c c0 f3-51 48 b5 5b 58 0b 96 08   ...p....QH.[X...
        0060 - 85 2f e1 75 06 c8 27 47-27 f6 f3 ba 62 c9 5d 2b   ./.u..'G'...b.]+
        0070 - 89 ee a6 fb 2f df ab bf-c2 4c 9b 77 80 a0 7f da   ..../....L.w....
        0080 - ce 5c 5e 18 8f 6c be 09-43 88 59 b1 3d 6f 67 55   .\^..l..C.Y.=ogU
        0090 - ff f6 bd d7 96 13 af 89-7e b7 62 99 be c4 8e 99   ........~.b.....
        00a0 - 36 e6 ba 27 07 95 6f 0b-f5 e4 78 2b 78 30 ad 45   6..'..o...x+x0.E
        00b0 - bb 65 ca 87 4e e0 12 17-2f a4 02 cf 23 9b bd 97   .e..N.../...#...
        00c0 - 38 10 4f 37 4a f7 fb 35-f9 5c a6 86 12 53 7f 19   8.O7J..5.\...S..
    
        Start Time: 1670996697
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no
        Max Early Data: 0
    ---
    read R BLOCK
    
    In this connection, there is nothing about customermail.main.at - is this ok?

    What I have done:
    ispconfig_update.sh --force and reconfiguring the services + recreating the ISPConfig SSL certificates.
    Renewed the certificate for our domain, checked the domain on ssllabs.com - "main" and "customermail" got a green check. Even checked on sslshopper.com/ssl-checker.html - all green.

    Using checktls.com says:
    Code:
    Connection converted to SSL
    SSLVersion in use: TLSv1_3
    Cipher in use: TLS_AES_256_GCM_SHA384
    Perfect Forward Secrecy: yes
    Session Algorithm in use: Curve X25519 DHE(253 bits)
    Certificate #1 of 4 (sent by MX):
    Cert VALIDATED: ok
    Cert Hostname DOES NOT VERIFY (customermail.main.at != tesoro2.main.at | DNS:tesoro2.main.at)
    So email is encrypted but the host is not verified
    Not Valid Before: Dec 13 22:37:56 2022 GMT
    Not Valid After: Mar 13 22:37:55 2023 GMT
    subject: /CN=tesoro2.main.at
    issuer: /C=US/O=Let's Encrypt/CN=R3

    Any ideas what happened and, most importantly, any hints on how I can fix that?

    Thank you!
     
    Last edited: Dec 14, 2022
  2. muelli75

    muelli75 Member

  3. muelli75

    muelli75 Member

    Yes - there is a (temporary?) solution:

    The symbolic links in /etc/postfix were linked to
    smtpd.cert -> /usr/local/ispconfig/interface/ssl/ispserver.crt
    smtpd.key -> /usr/local/ispconfig/interface/ssl/ispserver.key

    instead of

    smtpd.key -> /root/.acme.sh/main.at/main.at.key
    smtpd.cert -> /root/.acme.sh/main.at/fullchain.cer

    I will monitor these in the next weeks to see if they move again.
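A check script for the situation in this thread, added here as an example; it is not code from the thread or from ISPConfig. It verifies that the Postfix symlinks still point at the acme.sh files named in post #3 and that the certificate presented over TLS (with SNI for the public mail hostname) actually covers that hostname, which is what the checktls.com "Cert Hostname DOES NOT VERIFY" line and the Dovecot "bad certificate" alerts were reporting. Paths and hostnames are the ones from the thread; the live check needs network access and OpenSSL 1.1.1+.

```shell
#!/bin/sh
# Added example (not from the thread or ISPConfig): confirm that the public mail hostname
# is covered by the certificate actually presented over TLS, and that the Postfix symlinks
# still point at the acme.sh files named in post #3. Paths/hostnames are taken from the thread.
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }
# Return 0 if symlink $1 points (verbatim) at target $2.
link_points_to() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ]
}
# Return 0 if hostname $1 is covered by the comma-separated SAN list $2, e.g.
# "DNS:tesoro2.main.at, DNS:customermail.main.at" (openssl x509 -ext subjectAltName format).
# Exact names and one-label wildcards (*.main.at) match; IP/email SANs are skipped.
san_covers_host() {
    local host entry name old_ifs
    host=$(lc "$1")
    old_ifs="$IFS"; IFS=','; set -- $2; IFS="$old_ifs"
    for entry in "$@"; do
        entry=$(printf '%s' "$entry" | tr -d '\r\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$entry" in DNS:*) ;; *) continue ;; esac
        name=$(lc "${entry#DNS:}")
        [ "$name" = "$host" ] && return 0
        case "$name" in
            \*.*) [ "${host#*.}" != "$host" ] && [ "${host#*.}" = "${name#\*.}" ] && return 0 ;;
        esac
    done
    return 1
}
# Live check (needs network and OpenSSL 1.1.1+): fetch the certificate presented for $1 on
# port $2 (993 = IMAPS, 25/587 = SMTP STARTTLS, 143 = IMAP STARTTLS) with SNI for $1.
presented_cert_covers() {
    local host="$1" port="$2" starttls="" sans
    case "$port" in 25|587) starttls="-starttls smtp" ;; 143) starttls="-starttls imap" ;; esac
    sans=$(openssl s_client -servername "$host" -connect "$host:$port" $starttls </dev/null 2>/dev/null |
           openssl x509 -noout -ext subjectAltName 2>/dev/null | tail -n +2)
    san_covers_host "$host" "$sans"
}
# Usage: sh check-mailcert.sh customermail.main.at   (exit status 1 on any mismatch)
main() {
    local rc=0
    link_points_to /etc/postfix/smtpd.cert /root/.acme.sh/main.at/fullchain.cer ||
        { echo "smtpd.cert -> $(readlink /etc/postfix/smtpd.cert)"; rc=1; }
    link_points_to /etc/postfix/smtpd.key /root/.acme.sh/main.at/main.at.key ||
        { echo "smtpd.key -> $(readlink /etc/postfix/smtpd.key)"; rc=1; }
    for port in 993 25; do
        presented_cert_covers "$1" "$port" || { echo "port $port: certificate does not cover $1"; rc=1; }
    done
    return $rc
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it from cron after the nightly acme.sh renewal so a symlink that has been repointed, or a certificate that no longer names the customer-facing hostname, is noticed before the clients stall.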
     
  4. pyte

    pyte Well-Known Member HowtoForge Supporter
