Postfix, Fetchmail, OpenSSL: wrong version number

Discussion in 'General' started by Taxi, Oct 9, 2022.

  1. Taxi

    Taxi Member

    Hallo,

    I'm running Debian Bullseye and ISPConfig 3.2.8p2.
    On my old server I had the same configuration.
    Since two days I'm running this on a new server.
    Most of the services are running fine, except I can't fetch emails from my client via fetchmail and postfix.

    I copied the server certificates from /root/.acme.sh to my local client to the location mentioned in the postfix/main.cf.
    Unfortunately I'm getting the following error:
    OpenSSL reported: error:0A00010B:SSL routines::wrong version number
    mail.server.com: upgrade to TLS failed.
    fetchmail[363826]: Socket or TLS error on [email protected]@mail.server.com
    Oct 9 17:57:25 fetchmail[363826]: socket error while fetching from [email protected]@mail.server.com
    Oct 9 17:57:25 fetchmail[363826]: Query status=2 (SOCKET)

    Can the reason be that on my client I'm using Debian testing with openssl version:
    OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)

    and on the server:
    OpenSSL 1.1.1n 15 Mar 2022

    How can I disable this restriction?
    I tried to disable the following lines in /etc/postfix/main.cf:
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2,!SSLv3
    smtp_tls_protocols = !SSLv2,!SSLv3

    I found that the server is not sending any certificate to the client.
    Although TLS is enabled.
    I have to check the configuration again.


     
    Last edited: Oct 10, 2022
  2. pyte

    pyte Well-Known Member HowtoForge Supporter

    Hi!
    This indicates that the port you are trying to use doesn't serve TLS. Is your configuration correct?

    Well, if the error above occurs, there is no TLS initiated, so there will be no certificates. As I already mentioned, there seems to be an error with your configuration, as it doesn't seem to serve TLS on the port fetchmail is using.
     
  3. Taxi

    Taxi Member

    Many thanks for your reply.

    On the server I'm running ISPConfig with Dovecot. This means that fetchmail connects to dovecot, correct?
    In the dovecot.conf I have:
    [...]
    ssl_cert = </etc/postfix/smtpd.cert
    ssl_key = </etc/postfix/smtpd.key
    [...]
    according to the Perfect Server installation guide.

    An
    openssl x509 -in /etc/postfix/smtpd.cert -noout -text
    shows the certificate:
    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number:
    03:b2:4f:d5:ec:38:0b:ed:63:ab:ca:8b:6a:de:89:b4:b3:ee
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C = US, O = Let's Encrypt, CN = R3
    Validity
    Not Before: Oct 7 13:43:16 2022 GMT
    Not After : Jan 5 13:43:15 2023 GMT
    Subject: CN = mail.rothmedia.net
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public-Key: (4096 bit)
    Modulus:
    00:b5:bd:91:7e:ba:22:49:db:11:76:65:60:ab:50:
    9b:89:81:4a:84:90:7e:9a:3f:62:a2:be:c2:82:b6:
    d3:5a:37:0b:b7:8f:4b:5d:39:f6:31:17:6b:a4:3d:
    45:8b:a4:3c:1b:59:17:49:d2:54:c4:25:2f:24:cb:
    3b:d2:f2:ae:fc:ca:56:af:46:27:d5:cc:79:2f:dc:
    28:b3:0d:6e:61:bb:71:11:31:7c:ba:b1:c8:7c:e9:
    4f:d0:11:24:2d:df:2f:02:f0:91:cd:b0:1f:0b:60:
    53:ac:6e:0d:f4:cf:f2:4f:d9:41:ab:1b:bb:63:5d:
    e8:13:5f:6b:b9:81:ca:83:f7:de:40:d8:af:3e:b0:
    [...]
    What's the problem?

    Also, when I'm configuring an MTA with IMAP and want to check the supported encryption methods, I'm getting:
    Failed to query server for a list of supported authentication mechanisms.
    Peer failed to perform TLS handshake: The TLS connection was non-properly terminated.

    This means, that TLS is not enabled at all!
    Where do I enable it?
     
  4. pyte

    pyte Well-Known Member HowtoForge Supporter

    We need way more information. I am confused.

    You have a server with ISPConfig and you are using it as mail server, correct?

    Where do you use fetchmail and what is the config you are trying to achieve?

    How did you install the ISPConfig Server, some details about installation method and OS.

    Did you change any configuration regarding the issue, like dovecot or postfix config?
     
  5. Taxi

    Taxi Member

    Yes, I have the newest ISPConfig on a Debian Bullseye OS, as mentioned above. I'm managing websites and email addresses with it.
    I did the installation according to the Perfect Server Installation.
    I'm using acme.sh for the Let's Encrypt certificates.
    I'm using fetchmail from my home PC to fetch my emails from the ISPConfig managed server.

    Meanwhile I got a step further. TLS is working now. But fetchmail still complains:
    Oct 10 17:35:06 majestix fetchmail[424636]: OpenSSL reported: error:0A000086:SSL routines::certificate verify failed
    Oct 10 17:35:06 majestix fetchmail[424636]: mail.rothmedia.net: upgrade to TLS failed.
    Oct 10 17:35:06 majestix fetchmail[424636]: Socket or TLS error on [email protected]@mail.rothmedia.net
    Oct 10 17:35:06 majestix fetchmail[424636]: socket error while fetching from [email protected]@mail.rothmedia.net
    Oct 10 17:35:06 majestix fetchmail[424636]: Query status=2 (SOCKET)
    Oct 10 17:35:06 majestix fetchmail[424636]: Server certificate verification error: unable to get local issuer certificate
    Oct 10 17:35:06 majestix fetchmail[424636]: Broken certification chain at: /C=US/O=Let's Encrypt/CN=R3
    Oct 10 17:35:06 majestix fetchmail[424636]: This could mean that the server did not provide the intermediate CA's certificate(s), which is nothing fetchmail could do anything about. For details, please see the README.SSL-SERVER document that ships with fetchmail.
    Oct 10 17:35:06 majestix fetchmail[424636]: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page. See README.SSL for details.
     
  6. pyte

    pyte Well-Known Member HowtoForge Supporter

    So, you are using fetchmail on a Linux desktop and then get these errors?
    Can you add a mail account from your ISPConfig Server in something like Thunderbird? Is it working?

    If that's the case, please post your fetchmailrc too. Make sure to remove sensitive data before posting!
     
  7. Taxi

    Taxi Member

    Yes, I'm using Evolution. I can send emails via postfix. But I'm also getting some 554:

    0AC43AD41764 177632 Mon Oct 10 16:57:53 [email protected]
    (host mx00.emig.gmx.net[212.227.15.9] refused to talk to me: 554-gmx.net (mxgmx014) Nemesis ESMTP Service not available 554-No SMTP service 554-Bad DNS PTR resource record. 554 For explanation visit https://www.gmx.net/mail/senderguidelines?ip=85.25.177.45&c=rdns)

    or

    62E85AD417A3 22110592 Tue Oct 11 16:12:44 [email protected]
    (host mailin.samsung.com[203.254.224.12] refused to talk to me: 554 5.7.1 Rejected because Bad IP)
    [email protected]


    fetchmailrc:

    set no bouncemail
    poll mail.rothmedia.net protocol pop3
    user [email protected] password 12345 is mm here
    fetchall
    [...]
    sslcertck
    sslproto tls1.2+
    sslcertpath /etc/ssl/certs/
     
  8. pyte

    pyte Well-Known Member HowtoForge Supporter

    It says it right there "554-Bad DNS PTR resource record". Your PTR Record is either wrong or not set at all.

    Here we see that the host mailin.samsung.com[203.254.224.12] refused to connect because your IP is blacklisted in one of the lists that the mail host "mailin.samsung.com" checks.
     
  9. Taxi

    Taxi Member

    Yes, I contacted my provider to resolve the reverse DNS problem.
    But this does not solve my problems with fetchmail.
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess you just might use the wrong mail server name in your fetchmail config file. Run the command:

    hostname -f

    on your ispconfig server. Then edit your fetchmail config file and replace mail.rothmedia.net with the result of the hostname command.
     
  11. pyte

    pyte Well-Known Member HowtoForge Supporter

    My testing shows this too:
    Code:
    # openssl s_client -showcerts -connect mail.rothmedia.net:993 -servername mail.rothmedia.net
    CONNECTED(00000005)
    depth=0 CN = mail.rothmedia.net
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 CN = mail.rothmedia.net
    verify error:num=21:unable to verify the first certificate
    verify return:1
    
    Your certificate chain is incorrect, if "mail.rothmedia.net" is even correct, as @till already pointed out.
     
  12. Taxi

    Taxi Member

    hostname -f shows
    mars.rothmedia.net

    The strange thing is that on my old server it worked. There, hostname -f is sun.rothmedia.net.

    Well, I now added mars.rothmedia.net to the certificate mail.rothmedia.net. I copied the .cert and .key files to /etc/postfix on my local machine.
    For the .fetchmailrc entries where I changed to poll from mars.rothmedia.net, I'm getting the domain mismatch error:
    fetchmail[121609]: Server CommonName mismatch: mail.rothmedia.net != mars.rothmedia.net
    fetchmail[121609]: Server certificate verification error: unable to get local issuer certificate
    fetchmail[121609]: Broken certification chain at: /C=US/O=Let's Encrypt/CN=R3

    And for all other entries where I'm polling from mail.rothmedia.net I'm getting this:
    Oct 14 22:08:32 majestix fetchmail[121609]: OpenSSL reported: error:0A000086:SSL routines::certificate verify failed
    Oct 14 22:08:32 majestix fetchmail[121609]: mail.rothmedia.net: upgrade to TLS failed.
    Oct 14 22:08:32 majestix fetchmail[121609]: Socket or TLS error on [email protected]@mail.rothmedia.net
    Oct 14 22:08:32 majestix fetchmail[121609]: socket error while fetching from [email protected]@mail.rothmedia.net
    Oct 14 22:08:32 majestix fetchmail[121609]: Query status=2 (SOCKET)
    Oct 14 22:08:32 majestix fetchmail[121609]: Server certificate verification error: unable to get local issuer certificate
    Oct 14 22:08:32 majestix fetchmail[121609]: Broken certification chain at: /C=US/O=Let's Encrypt/CN=R3
    Oct 14 22:08:32 majestix fetchmail[121609]: This could mean that the server did not provide the intermediate CA's certificate(s), which is nothing fetchmail could do anything about. For details, please see the README.SSL-SERVER document that ships with fetchmail.
    Oct 14 22:08:32 majestix fetchmail[121609]: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page. See README.SSL for details.
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    You seem to have created your SSL certs manually and not using ISPConfig, therefore it might be that your certs are incomplete and do not contain the chain certs as required by dovecot. When creating certs manually, then you must take care by yourself of which daemon needs which cert file format as some of them must contain chain certs while others don't and use separate chain certificate files. E.g. dovecot and postfix require it to have a full chain cert which contains the actual SSL cert incl. chain files.

    And it might be that your fetchmail system uses an outdated SSL chain: https://forum.howtoforge.com/thread...-expiration-september-2021.87761/#post-427870
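    A way to check a bundle such as fullchain.cer offline, before handing it to dovecot/postfix, for the three things the fetchmail log above complains about (no intermediate in the bundle, a leaf that does not name the polled host, certificates in the wrong order). This is an added example, not code from the thread, from ISPConfig or from fetchmail; it assumes the openssl command line tool (1.1.1 or newer, for "x509 -ext"), and the host name mail.example.test and file names used are constructed for the example. It also wraps the s_client probe pyte ran above as a function, so that implicit TLS ports (993/995) and STARTTLS ports (143/110) are tested the right way; talking TLS to a plaintext port is what produces "wrong version number".

```shell
#!/bin/sh
# check_fullchain.sh -- added example, not from the thread, ISPConfig or fetchmail.
# Checks a PEM bundle offline for:
#   1. a bare leaf with no intermediate      ("unable to get local issuer certificate")
#   2. a leaf that does not name the host    ("Server CommonName mismatch")
#   3. wrong order / wrong issuer in chain   ("Broken certification chain")
# Assumes the openssl CLI, 1.1.1 or newer (for 'x509 -ext').

# Split a PEM bundle ($1) into $2/cert01.pem, $2/cert02.pem, ... and print the count.
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n) }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }
    ' "$1"
}

# Does certificate $1 cover host name $2, via a DNS SAN entry or the subject CN?
# (Modern clients, fetchmail included, match against the SAN list; CN is the fallback.)
leaf_covers_name() {
    if openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | tr -d ' \t' | grep -qxF "DNS:$2"; then
        return 0
    fi
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | grep -qE '(^|[=,])CN='"$esc"'(,|$)'
}

# Is certificate $1 issued by certificate $2 (issuer DN of $1 equals subject DN of $2)?
issued_by() {
    iss=$(openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer=//')
    sub=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    [ -n "$iss" ] && [ "$iss" = "$sub" ]
}

# check_fullchain BUNDLE HOSTNAME -> returns 0 if the bundle looks usable, 1 otherwise.
check_fullchain() {
    bundle=$1; name=$2; status=0
    [ -r "$bundle" ] || { echo "cannot read $bundle"; return 2; }
    tmp=$(mktemp -d) || return 2
    count=$(split_pem "$bundle" "$tmp")
    echo "$bundle: $count certificate(s)"
    if [ "$count" -lt 2 ]; then
        echo "WARN: no intermediate in bundle; clients that do not already trust the" \
             "issuer will report 'unable to get local issuer certificate'"
        status=1
    fi
    if leaf_covers_name "$tmp/cert01.pem" "$name"; then
        echo "OK: leaf certificate covers $name"
    else
        echo "FAIL: leaf certificate does not cover $name (expect a CommonName/SAN mismatch)"
        status=1
    fi
    i=1
    while [ "$i" -lt "$count" ]; do
        j=$((i + 1))
        a=$(printf '%s/cert%02d.pem' "$tmp" "$i")
        b=$(printf '%s/cert%02d.pem' "$tmp" "$j")
        if issued_by "$a" "$b"; then
            echo "OK: certificate $i is issued by certificate $j"
        else
            echo "FAIL: certificate $i is not issued by certificate $j (wrong order or wrong intermediate)"
            status=1
        fi
        i=$j
    done
    rm -rf "$tmp"
    return "$status"
}

# Live probe, same idea as the s_client run above. Implicit TLS (993/995) needs no
# -starttls; for 143/110 pass 'imap' or 'pop3' as the third argument.
probe_tls() {   # probe_tls HOST PORT [imap|pop3]
    if [ -n "$3" ]; then
        openssl s_client -connect "$1:$2" -servername "$1" -starttls "$3" </dev/null 2>/dev/null
    else
        openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null
    fi | grep -E 'depth=|verify (error|return)|Verify return code'
}

# Usage: sh check_fullchain.sh /root/.acme.sh/mail.example.test/fullchain.cer mail.example.test
if [ $# -eq 2 ]; then
    check_fullchain "$1" "$2"
fi
```

    Run it against the file dovecot's ssl_cert points to and against the host name in the poll line of .fetchmailrc; a count of 1 or a FAIL line explains the fetchmail messages above without any network access. The probe_tls function reproduces pyte's check and should show the full chain (depth=1 and depth=2 lines) once the bundle is fixed.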
     
  14. Taxi

    Taxi Member

    Thank you so much Till for investing time into my issue!
    I'm creating the certificates via ISPConfig. I unchecked the SSL and Let's Encrypt SSL buttons and saved the domain. After the process went through, I checked SSL and Let's Encrypt SSL again to force the creation of the new certificate. I also verified it via web browser, and now I can see all three domains in the certificate: mail.rothmedia.net, imap.rothmedia.net and smtp.rothmedia.net.
    Does the newly created /root/.acme.sh/mail.rothmedia.net/fullchain.cer contain everything, correct?
    Well, this one I copied to my local machine into /etc/ssl/certs/ AND into /etc/postfix/smtpd.cert.

    A /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt does not exist.
     
  15. Taxi

    Taxi Member

    Update: Miraculously after a reboot, my emails get fetched like a charm.

    I can't tell what solved the problem, but I'm happy that it all works again.

    Many, many thanks for all your help and time investigating into my issue.
     