Postfix/Roundcube TLS problem after perfect server tutorial

Discussion in 'Server Operation' started by girthh, Dec 15, 2019.

  1. girthh

    girthh New Member

    Don't get me wrong, Perfect server tutorials are great! I seem to be experiencing a problem that hundreds of google results cannot fix (all giving the same 'solved' advice which isn't working). Can't seem to get emails sent with TLS no matter how hard I have been trying. It's probably a simple fix that I'm missing in config.inc.php, main.cf or apps.vhost hopefully.
    (Perfect server tutorial, Debian 10, ISPconfig(3.1), NginX(1.14), Postfix(3.4.7), Roundcube, Dovecot(2.3.4.1), PHP(7.3), Digital Ocean hosting, and lots of altering/tinkering)

    THE GOAL HERE:

    Roundcube login | Postfix/Roundcube TLS | Only TLSv1.3 and TLSv1.2 on websites (how it's set up already: see below)

    Roundcube Error pop-up when sending email: (port 587, and on port 25)
    SMTP Error (220): Authentication failed.
    Error message in mail.log when sending email:
    Code:
    Dec 15 13:31:05 nyc postfix/submission/smtpd[21495]: connect from localhost[127.0.0.1]
    Dec 15 13:31:05 nyc postfix/submission/smtpd[21495]: lost connection after STARTTLS from localhost[127.0.0.1]
    Dec 15 13:31:05 nyc postfix/submission/smtpd[21495]: disconnect from localhost[127.0.0.1] ehlo=1 starttls=1 commands=2
    

    A FEW NOTES/QUESTIONS:
    1) Apps.vhost and MYDOMAIN.vhost(s) for Roundcube in sites-available has some custom code:
    Code:
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/dhparams4096.pem;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:!aNULL:!MD5;
    ssl_ecdh_curve secp384r1;
    ssl_session_timeout  10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    
    *Listen directives (for all IPv4s and IPv6s) have ssl and http2, if that may matter in some weird way.
    
    *nginx.conf also has the above code, but instead only has "ssl_protocols TLSv1.3;" and also has "add_header X-Frame-Options DENY;"
    2) Does defaults.inc.php also have to match config.inc.php? (I think it overwrites?)
    3) imap_conn_options and/or smtp_conn_options?
    4) We are LetsEncrypt Self-signed

    Roundcube config file (/etc/roundcube/config.inc.php):
    Code:
    $config['default_host'] = 'localhost';
    $config['smtp_server'] = 'tls://localhost';
    $config['smtp_port'] = 587;
    $config['smtp_user'] = '%u';
    $config['smtp_pass'] = '%p';
    
    **If I set 'default_host' to 'tls://localhost' or 'tls://%n' I cannot login to Roundcube (Connection to storage server failed)
    **If I try 'smtp_port' at 465 I get other errors (plus 465 is deprecated so let's stick with 587)
    **Port 25 throwing same error


    Postfix master.cf:
    Code:
    submission inet n       -       y       -       -       smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_tls_auth_only=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    smtps     inet  n       -       y       -       -       smtpd
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    


    main.cf SUMMARY (full below): I altered a few things after installation
    Code:
    #tls_ssl_options = NO_RENEGOTIATION
    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
    smtpd_recipient_restrictions =
       reject_unauth_pipelining,
       reject_non_fqdn_sender,
       reject_non_fqdn_recipient,
       reject_unknown_sender_domain,
       reject_unknown_recipient_domain,
       permit_mynetworks,
       permit_sasl_authenticated,
       reject_unauth_destination,
       reject_rbl_client zen.spamhaus.org,
       reject_rbl_client bl.spamcop.net,
       reject_non_fqdn_hostname,
       reject_invalid_hostname
    smtp_use_tls = no
    smtpd_use_tls = yes
    smtpd_tls_security_level = may
    smtp_tls_security_level = may
    smtpd_sasl_auth_enable = yes
    smtpd_tls_auth_only = no
    smtpd_helo_restrictions =
        permit_mynetworks,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_non_fqdn_helo_hostname,
        reject_invalid_helo_hostname,
        reject_unknown_helo_hostname,
        permit
    smtpd_sender_restrictions =
        permit_mynetworks,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain
    smtpd_client_restrictions =
        permit_mynetworks,
        reject_unknown_client_hostname,
        check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    smtpd_tls_mandatory_ciphers = medium
    tls_medium_cipherlist = EECDH+AESGCM:EDH+AESGCM
    tls_preempt_cipherlist = yes
    smtpd_tls_exclude_ciphers = RC4, aNULL
    smtp_tls_exclude_ciphers = RC4, aNULL
    

    main.cf full:

    Code:
    smtpd_banner = $myhostname ESMTP $mail_name
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    readme_directory = /usr/share/doc/postfix
    
    # See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
    # fresh installs.
    compatibility_level = 2
    
    
    
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    #tls_ssl_options = NO_RENEGOTIATION
    
    
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
    myhostname = nyc.MYDOMAIN
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    myorigin = /etc/mailname
    mydestination = nyc.MYDOMAIN, localhost, localhost.localdomain
    relayhost =
    mynetworks = 127.0.0.0/8 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = all
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains =
    virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf
    virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf
    sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_restriction_classes = greylisting
    greylisting = check_policy_service inet:127.0.0.1:10023
    smtpd_recipient_restrictions =
       reject_unauth_pipelining,
       reject_non_fqdn_sender,
       reject_non_fqdn_recipient,
       reject_unknown_sender_domain,
       reject_unknown_recipient_domain,
       permit_mynetworks,
       permit_sasl_authenticated,
       reject_unauth_destination,
       reject_rbl_client zen.spamhaus.org,
       reject_rbl_client bl.spamcop.net,
       reject_non_fqdn_hostname,
       reject_invalid_hostname
    smtp_use_tls = no
    smtpd_use_tls = yes
    smtpd_tls_security_level = may
    smtp_tls_security_level = may
    smtpd_sasl_auth_enable = yes
    smtpd_tls_auth_only = no
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual$
    smtpd_helo_required = yes
    smtpd_helo_restrictions =
        permit_mynetworks,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_non_fqdn_helo_hostname,
        reject_invalid_helo_hostname,
        reject_unknown_helo_hostname,
        permit
    smtpd_sender_restrictions =
        permit_mynetworks,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain
    smtpd_client_restrictions =
        permit_mynetworks,
        reject_unknown_client_hostname,
        check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    smtpd_client_message_rate_limit = 100
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = dovecot
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    owner_request_special = no
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    smtpd_tls_mandatory_ciphers = medium
    tls_medium_cipherlist = EECDH+AESGCM:EDH+AESGCM
    tls_preempt_cipherlist = yes
    smtpd_tls_exclude_ciphers = RC4, aNULL
    smtp_tls_exclude_ciphers = RC4, aNULL
    dovecot_destination_recipient_limit = 1
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    content_filter = amavis:[127.0.0.1]:10024
    receive_override_options = no_address_mappings
    message_size_limit = 0
    
     
    Last edited: Dec 15, 2019
  2. girthh

    girthh New Member

    #faith

    also:
    nano /etc/dovecot/dovecot.conf
    Code:
    ssl = yes
    ssl_cert = </etc/postfix/smtpd.cert
    ssl_key = </etc/postfix/smtpd.key
    ssl_dh = </etc/ssl/dhparams4096.pem
    ssl_min_protocol = TLSv1.2
    ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
    ssl_prefer_server_ciphers = yes
    
     
    Last edited: Dec 15, 2019
  3. Steini86

    Steini86 Active Member

    - Set hostname in roundcube to match hostname in TLS certificate:
    Code:
    $config['default_host'] = 'localhost';
    $config['smtp_server'] = 'tls://localhost';
    This is untrusted, because certificate "/etc/postfix/smtpd.key" is not valid for host "localhost"!

    See roundcube faq:
    Look at bottom of https://github.com/roundcube/roundcubemail/wiki/FAQ on how to change that. Since you have a valid LetsEncrypt certificate, just use the valid CN of certificate to connect.

    - If it still does not work, enable debug in roundcube config to get better error messages:
    Code:
    $config['debug_level'] = 1;
    $config['smtp_debug'] = true;
    - Which version of Roundcube? If not the 1.4, try with the latest version.
     
    Last edited: Dec 15, 2019
    girthh likes this.
  4. girthh

    girthh New Member

    Thanks Stein. I got it sending the mail, but without matching the common name by adding the almost-suggested code into defaults.inc.php:
    Code:
    $config['imap_conn_options'] = array(
      'ssl' => array(
        'verify_peer'      => false,   // skip CA chain check of the IMAP server certificate
        'verify_peer_name' => false,   // skip hostname check of the IMAP server certificate
      ),
    );
    
    $config['smtp_conn_options'] = array(
      'ssl' => array(
        'verify_peer'      => false,   // skip CA chain check of the SMTP server certificate
        'verify_peer_name' => false,   // skip hostname check of the SMTP server certificate
      ),
    );
    
    Have any advice to get it as you suggested?
    Did you mean $config['default_host'] = 'tls://mail.mydomain'; ?
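An added diagnostic for the two points above (Steini86's hostname mismatch and the `verify_peer`/`verify_peer_name` workaround), written here as an editor's example and not code from the thread, from Roundcube or from Postfix: it performs the same STARTTLS handshake Roundcube's PHP stream wrapper does against the submission port and verifies the certificate against a given name, once as `localhost` and once as the server's mail hostname. A verifying client whose hostname check fails closes the socket right after the handshake, which is consistent with the `lost connection after STARTTLS` lines in the first post (ehlo and starttls seen, no auth). Setting `verify_peer`/`verify_peer_name` to `false` removes the symptom by accepting any certificate at all; pointing Roundcube at the name the certificate was issued for keeps verification on. Assumptions: OpenSSL 1.1.1 as shipped with Debian 10, Postfix listening on 127.0.0.1:587, `postconf` available to read `myhostname`; the numbers in the table are the standard OpenSSL X509_V_ERR codes.

```shell
#!/bin/sh
# Added example, not code from the thread or from Roundcube/Postfix: probe the
# Postfix submission port the way Roundcube's stream wrapper does (STARTTLS, then
# peer verification against the name the client was given) and explain the result.
# Assumes OpenSSL 1.1.1 (Debian 10) and that Postfix listens on 127.0.0.1:587.

# Extract the numeric "Verify return code" from `openssl s_client` output on stdin.
# Prints "0" when chain and hostname verified, the OpenSSL error number otherwise,
# or "no-handshake" when no TLS session was ever established.
parse_verify_code() {
    code=$(sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | tail -n 1)
    if [ -z "$code" ]; then
        echo "no-handshake"
    else
        echo "$code"
    fi
}

# Map the most common verification results to what a mail admin has to fix.
# Numbers are OpenSSL X509_V_ERR_* codes; 62 is X509_V_ERR_HOSTNAME_MISMATCH.
explain_verify_code() {
    case "$1" in
        0)            echo "ok: chain trusted and certificate covers this name" ;;
        62)           echo "hostname mismatch: certificate does not cover the name the client used" ;;
        18|19)        echo "self-signed certificate in chain: not issued by a CA the client trusts" ;;
        20|21)        echo "incomplete chain: intermediate missing (serve the fullchain, not just the leaf)" ;;
        10)           echo "certificate has expired" ;;
        no-handshake) echo "no TLS handshake: STARTTLS not offered, port closed, or connection dropped" ;;
        *)            echo "verification failed with OpenSSL error $1" ;;
    esac
}

# STARTTLS to HOST:PORT and verify the server certificate against NAME.
# NAME is also sent as SNI, mirroring what a client does with tls://NAME.
check_submission_tls() {
    host=$1; port=$2; name=$3
    out=$(openssl s_client -starttls smtp -connect "$host:$port" \
              -servername "$name" -verify_hostname "$name" </dev/null 2>&1) || true
    printf '%s\n' "$out" | parse_verify_code
}

# Compare the name Roundcube was configured with ("localhost") against the
# server's real mail hostname; both reach the same loopback listener, only the
# name being verified differs. A certificate issued for the mail hostname passes
# the second check and fails the first, which is the mismatch the thread is about.
main() {
    mailhost=${1:-$(postconf -h myhostname 2>/dev/null || hostname -f 2>/dev/null)}
    for name in localhost "$mailhost"; do
        [ -n "$name" ] || continue
        code=$(check_submission_tls 127.0.0.1 587 "$name")
        printf '%-30s %s\n' "tls://$name:587" "$(explain_verify_code "$code")"
    done
}

main "$@"
```

Run it on the mail server (optionally passing the mail hostname as the first argument). If the `localhost` line reports a hostname mismatch while the hostname line reports ok, the fix is `$config['smtp_server'] = 'tls://<that hostname>'` with verification left enabled. If both the chain and the name are wrong, the `verify error:num=` lines in s_client's raw output list each problem separately; fix the chain first, since no name will verify against an untrusted certificate.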
     
  5. Steini86

    Steini86 Active Member

    If "mail.mydomain" is your mailname and the "common name" in your LetsEncrypt certificate, then: Yes!

    [Edit]
    Just wondering: Have you successfully implemented the LetsEncrypt certificate into Postfix/Dovecot? As far as I remember, that is not covered by the Perfect server tutorial... If you have not done it, have a look at LE4ISPC:
    https://github.com/ahrasis/LE4ISPC
    Discussion: https://www.howtoforge.com/communit...l-port-8080-with-lets-encrypt-free-ssl.75554/
     
    Last edited: Dec 16, 2019
    girthh likes this.
  6. girthh

    girthh New Member

    What I did was very similar to your link, but I linked all services to the website's cert/key.
    Here are all the steps I took:
    Now I'm thinking this may have been bad practice, because the cert may not match the FQDN with hostname, as it matches just the website domain?

    Maybe it may cause problems down the line with the mail server cert not matching "server_hostname.server_name"? (nyc.MYWEBSITE.COM)
     
  7. Steini86

    Steini86 Active Member

    Your website domain should be your FQDN?
    For example, I reach my ispconfig interface at mail.domain.com:8080. At mail.domain.com (standard ports 80/443) I have installed my webmail. I use that certificate for all services (ispconfig/dovecot/postfix/etc ..)
    So the same as you did, just that I used the mailname consistently for all services
     
    girthh likes this.
  8. girthh

    girthh New Member

    Okay, I think I can see an error here:
    I made everything (SSL, ISPconfig, Postfix, Dovecot, and Pure-ftpd) all use the ISPconfig-generated LE cert (for a generated website) which can be bad for the mailserver certs not matching HOSTNAME.WEBSITE (as they match only WEBSITE and www.WEBSITE)

    I will try changing the certs and see if TLS POSTFIX is working better without having to use
    Code:
    $config['imap_conn_options'] = array(
      'ssl' => array(
        'verify_peer'      => false,   // skip CA chain check of the IMAP server certificate
        'verify_peer_name' => false,   // skip hostname check of the IMAP server certificate
      ),
    );
    
    $config['smtp_conn_options'] = array(
      'ssl' => array(
        'verify_peer'      => false,   // skip CA chain check of the SMTP server certificate
        'verify_peer_name' => false,   // skip hostname check of the SMTP server certificate
      ),
    );
     
  9. girthh

    girthh New Member

    UPDATE: Halfway solved as of now. (best practice may not be enabled)

    I went back into using the LE cert/key (for HOSTNAME.DOMAIN.com) generated during ISPconfig installation, and am receiving a self-signed error in browsers.

    I reverted back into using just the DOMAIN.COM cert/key that is generated when creating a website through ISPconfig.
    (and using it for all services: i.e. postfix, dovecot, ispconfig, ssl, etc)
    Once again: I am accessing the ISPconfig interface via DOMAIN.COM:8080.

    Is this the best practice?
     
  10. Steini86

    Steini86 Active Member

    To access your ISPconfig interface, you can use any hostname which resolves to your servers IP. However, you should use the hostname which matches your certificate, otherwise you will get warnings.
    You can use a different certificate for postfix/dovecot/etc if you like. But you have to make sure that the hostnames used match the certificate. If you have your RDNS and mailname set to (something.)domain.com, then your mail services should deliver a certificate valid for (something.)domain.com. You should use a different domain for this which is not configured as a mail domain. For example, if you use mail.domain.com, then you should not configure a mailbox [email protected]. This will mess up things. Therefore, do not use domain.com directly, if you want to use that for mails.

    There are dozens of different ways how to achieve that. Just take into account, that the services like postfix need to be reloaded to use a new certificate. That said, when your LetsEncrypt certificate gets renewed you should restart these services. The lazy solution is to just restart them via cron every now and then (every day/week).

    My solution was:
    Create a website for webmail mail.mydomain.com with LetsEncrypt to get the certificate managed via ispconfig. Set rdns /mailname / hostname to mail.mydomain.com (in fact, I did this at the setup). Use this certificate (letsencrypt live folder) for the services. Restart them, when the certificate gets renewed.
     
    girthh and till like this.
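A post-renewal hook for the setup Steini86 describes (one Let's Encrypt certificate for the mail hostname, reused by Postfix and Dovecot, reloaded when it renews), added here as an editor's example and not code from the thread, from ISPConfig or from LE4ISPC. Instead of restarting blindly from cron, it first checks that the renewed certificate actually covers the mail hostname from `main.cf` (the mismatch that started this thread) and that Postfix is configured to read that file at all, and only then reloads both daemons. Assumed: certbot's layout (`/etc/letsencrypt/live/<name>/fullchain.pem`, with `RENEWED_LINEAGE` exported to `--deploy-hook` scripts); with acme.sh, pass the directory holding `fullchain.pem` as the first argument instead.

```shell
#!/bin/sh
# Added example, not code from the thread, from ISPConfig or from LE4ISPC: a
# post-renewal hook that refuses to reload Postfix/Dovecot unless the renewed
# certificate covers the mail hostname and Postfix is configured to read it.
# Assumes certbot paths (/etc/letsencrypt/live/<name>/fullchain.pem) and the
# RENEWED_LINEAGE variable certbot exports to --deploy-hook scripts.

# Does the certificate file $1 cover hostname $2? Uses OpenSSL's own matcher
# (subjectAltName first, CN only when no SAN is present), i.e. the same rule a
# verifying client such as Roundcube applies.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null \
        | grep -q 'does match certificate'
}

# Is certificate $1 still valid for at least $2 more seconds?
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Validate a certificate against the mail hostname; prints the reason and
# returns 1 on any problem so the caller can refuse to reload.
check_lineage() {
    cert=$1; mailhost=$2
    if [ ! -r "$cert" ]; then
        echo "no readable certificate at $cert"; return 1
    fi
    if ! cert_matches_host "$cert" "$mailhost"; then
        echo "$cert does not cover $mailhost: verifying clients (Roundcube, MUAs) will reject it"
        return 1
    fi
    if ! cert_valid_for "$cert" 86400; then
        echo "$cert expires within 24h: renewal did not produce a fresh certificate"; return 1
    fi
    echo "$cert covers $mailhost"
}

# Postfix only reads the file named in main.cf; if that is still the tutorial's
# /etc/postfix/smtpd.cert, reloading after a renewal changes nothing.
postfix_reads() {
    [ "$(postconf -h smtpd_tls_cert_file 2>/dev/null)" = "$1" ]
}

# Both daemons load key and certificate at (re)start and never re-read the
# files on their own; a renewed file on disk is invisible until this runs.
reload_mail_services() {
    postfix reload && doveadm reload
}

main() {
    lineage=${1:-${RENEWED_LINEAGE:-}}
    [ -n "$lineage" ] || { echo "usage: $0 /etc/letsencrypt/live/<mailhost>" >&2; exit 2; }
    mailhost=$(postconf -h myhostname)
    cert=$lineage/fullchain.pem
    check_lineage "$cert" "$mailhost" || exit 1
    postfix_reads "$cert" || { echo "main.cf smtpd_tls_cert_file does not point at $cert" >&2; exit 1; }
    reload_mail_services
}

# Run only when invoked by certbot (RENEWED_LINEAGE set) or with an explicit
# lineage directory, so the functions can also be sourced and tested on their own.
if [ -n "${RENEWED_LINEAGE:-}" ] || [ $# -gt 0 ]; then
    main "$@"
fi
```

Install it as the deploy hook (or call it from whatever renews the certificate) and point `smtpd_tls_cert_file`/`smtpd_tls_key_file` in `main.cf` and `ssl_cert`/`ssl_key` in Dovecot at the files under the live directory rather than copying them to `/etc/postfix/smtpd.cert`, so a renewal plus this reload is all that is needed. The same `cert_matches_host` check run against `nyc.MYDOMAIN` versus `MYDOMAIN` shows why the website certificate from post 8 was rejected for the mail hostname.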
