Don't get me wrong, Perfect Server tutorials are great! I seem to be experiencing a problem that hundreds of Google results cannot fix (all giving the same 'solved' advice which isn't working). I can't seem to get emails sent with TLS no matter how hard I have been trying. It's probably a simple fix that I'm missing in config.inc.php, main.cf or apps.vhost, hopefully.

(Perfect Server tutorial, Debian 10, ISPconfig (3.1), nginx (1.14), Postfix (3.4.7), Roundcube, Dovecot (2.3.4.1), PHP (7.3), DigitalOcean hosting, and lots of altering/tinkering)

THE GOAL HERE: Roundcube login | Postfix/Roundcube TLS | Only TLSv1.3 and TLSv1.2 on websites (how it's set up already: see below)

Roundcube error pop-up when sending email (port 587, and on port 25):
SMTP Error (220): Authentication failed.

Error message in mail.log when sending email:
Code:
Dec 15 13:31:05 nyc postfix/submission/smtpd[21495]: connect from localhost[127.0.0.1]
Dec 15 13:31:05 nyc postfix/submission/smtpd[21495]: lost connection after STARTTLS from localhost[127.0.0.1]
Dec 15 13:31:05 nyc postfix/submission/smtpd[21495]: disconnect from localhost[127.0.0.1] ehlo=1 starttls=1 commands=2

A FEW NOTES/QUESTIONS:

1) apps.vhost and MYDOMAIN.vhost(s) for Roundcube in sites-available have some custom code:
Code:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/dhparams4096.pem;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:!aNULL:!MD5;
ssl_ecdh_curve secp384r1;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
*Listen directives (for all IPv4s and IPv6s) have ssl and http2, if that may matter in some weird way.
*nginx.conf also has the above code, but instead only has "ssl_protocols TLSv1.3;" and also has "add_header X-Frame-Options DENY;"

2) Does defaults.inc.php also have to match config.inc.php? (I think it overwrites?)

3) imap_conn_options and/or smtp_conn_options?

4) We are LetsEncrypt self-signed.

Roundcube config file (/etc/roundcube/config.inc.php):
Code:
$config['default_host'] = 'localhost';
$config['smtp_server'] = 'tls://localhost';
$config['smtp_port'] = 587;
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';
**If I set 'default_host' to 'tls://localhost' or 'tls://%n' I cannot log in to Roundcube (Connection to storage server failed)
**If I try 'smtp_port' at 465 I get other errors (plus 465 is deprecated, so let's stick with 587)
**Port 25 throws the same error

Postfix master.cf:
Code:
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

main.cf SUMMARY (full below); I altered a few things after installation:
Code:
#tls_ssl_options = NO_RENEGOTIATION
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_recipient_restrictions = reject_unauth_pipelining, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_non_fqdn_hostname, reject_invalid_hostname
smtp_use_tls = no
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = no
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, permit
smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain
smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = EECDH+AESGCM:EDH+AESGCM
tls_preempt_cipherlist = yes
smtpd_tls_exclude_ciphers = RC4, aNULL
smtp_tls_exclude_ciphers = RC4, aNULL

main.cf full:
Code:
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = /usr/share/doc/postfix
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
# TLS parameters
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
#tls_ssl_options = NO_RENEGOTIATION
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = nyc.MYDOMAIN
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
myorigin = /etc/mailname
mydestination = nyc.MYDOMAIN, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains =
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf
virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_restriction_classes = greylisting
greylisting = check_policy_service inet:127.0.0.1:10023
smtpd_recipient_restrictions = reject_unauth_pipelining, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_non_fqdn_hostname, reject_invalid_hostname
smtp_use_tls = no
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = no
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual$
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, permit
smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain
smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_client_message_rate_limit = 100
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = dovecot
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
owner_request_special = no
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = EECDH+AESGCM:EDH+AESGCM
tls_preempt_cipherlist = yes
smtpd_tls_exclude_ciphers = RC4, aNULL
smtp_tls_exclude_ciphers = RC4, aNULL
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
message_size_limit = 0

Also (nano /etc/dovecot/dovecot.conf):
Code:
ssl = yes
ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
ssl_dh = </etc/ssl/dhparams4096.pem
ssl_min_protocol = TLSv1.2
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
ssl_prefer_server_ciphers = yes
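The three mail.log lines quoted in the post above have a recognisable shape: the client asks for STARTTLS, Postfix accepts it, and the client then drops the connection without ever trying to authenticate, so the submission service logs "lost connection after STARTTLS" and a disconnect summary with starttls=1 but no auth= counter. The following Python script is an added example, not code from this thread or from Postfix/ISPConfig: it groups smtpd log lines into sessions and classifies how each one ended, so that this client-side TLS abort can be told apart from a wrong password (which shows up as auth=0/1 in the disconnect line) when reading a whole day of mail.log. The sample log is constructed for the example; only the three lines from the post are real, and 203.0.113.7 is a documentation-range address.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample log. The first three lines are the ones quoted in the post;
# sessions 21600 (healthy submission) and 21610 (failed SASL login from a
# documentation-range address, 203.0.113.7) are made up for contrast.
SAMPLE_LOG = """\
Dec 15 13:31:05 nyc postfix/submission/smtpd[21495]: connect from localhost[127.0.0.1]
Dec 15 13:31:05 nyc postfix/submission/smtpd[21495]: lost connection after STARTTLS from localhost[127.0.0.1]
Dec 15 13:31:05 nyc postfix/submission/smtpd[21495]: disconnect from localhost[127.0.0.1] ehlo=1 starttls=1 commands=2
Dec 15 13:40:02 nyc postfix/submission/smtpd[21600]: connect from localhost[127.0.0.1]
Dec 15 13:40:02 nyc postfix/submission/smtpd[21600]: Anonymous TLS connection established from localhost[127.0.0.1]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Dec 15 13:40:03 nyc postfix/submission/smtpd[21600]: disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Dec 15 13:41:10 nyc postfix/submission/smtpd[21610]: connect from unknown[203.0.113.7]
Dec 15 13:41:10 nyc postfix/submission/smtpd[21610]: Anonymous TLS connection established from unknown[203.0.113.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec 15 13:41:11 nyc postfix/submission/smtpd[21610]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 15 13:41:11 nyc postfix/submission/smtpd[21610]: disconnect from unknown[203.0.113.7] ehlo=2 starttls=1 auth=0/1 quit=1 commands=5/6
"""

# syslog prefix + "postfix/<syslog_name>/smtpd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<service>postfix(?:/\w+)?)/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
TLS_RE = re.compile(r"TLS connection established from \S+: (?P<proto>\S+) with cipher (?P<cipher>\S+)")
# "auth=0/1" means 0 succeeded out of 1 attempted; "ehlo=1" means 1 of 1
COUNTER_RE = re.compile(r"\b(\w+)=(\d+)(?:/(\d+))?")


@dataclass
class Session:
    pid: int
    service: str                      # syslog_name, e.g. postfix/submission
    client: str = ""
    tls_protocol: Optional[str] = None
    cipher: Optional[str] = None
    lost_after_starttls: bool = False
    sasl_failures: int = 0
    counters: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # cmd -> (ok, tried)

    def outcome(self) -> str:
        if self.lost_after_starttls:
            # Client began TLS and then hung up before its next command: in practice
            # the client refused the server certificate (name mismatch, unknown CA).
            return "tls_handshake_failed"
        auth_ok, auth_tried = self.counters.get("auth", (0, 0))
        if auth_tried and not auth_ok:
            return "auth_failed"
        if self.counters.get("starttls", (0, 0))[0] == 0:
            return "plaintext"
        if auth_ok and self.counters.get("mail", (0, 0))[0]:
            return "ok"
        return "incomplete"


def parse_sessions(log_text: str) -> List[Session]:
    sessions: List[Session] = []
    current: Dict[int, Session] = {}  # smtpd pids are reused, so "connect from" opens a new session
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = int(m["pid"]), m["msg"]
        if msg.startswith("connect from "):
            s = Session(pid=pid, service=m["service"], client=msg[len("connect from "):])
            sessions.append(s)
            current[pid] = s
            continue
        s = current.get(pid)
        if s is None:
            continue  # belongs to a session that started before the sample begins
        tls = TLS_RE.search(msg)
        if "lost connection after STARTTLS" in msg:
            s.lost_after_starttls = True
        elif tls:
            s.tls_protocol, s.cipher = tls["proto"], tls["cipher"]
        elif "SASL" in msg and "authentication failed" in msg:
            s.sasl_failures += 1
        elif msg.startswith("disconnect from "):
            for name, ok, tried in COUNTER_RE.findall(msg):
                s.counters[name] = (int(ok), int(tried or ok))
            current.pop(pid, None)
    return sessions


def summarize(log_text: str) -> Counter:
    """Count (service, outcome) pairs across the whole log."""
    return Counter((s.service, s.outcome()) for s in parse_sessions(log_text))


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_LOG):
        print(f"{s.service} pid={s.pid} client={s.client} tls={s.tls_protocol} -> {s.outcome()}")
    print(summarize(SAMPLE_LOG))
```

Run it against a real /var/log/mail.log (read the file into `summarize`) and a burst of `tls_handshake_failed` from 127.0.0.1 points at the webmail client's certificate check, whereas `auth_failed` from outside addresses is ordinary credential guessing that the `reject` in the submission restrictions already handles.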
- Set the hostname in Roundcube to match the hostname in the TLS certificate:
Code:
$config['default_host'] = 'localhost';
$config['smtp_server'] = 'tls://localhost';
This is untrusted, because certificate "/etc/postfix/smtpd.key" is not valid for host "localhost"! See the Roundcube FAQ: look at the bottom of https://github.com/roundcube/roundcubemail/wiki/FAQ on how to change that. Since you have a valid LetsEncrypt certificate, just use the valid CN of the certificate to connect.
- If it still does not work, enable debug in the Roundcube config to get better error messages:
Code:
$config['debug_level'] = 1;
$config['smtp_debug'] = true;
- Which version of Roundcube? If not 1.4, try with the latest version.
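The reply above comes down to one rule: the name Roundcube connects to ("localhost" in the posted config) has to be one of the names in the certificate that Postfix and Dovecot present, otherwise the PHP client aborts the handshake and Postfix only sees "lost connection after STARTTLS". The Python below is an added example (not Roundcube, Postfix or Dovecot code) that applies that hostname rule the way TLS clients do, including two cases the thread does not spell out: wildcard names cover exactly one label, and an IP literal such as 127.0.0.1 never matches a DNS name. The certificate names and hostnames are constructed placeholders (mydomain.example stands in for the poster's MYDOMAIN); in practice you would read the real ones from `openssl x509 -in /etc/postfix/smtpd.cert -noout -text` under "Subject Alternative Name".

```python
import ipaddress
from typing import Dict, Iterable


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def hostname_matches(hostname: str, cert_names: Iterable[str]) -> bool:
    """True if `hostname` is covered by one of the certificate's DNS/IP names.

    Rules, as browsers and PHP/OpenSSL apply them (RFC 6125 style):
    - comparison is case-insensitive and ignores a trailing dot;
    - an IP literal only matches an identical IP entry, never a DNS name;
    - "*." may only replace the whole leftmost label and covers exactly one
      label: *.example.org covers mail.example.org, not example.org or a.b.example.org.
    """
    host = hostname.rstrip(".").lower()
    host_is_ip = _is_ip(host)
    for raw in cert_names:
        name = raw.rstrip(".").lower()
        if name == host:
            return True
        if host_is_ip or not name.startswith("*."):
            continue
        suffix = name[1:]                                     # ".example.org"
        prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
        if prefix and "." not in prefix:                      # exactly one label replaced
            return True
    return False


def check_services(cert_names: Iterable[str], service_hosts: Dict[str, str]) -> Dict[str, bool]:
    """For each service, is the host it is reached at covered by the certificate?"""
    names = list(cert_names)
    return {svc: hostname_matches(host, names) for svc, host in service_hosts.items()}


# Constructed placeholders standing in for the poster's setup.
WEBSITE_CERT = ["mydomain.example", "www.mydomain.example"]  # typical ISPConfig website cert
MAIL_CERT = ["mail.mydomain.example"]                         # cert issued for the mail name

# What the posted config connects to, and what the reply suggests instead.
ROUNDCUBE_AS_POSTED = {"imap": "localhost", "smtp": "localhost"}
ROUNDCUBE_FIXED = {"imap": "mail.mydomain.example", "smtp": "mail.mydomain.example"}

if __name__ == "__main__":
    print("website cert vs localhost:", check_services(WEBSITE_CERT, ROUNDCUBE_AS_POSTED))
    print("website cert vs nyc.mydomain.example:",
          hostname_matches("nyc.mydomain.example", WEBSITE_CERT))
    print("mail cert vs fixed config:", check_services(MAIL_CERT, ROUNDCUBE_FIXED))
```

The second print shows why reusing the website certificate for the mail services fails even without "localhost": a certificate for mydomain.example and www.mydomain.example says nothing about nyc.mydomain.example, so the hostname the server is actually reached at has to be on the certificate, or the certificate has to be issued for that hostname.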
Thanks Stein. I got it sending the mail, but without matching the common name, by adding the almost-suggested code into defaults.inc.php:
Code:
$config['imap_conn_options'] = array(
    'ssl' => array(
        'verify_peer'      => false,
        'verify_peer_name' => false,
    ),
);
$config['smtp_conn_options'] = array(
    'ssl' => array(
        'verify_peer'      => false,
        'verify_peer_name' => false,
    ),
);
Have any advice to get it as you suggested? Did you mean $config['default_host'] = 'tls://mail.mydomain'; ?
If "mail.mydomain" is your mailname and the "common name" in your LetsEncrypt certificate, then: Yes!

[Edit] Just wondering: have you successfully implemented the LetsEncrypt certificate into Postfix/Dovecot? As far as I remember, that is not covered by the Perfect Server tutorial... If you have not done it, have a look at LE4ISPC: https://github.com/ahrasis/LE4ISPC
Discussion: https://www.howtoforge.com/communit...l-port-8080-with-lets-encrypt-free-ssl.75554/
What I did was very similar to your link, but I linked all services to the website's cert/key. Here are all the steps I took:

Now I'm thinking this may have been bad practice, because the cert may not match the FQDN with hostname, as it matches just the website domain? Maybe it may cause problems down the line with the mail server cert not matching "server_hostname.server_name"? (nyc.MYWEBSITE.COM)
Your website domain should be your FQDN? For example, I reach my ISPConfig interface at mail.domain.com:8080. At mail.domain.com (standard ports 80/443) I have installed my webmail. I use that certificate for all services (ispconfig/dovecot/postfix/etc.). So the same as you did, just that I used the mailname consequently for all services.
Okay, I think I can see an error here: I made everything (SSL, ISPconfig, Postfix, Dovecot, and Pure-FTPd) all use the ISPconfig-generated LE cert (for a generated website), which can be bad for the mail server certs not matching HOSTNAME.WEBSITE (as they match only WEBSITE and www.WEBSITE). I will try changing the certs and see if TLS Postfix is working better without having to use
Code:
$config['imap_conn_options'] = array(
    'ssl' => array(
        'verify_peer'      => false,
        'verify_peer_name' => false,
    ),
);
$config['smtp_conn_options'] = array(
    'ssl' => array(
        'verify_peer'      => false,
        'verify_peer_name' => false,
    ),
);
UPDATE: Halfway solved as of now. (Best practice may not be enabled.)

I went back to using the LE cert/key (for HOSTNAME.DOMAIN.com) generated during ISPconfig installation, and am receiving a self-signed error in browsers. I reverted back to using just the DOMAIN.COM cert/key that is generated when creating a website through ISPconfig (and using it for all services, i.e. postfix, dovecot, ispconfig, ssl, etc.).

Once again: I am accessing the ISPconfig interface via DOMAIN.COM:8080. Is this the best practice?
To access your ISPconfig interface, you can use any hostname which resolves to your server's IP. However, you should use the hostname which matches your certificate, otherwise you will get warnings.

You can use a different certificate for postfix/dovecot/etc. if you like. But you have to make sure that the hostnames used match the certificate. If you have your RDNS and mailname set to (something.)domain.com, then your mail services should deliver a certificate valid for (something.)domain.com.

You should use a different domain for this which is not configured as a mail domain. For example, if you use mail.domain.com, then you should not configure a mailbox [email protected]. This will mess up things. Therefore, do not use domain.com directly, if you want to use that for mails.

There are dozens of different ways how to achieve that. Just take into account that services like postfix need to be reloaded to use a new certificate. That said, when your LetsEncrypt certificate gets renewed you should restart these services. The lazy solution is to just restart them via cron every now and then (every day/week).

My solution was:
- Create a website for webmail mail.mydomain.com with LetsEncrypt to get the certificate managed via ispconfig.
- Set rdns / mailname / hostname to mail.mydomain.com (in fact, I did this at the setup).
- Use this certificate (letsencrypt live folder) for the services.
- Restart them when the certificate gets renewed.