Problem with smtps, possibly because of nightly

Discussion in 'Installation/Configuration' started by Stefan Schumacher, Aug 31, 2021.

  1. Hi,

    I have two ISPConfig servers, both of them running on Debian 10.10. One of them was installed before the acme problem occurred and has working certificates despite being a plain 3.25, no nightly. It is used as a web server.

    The second server is the mail server which now runs on Nightly, which fixed the problems with certificate generation through acme.sh. Unfortunately I cannot connect to port 465 with TLS anymore.
    Both servers have the identical configuration for smtps (I compared them with meld):
    smtps inet n - - - - smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject

    And now the result of trying to establish a TLS connection to both servers:
    Server vm104
    openssl s_client -connect vm104.consulting1x1.info:465
    CONNECTED(00000003)
    <Certificate Chain, Server certificate>
    End Result:
    220 vm104.consulting1x1.info ESMTP Postfix (Debian/GNU)

    And now the same when trying to connect to vm112.consulting1x1.info:465
    openssl s_client -connect vm112.consulting1x1.info:465
    CONNECTED(00000003)
    write:errno=104
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 316 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)

    I am sure that the certificate and the certificate chain are alright on the new server because I can connect to Dovecot Port 993 and 995 with the same certificates.
    Any idea where I might start looking?

    Yours sincerely
    Stefan
     
  2. Jesse Norell (ISPConfig Developer, Staff Member)

    What path is set for the certificate files in postfix? I'm guessing it is different than what dovecot is using.
     
  3. I don't think so:
    /etc/postfix/main.cf
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key

    root@mail1:/etc/postfix# ls -la smtpd*
    lrwxrwxrwx 1 root root 48 Aug 30 16:05 smtpd.cert -> /usr/local/ispconfig/interface/ssl/ispserver.crt
    lrwxrwxrwx 1 root root 48 Aug 30 16:05 smtpd.key -> /usr/local/ispconfig/interface/ssl/ispserver.key

    /etc/dovecot.conf:
    ssl_cert = </etc/postfix/smtpd.cert
    ssl_key = </etc/postfix/smtpd.key
    There are no overwrites for this configuration in /etc/dovecot/conf.d/99-ispconfig-custom-config.conf.

    /root/.acme.sh/mail1.consulting1x1.info.
    d5ad0b50803f96ea29a129093f941139 fullchain.cer
    60042eb265c7d2a278bf876253e71c08 mail1.consulting1x1.info.key

    /usr/local/ispconfig/interface/ssl
    d5ad0b50803f96ea29a129093f941139 ispserver.crt
    60042eb265c7d2a278bf876253e71c08 ispserver.key

    Yours sincerely
    Stefan
     
  4. Jesse Norell (ISPConfig Developer, Staff Member)

    That should work, then. Stop postfix, ensure it is stopped, then start it again, and watch for any errors to mail.log.
     
  5. This seems relevant:
    Sep 1 12:05:03 mail1 postfix/smtpd[11156]: warning: Invalid TLS protocol list "!SSLv2, !SSLv3, !TLSv1.0, !TLSv1.1": disabling TLS support
    Sep 1 12:10:03 mail1 postfix/smtpd[12321]: warning: Invalid TLS protocol list "!SSLv2, !SSLv3, !TLSv1.0, !TLSv1.1": disabling TLS support

    I have copied the list from the other server and now TLS works. Thanks, Jesse.
    By the way: will I have to update the old pre-01.08.2021 server to Nightly in order to keep acme working, or can I just leave all as it is?

    Yours sincerely
    Stefan
     
  6. Jesse Norell (ISPConfig Developer, Staff Member)

    I don't see TLS settings which resemble that for postfix; is that something you set yourself (and maybe copied the dovecot settings to postfix by mistake)?

    I believe it's fine to just leave it as is.
     
  7. I simply saw how SSLv2 and SSLv3 were disabled and extended the syntax to TLSv1.0 and TLSv1.1. postconf is not complaining and I can connect via SSL and STARTTLS to all ports.
     
  8. How should it look? At the moment I am using:
    smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    and neither postconf nor postfix are complaining about it, and tests via testssl.sh
    confirm that my settings work. Output:
    Service set: STARTTLS via SMTP
    Testing protocols via sockets
    SSLv2 not offered (OK)
    SSLv3 not offered (OK)
    TLS 1 not offered
    TLS 1.1 not offered
    TLS 1.2 offered (OK)
    TLS 1.3 offered (OK): final
    This looks like it's working to me.
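The warning in post 5 and the working setting in post 8 differ by a single token. Postfix only knows the protocol names SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3, so "!TLSv1.0" is an unknown name, and rather than guess, Postfix declares the whole list invalid and disables TLS for that smtpd instance, which is exactly why port 465 reset the connection while Dovecot (a separate protocol list, same certificate) kept working. The following Python script is an added example for this thread, not code from the posters or from the ISPConfig or Postfix projects: it scans mail.log lines for that warning, validates the quoted list the way Postfix tokenises it, and proposes the corrected value. The log excerpt is constructed for the example and modelled on the lines quoted above; the ">=" / "<=" range forms are accepted by Postfix 3.6 and later only.

```python
import re

# Protocol names Postfix recognises in smtpd_tls_mandatory_protocols and the
# related *_tls_protocols settings (per the Postfix documentation).
# Note there is no "TLSv1.0": the documented name is "TLSv1".
POSTFIX_TLS_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

# Constructed mail.log excerpt modelled on the warning quoted in the thread
# (sample data for this example, not a capture from the poster's server).
SAMPLE_MAIL_LOG = """\
Sep 1 12:05:03 mail1 postfix/smtpd[11156]: warning: Invalid TLS protocol list "!SSLv2, !SSLv3, !TLSv1.0, !TLSv1.1": disabling TLS support
Sep 1 12:05:04 mail1 postfix/smtpd[11156]: connect from unknown[192.0.2.10]
Sep 1 12:10:03 mail1 postfix/smtpd[12321]: warning: Invalid TLS protocol list "!SSLv2, !SSLv3, !TLSv1.0, !TLSv1.1": disabling TLS support
"""

WARNING_RE = re.compile(r'warning: Invalid TLS protocol list "([^"]*)": disabling TLS support')


def validate_protocol_list(value):
    """Return the tokens of a Postfix protocol list that Postfix would reject.

    Postfix splits the value on commas and/or whitespace, strips an optional
    "!" (exclude) prefix, and requires every remaining name to be one of
    POSTFIX_TLS_PROTOCOLS; one unknown name invalidates the whole list and
    Postfix disables TLS for that service. Postfix 3.6 and later also accept
    the range forms ">=TLSv1.2" and "<=TLSv1.3", which are allowed here too.
    An empty result means the list is acceptable.
    """
    invalid = []
    for token in re.split(r"[,\s]+", value.strip()):
        if not token:
            continue
        name = token
        for prefix in ("!", ">=", "<="):
            if name.startswith(prefix):
                name = name[len(prefix):]
                break
        if name not in POSTFIX_TLS_PROTOCOLS:
            invalid.append(token)
    return invalid


def find_invalid_tls_lists(log_text):
    """Scan mail.log text for Postfix's "Invalid TLS protocol list" warning.

    Returns one (protocol_list, invalid_tokens) pair per distinct offending
    list, so a log full of repeated warnings collapses to the one setting
    that actually needs fixing.
    """
    seen = {}
    for line in log_text.splitlines():
        match = WARNING_RE.search(line)
        if match and match.group(1) not in seen:
            seen[match.group(1)] = validate_protocol_list(match.group(1))
    return list(seen.items())


def suggest_fix(value):
    """Rewrite the common "TLSv1.0" mistake to the name Postfix expects ("TLSv1")."""
    tokens = [t for t in re.split(r"[,\s]+", value.strip()) if t]
    return ", ".join(t.replace("TLSv1.0", "TLSv1") for t in tokens)


if __name__ == "__main__":
    for protocol_list, bad in find_invalid_tls_lists(SAMPLE_MAIL_LOG):
        print(f"offending list : {protocol_list}")
        print(f"unknown tokens : {bad}")
        print(f"suggested value: {suggest_fix(protocol_list)}")
```

Run against a real /var/log/mail.log after a `postfix stop` / `postfix start` cycle, as Jesse suggested, the script points at the exact value to change in main.cf; `postconf -n | grep tls_.*protocols` shows where that value lives, and `postconf` itself will not flag the name, which is why the log is the only place the mistake surfaces.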
     
