Problem with smtps, possibly because of nightly

Discussion in 'Installation/Configuration' started by Stefan Schumacher, Aug 31, 2021.

  1. Hi,

    I have two ISPConfig-Servers, both of them running on Debian 10.10. One of them was installed before the acme-problem occured and has working certificates despite being a plain 3.25, no nightly. It is used as a Web-Server.

    The second server is the mail server which now runs on Nightly, which fixed the Problems with certificate generation through Unfortunately I cannot connect to Port 465 with TLS anymore.
    Both servers have the identical configuration for smtps: (I compared them with meld)
    smtps inet n - - - - smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smt_client_restrictions=permit_sasl_authenticated,reject

    And now the result of trying to establish a TLS Connection to both servers:
    Server vm104
    openssl s_client -connect
    <Certificate Chain, Server certificate>
    End Result:
    220 ESMTP Postfix (Debian/GNU)

    And now the same when trying to connect to
    openssl s_client -connect
    no peer certificate available
    No client certificate CA names sent
    SSL handshake has read 0 bytes and written 316 bytes
    Verification: OK
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)

    I am sure that the certificate and the certificate chain are alright on the new server because I can connect to Dovecot Port 993 and 995 with the same certificates.
    Any idea where I might start looking?

    Yours sincerely
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    What path is set for the certificate files in postfix? I'm guessing it is different than what dovecot is using.
  3. I don't think so:
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key

    root@mail1:/etc/postfix# ls -la smtpd*
    lrwxrwxrwx 1 root root 48 Aug 30 16:05 smtpd.cert -> /usr/local/ispconfig/interface/ssl/ispserver.crt
    lrwxrwxrwx 1 root root 48 Aug 30 16:05 smtpd.key -> /usr/local/ispconfig/interface/ssl/ispserver.key

    ssl_cert = </etc/postfix/smtpd.cert
    ssl_key = </etc/postfix/smtpd.key
    There are no overwrites for this configuration in /etc/dovecot/conf.d/99-ispconfig-custom-config.conf.

    d5ad0b50803f96ea29a129093f941139 fullchain.cer

    d5ad0b50803f96ea29a129093f941139 ispserver.crt
    60042eb265c7d2a278bf876253e71c08 ispserver.key

    Yours sincerely
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    That should work, then. Stop postfix, ensure it is stopped, then start it again, and watch for any errors to mail.log.
  5. This seems relevant:
    Sep 1 12:05:03 mail1 postfix/smtpd[11156]: warning: Invalid TLS protocol list "!SSLv2, !SSLv3, !TLSv1.0, !TLSv1.1": disabling TLS support
    Sep 1 12:10:03 mail1 postfix/smtpd[12321]: warning: Invalid TLS protocol list "!SSLv2, !SSLv3, !TLSv1.0, !TLSv1.1": disabling TLS support

    I have copied the list from the other server and now TLS works. Thanks, Jesse.
    By the way: Will I have to update the old pre 01.08.2021-Server to Nightly in order to keep acme working or can I just leave all as it it?

    Yours sincerely
  6. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I don't see tls settings which resemble that for postfix, is that something you set yourself (and maybe copied the dovecot settings to postfix by mistake)?

    I believe it's fine to just leave it as is.
  7. I simply saw how SSL2 and SSL3 were disabled and extended the Syntax to TLSv1.0 and TLSv1.1. Postconf is not complaining and I can connect via SSL and STARTTLS to all Ports.
  8. How should it look like? At the Moment I am using:
    smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    and neither postconf nor postfix are complaining about it and tests via
    confirm that my settings work. Output:
    Service set: STARTTLS via SMTP
    Testing protocols via sockets
    SSLv2 not offered (OK)
    SSLv3 not offered (OK)
    TLS 1 not offered
    TLS 1.1 not offered
    TLS 1.2 offered (OK)
    TLS 1.3 offered (OK): final
    This looks like its working to me.

Share This Page