Hi, I have been asked by some of my users if we could get TLS on our mail server. Tried following this https://wiki.debian.org/Postfix#Postfix_and_TLS.2FSSL and gone through the steps in the "ISPConfig 3.1 Manual". When I test the mailserver on MXToolbox I get the following: SMTP TLS Warning - Does not support TLS. I have found others earlier having the same problem and tried those solutions without getting closer to a solution.

System: Debian Multiserver Mailserver running Debian Wheezy and ISPConfig vers 3.1.15p2

SMTP TLS Warning - Does not support TLS.

My master.cf file looks like this:

Code:
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
amavis    unix  -       -       -       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o smtp_bind_address=
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
127.0.0.1:10027 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtp_send_xforward_command=yes
  -o milter_default_action=accept
  -o milter_macro_daemon_name=ORIGINATING
  -o disable_dns_lookups=yes

Hope someone can help with a clue to what I have missed.

Best Regards
Jakob
The server with the above postfix config already has smtps and TLS on the submission port. So either you connected the test software to a different server or you closed the smtps and submission ports, e.g. in a firewall. Please run the test script and post the result: https://www.howtoforge.com/community/threads/please-read-before-posting.58408/
Hi Till, Thanks for the quick reply. I have checked and cross checked that it is the correct server I am connecting to. This is from MXToolBox:

Code:
Test Result
SMTP TLS Warning - Does not support TLS. More Info
SMTP Reverse DNS Mismatch OK - XX.XX.XX.XX resolves to mail.XXXXXX.XX
SMTP Valid Hostname OK - Reverse DNS is a valid Hostname
SMTP Banner Check OK - Reverse DNS matches SMTP Banner
SMTP Connection Time 0.844 seconds - Good on Connection time
SMTP Open Relay OK - Not an open relay.
SMTP Transaction Time 3.094 seconds - Good on Transaction Time

I have the following ports open for the mail server in my firewall: 25,110,143,465,587,993,995

From the htf_report.txt

Code:
##### SERVER #####
IP-address (as per hostname): ***.***.***.***
IP-address(es) (as per ifconfig): ***.***.***.***
[INFO] OS version is "Debian GNU/Linux 7 (wheezy)"
[INFO] ISPConfig is installed.

##### ISPCONFIG #####
ISPConfig version is 3.1.15p2

##### VERSION CHECK #####
[INFO] php (cli) version is 5.4.45-0+deb7u14

##### PORT CHECK #####
[WARN] Port 8080 (ISPConfig) seems NOT to be listening
[WARN] Port 8081 (ISPConfig Apps) seems NOT to be listening
[WARN] Port 443 (Webserver SSL) seems NOT to be listening
[WARN] Port 21 (FTP server) seems NOT to be listening

##### MAIL SERVER CHECK #####

##### RUNNING SERVER PROCESSES #####
[INFO] I found the following web server(s): Apache 2 (PID 1855)
[INFO] I found the following mail server(s): Postfix (PID 27740)
[INFO] I found the following pop3 server(s): Dovecot (PID 27470)
[INFO] I found the following imap server(s): Dovecot (PID 27470)
[WARN] I could not determine which ftp server is running.

##### LISTENING PORTS #####
(only () Local (Address)
[anywhere]:993 (27470/dovecot)
[anywhere]:995 (27470/dovecot)
[localhost]:10024 (26364/amavisd-new)
[localhost]:10025 (27740/master)
[localhost]:10026 (26364/amavisd-new)
[anywhere]:3306 (25869/mysqld)
[localhost]:10027 (27740/master)
[anywhere]:587 (27740/master)
[anywhere]:110 (27470/dovecot)
[anywhere]:143 (27470/dovecot)
[anywhere]:111 (1564/rpcbind)
[anywhere]:465 (27740/master)
[anywhere]:22 (3273/sshd)
[anywhere]:25 (27740/master)
*:*:*:*::*:993 (27470/dovecot)
*:*:*:*::*:995 (27470/dovecot)
*:*:*:*::*:587 (27740/master)
[localhost]10 (27470/dovecot)
[localhost]43 (27470/dovecot)
[localhost]11 (1564/rpcbind)
*:*:*:*::*:80 (1855/apache2)
*:*:*:*::*:465 (27740/master)
*:*:*:*::*:22 (3273/sshd)
*:*:*:*::*:25 (27740/master)

##### IPTABLES #####
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-dovecot-pop3imap  tcp  --  [anywhere]/0  [anywhere]/0  multiport dports 110,995,143,993
fail2ban-ssh  tcp  --  [anywhere]/0  [anywhere]/0  multiport dports 22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-dovecot-pop3imap (1 references)
target     prot opt source               destination
RETURN     all  --  [anywhere]/0         [anywhere]/0

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  [anywhere]/0         [anywhere]/0

Best Regards
Jakob
The server supports secure smtp. Try using an SMTP client like Thunderbird, Outlook, apple mail instead of a test script, for secure connections, use port 587 together with STARTTLS as security mode. Port 465 can be used as well, but normally one uses port 587 for SMTP(S) connections from client to the server now.
When I test my e-mail server on mxtoolbox.com, it says it supports TLS. Try some other web tool, find them using Internet search engines with

Code:
ssl testing mail server
Thanks - will try that. As I started with - I have been asked by some of my users to get TLS because emails could not be delivered since our server was not "secure". I am sending emails using RoundCube and I can see when emails are received in e.g. GMail that they are not secure - but I assume that this is because my webmail server with RoundCube needs to be modified to use TLS.
I guess the question is if your clients configured their mail clients to use TLS. Your server supports it, but if your clients disable TLS on the client side, then the connection is not encrypted no matter if the server supports it or not. Same with Gmail: if you tell Gmail to use SMTP without TLS, then it's not secure; if you tell Gmail to use SMTP with TLS, then it's secure. Or the issue might be something completely different, maybe you use a self-signed SSL cert and your clients mix up an SSL warning with an unencrypted connection. If you use a self-signed SSL cert for the mail system, replace it with a Let's Encrypt one and ensure that your clients use the mail server hostname to connect and not subdomains of their own domain names that are not part of the SSL cert.
The postfix and openssl version (like everything else) in wheezy is extremely outdated. Your versions do not support modern protocols, as needed for secure mail transport. The standard postfix settings for this ancient version are bad. You can try disabling the insecure protocols in main.cf

Code:
smtp_tls_mandatory_protocols = !TLSv1, !SSLv2, !SSLv3
smtp_tls_protocols = !TLSv1, !SSLv2, !SSLv3

but I doubt that any supported protocols are left. This version for sure cannot do TLS1.3 and I am not sure if they can do TLS1.2. TLS1.1 needs OpenSSL 1.0.1 or newer and at least Postfix 2.3. Look what versions you have. Better: UPDATE YOUR SYSTEM! Even the long term support of wheezy has been gone for a year.

EDIT: Even if it is some work, you will get a lot of benefits:
- You will get security updates
- Support for all the security features developed in the last 3 years (there are a lot and wheezy did not get any feature updates since 2016). An example for that is TLS1.2 and TLS1.3
- Apache 2.4 has new features and is faster (support for http2, which greatly improves SSL speed)
- PHP7 is much (much!) faster than php5.4. mpm_event and php_fpm will feel like you got a brand new server
What's more, there are known security vulnerabilities in your debian packages which will never be fixed. Eg. this one (which allows remote code execution!) isn't even fixed in jessie, let alone wheezy: https://security-tracker.debian.org/tracker/CVE-2019-11500
@Steini86 and @Jesse Norell - I know that now we are moving away from the initial question, but I am well aware that I need to update the mail server. I have tried using: https://www.howtoforge.com/tutorial/how-to-upgrade-debian-wheezy-to-jessie-stable-release/ but this resulted in Apache failing and I had to roll back (one of the positive things of running servers as VMs).
Fair enough. What does 'postconf smtpd_tls_cert_file smtpd_tls_key_file' return, and do those files exist? What do you get if you check TLS from the local machine, e.g. run 'openssl s_client -connect localhost:25 -starttls smtp'? You say you have a firewall allowing specific ports, yet iptables shows all ports open, so I presume you must have an external firewall - does it handle the SMTP connection and inspect SMTP traffic? (I.e. is it your firewall which needs TLS support?)
But just a little bit, because my guess is that your combination of openssl and postfix versions is just not able to establish a secure connection with modern clients, because these ancient versions do not support it. No configuration can change this. My advice would be to install a new VM with buster and migrate your ispconfig installation. You would need to go wheezy->jessie->stretch->buster, which will lead to lots of problems.

Edit: Which versions of openssl and postfix do you have installed? TLS1.2 needs openssl > 1.0.1. Everything else there is to know on Postfix and TLS is listed here: http://www.postfix.org/TLS_README.html

Edit2: Just looked it up (or not): The wheezy packages are not online (too old), but even the Jessie package of postfix is linked against libssl1.0.0 -> https://packages.debian.org/jessie/postfix For sure you can backport openssl and build your own postfix with >tls1.2 support ...
As a point of reference, I found an old wheezy mail server (not ISPConfig, but ...) with postfix and openssl from wheezy-backports:

Code:
ii  openssl  1.0.1t-1+deb7u4   i386  Secure Socket Layer (SSL) binary and related cryptographic tools
ii  postfix  2.11.2-1~bpo70+1  i386  High-performance mail transport agent

I checked it in mxtoolbox's "Test Email Server" and it came up with:

Test Result
SMTP Reverse DNS Mismatch OK - x.x.x.x resolves to old.servers.r-us
SMTP Valid Hostname OK - Reverse DNS is a valid Hostname
SMTP Banner Check OK - Reverse DNS matches SMTP Banner
SMTP TLS OK - Supports TLS.
SMTP Connection Time 0.812 seconds - Good on Connection time
SMTP Open Relay OK - Not an open relay.
SMTP Transaction Time 2.781 seconds - Good on Transaction Time
I have now tried a few things and I am still a bit lost. I have upgraded the server to Jessie - I know that I have to either upgrade further or re-install - but that is not an option for me right now.

Now I have:
Postfix mail_version = 2.11.3
Dovecot 2.2.13
OpenSSL 1.0.1t 3 May 2016

In Outlook: When I set up the mail connection to use TLS/SSL all goes fine. If I try to use STARTTLS it fails. When I send an email with the TLS/SSL setting I can see in my GMail that it states that my domain has not encrypted the email. If I use my email account from Unoeuro I can see in Gmail that emails have been encrypted using TLS.

Postfix: I have tried setting in main.cf:
smtpd_tls_security_level = may to smtpd_tls_security_level = encrypt
smtp_tls_security_level = may to smtp_tls_security_level = encrypt

When I send an email from my gmail or another external mail client with the above settings I get a reply:

<[email protected]>: host mail.mydomain.yy[XX.XX.XX.XX] said: 530 5.7.0 Must issue a STARTTLS command first (in reply to MAIL FROM command)

Changed the settings back to "may" and then tried from one of my other VMs (sandbox) doing the below:

Code:
openssl s_client -connect mail.mydomain.yy:25

I got this reply:

Code:
CONNECTED(00000003)
139881080700992:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1574021980
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

I have then done the same for 110, 465, 587, 993 and 995. The only big difference was with 465, 993 and 995 - they included the server certificate in the reply and also this:

Code:
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 2FA9FB6069A7BEAF1ADD365CABBA92155857E26F55EF87B5AFE7E9A71B7F1C6B
    Session-ID-ctx:
    Master-Key: 6831D31599A5136648761C8010093596BA92EA5F689C466C06181250CD6310ECB9E8F5E3C57FBDD0384972E3F0A2C272
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 90 08 d4 ff ee c9 e1 53-0e a0 0d 57 41 68 c1 a5   .......S...WAh..
    0010 - 6c a6 8c 93 cc ed a3 96-4f 59 67 04 f7 89 80 53   l.......OYg....S
    0020 - 8f 33 86 08 2a a0 f1 db-fa f6 50 7b eb 31 12 c4   .3..*.....P{.1..
    0030 - b9 a4 a3 35 a3 6d 4f cf-bc 9f 85 4d 57 b8 44 78   ...5.mO....MW.Dx
    0040 - 75 98 75 f6 a4 94 a0 f8-7e f8 1f 26 d2 a1 67 8d   u.u.....~..&..g.
    0050 - 66 b8 c3 ab 70 a3 58 74-76 23 2a 92 f7 2c ff 7c   f...p.Xtv#*..,.|
    0060 - 25 a6 6e 45 63 b4 63 04-35 fc b3 e9 30 f5 4a 7d   %.nEc.c.5...0.J}
    0070 - 09 86 6f c5 69 96 3d 44-dd 8c cd 5a 89 53 76 de   ..o.i.=D...Z.Sv.
    0080 - 31 1d 48 e0 c5 b2 ef b1-e9 15 e3 dc 88 eb 10 d2   1.H.............
    0090 - c7 0d b6 57 2a ed da 1e-2f d7 45 5d ad f5 fa 35   ...W*.../.E]...5

    Start Time: 1574022063
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no

Firewall: Just to be sure about the ports - I tried from https://www.yougetsignal.com/tools/open-ports/ and can see, when I at the same time on the mail server have the following running:

Code:
tail -f /var/log/syslog

I got this reply for ports 25, 110, 465, 587, 993 and 995

Code:
Nov 17 21:03:03 mail postfix/smtpd[31067]: connect from unknown[198.199.98.246]
Nov 17 21:03:03 mail postfix/smtpd[31067]: lost connection after CONNECT from unknown[198.199.98.246]
Nov 17 21:03:03 mail postfix/smtpd[31067]: disconnect from unknown[198.199.98.246]
Nov 17 21:03:07 mail dovecot: pop3-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=198.199.98.246, lip=192.168.100.58, session=<R1BhKJGXVwDGx2L2>
Nov 17 21:03:13 mail postfix/smtps/smtpd[31072]: connect from unknown[198.199.98.246]
Nov 17 21:03:13 mail postfix/smtps/smtpd[31072]: SSL_accept error from unknown[198.199.98.246]: lost connection
Nov 17 21:03:13 mail postfix/smtps/smtpd[31072]: lost connection after CONNECT from unknown[198.199.98.246]
Nov 17 21:03:13 mail postfix/smtps/smtpd[31072]: disconnect from unknown[198.199.98.246]
Nov 17 21:03:27 mail postfix/submission/smtpd[31073]: connect from unknown[198.199.98.246]
Nov 17 21:03:27 mail postfix/submission/smtpd[31073]: lost connection after CONNECT from unknown[198.199.98.246]
Nov 17 21:03:27 mail postfix/submission/smtpd[31073]: disconnect from unknown[198.199.98.246]
Nov 17 21:03:32 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.199.98.246, lip=192.168.100.58, TLS handshaking: Disconnected, session=<febkKZGXlADGx2L2>
Nov 17 21:03:36 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.199.98.246, lip=192.168.100.58, TLS handshaking: Disconnected, session=<yd4kKpGXNwDGx2L2>

Hope that this can give an idea and maybe guide me on what I have missed or done wrong.
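Jesse's 'openssl s_client -connect localhost:25 -starttls smtp' and MXToolbox's "Supports TLS" test both perform the RFC 3207 client exchange, and the "wrong version number" output above is what you get when that -starttls step is skipped: the client tries to read the plain-text "220 ..." banner as a TLS record. The Python script below is an added example for this thread, not code from the original posts, Postfix or ISPConfig. It does the same exchange by hand so each step is visible: it parses the multi-line EHLO reply, checks whether STARTTLS is advertised, upgrades the socket and reports the negotiated protocol and cipher. The host names mail.example.test and probe.invalid and the sample replies are constructed; the 530 text matches the bounce quoted above.

```python
"""Client-side STARTTLS probe for an SMTP service (RFC 3207).

Added example for this thread, not code from the original posts, Postfix or
ISPConfig. It does what MXToolbox's "Supports TLS" test and
`openssl s_client -connect host:25 -starttls smtp` do: speak plain SMTP first,
look for STARTTLS in the EHLO reply, then upgrade the socket and report what
was negotiated. Host names and the sample replies below are constructed.
"""
import re
import socket
import ssl
import sys

CRLF = b"\r\n"
# RFC 5321 reply line: 3-digit code, then "-" (more lines follow) or " " (last line).
_REPLY_RE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")

# Constructed sample replies in the shape a Postfix smtpd produces, not captures.
SAMPLE_EHLO_TLS = (b"250-mail.example.test\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
                   b"250-STARTTLS\r\n250-AUTH PLAIN LOGIN\r\n250 DSN\r\n")
SAMPLE_EHLO_PLAIN = b"250-mail.example.test\r\n250-PIPELINING\r\n250 8BITMIME\r\n"
# What a server with smtpd_tls_security_level=encrypt answers to a plaintext MAIL FROM.
SAMPLE_MUST_STARTTLS = b"530 5.7.0 Must issue a STARTTLS command first\r\n"


def parse_reply(data):
    """Parse the SMTP reply bytes accumulated so far.

    Returns (code, texts) once the final "xyz<SP>text" line has arrived and
    (None, texts_so_far) while a multi-line reply is still incomplete. Raises
    ValueError if a complete line is not an SMTP reply line (peer is not
    speaking SMTP) or the code changes between lines.
    """
    code, texts = None, []
    for raw in data.split(CRLF)[:-1]:           # [:-1] drops the unterminated tail
        m = _REPLY_RE.match(raw.decode("ascii", "replace"))
        if not m:
            raise ValueError("not an SMTP reply line: %r" % raw)
        this_code = int(m.group(1))
        if code is None:
            code = this_code
        elif this_code != code:
            raise ValueError("reply code changed mid-reply: %r" % raw)
        texts.append(m.group(3) or "")
        if (m.group(2) or " ") == " ":          # last line of this reply
            return code, texts
    return None, texts


def ehlo_keywords(texts):
    """Map EHLO extension keywords to their parameters; texts[0] is the greeting."""
    out = {}
    for line in texts[1:]:
        parts = line.split(None, 1)
        if parts:
            out[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return out


def advertises_starttls(ehlo_reply):
    """True if a complete 250 EHLO reply lists the STARTTLS extension."""
    code, texts = parse_reply(ehlo_reply)
    return code == 250 and "STARTTLS" in ehlo_keywords(texts)


def read_reply(sock):
    """Read from the socket until one whole SMTP reply has arrived."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection mid-reply")
        buf += chunk
        code, texts = parse_reply(buf)
        if code is not None:
            return code, texts


def probe_starttls(host, port=25, helo_name="probe.invalid", timeout=10.0):
    """Run the RFC 3207 client exchange against a live server (needs network).

    Ports 25/587 only: 465 is implicit TLS and must be wrapped before any SMTP
    bytes. The certificate is deliberately not verified, so a broken chain is
    reported (see the returned protocol/cipher) rather than being fatal.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ehlo = b"EHLO " + helo_name.encode("ascii") + CRLF
    with socket.create_connection((host, port), timeout=timeout) as sock:
        code, _ = read_reply(sock)
        if code != 220:
            return {"starttls": False, "reason": "greeting was %d, not 220" % code}
        sock.sendall(ehlo)
        code, texts = read_reply(sock)
        if code != 250 or "STARTTLS" not in ehlo_keywords(texts):
            return {"starttls": False, "reason": "STARTTLS not advertised",
                    "extensions": sorted(ehlo_keywords(texts))}
        sock.sendall(b"STARTTLS" + CRLF)
        code, texts = read_reply(sock)
        if code != 220:
            return {"starttls": False, "reason": "STARTTLS refused: %d %s" % (code, texts[0])}
        tls = ctx.wrap_socket(sock, server_hostname=host)
        tls.sendall(ehlo)                       # RFC 3207: EHLO again after TLS
        _, texts = read_reply(tls)
        tls.sendall(b"QUIT" + CRLF)
        result = {"starttls": True, "protocol": tls.version(), "cipher": tls.cipher()[0],
                  "extensions_after_tls": sorted(ehlo_keywords(texts))}
        tls.close()
        return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(probe_starttls(target, int(sys.argv[2]) if len(sys.argv) > 2 else 25))
```

Run it as 'python3 probe.py mail.mydomain.yy 25' and again with 587. A server that advertises STARTTLS but cannot complete the upgrade (key/cert mismatch, no protocol or cipher in common with the client) surfaces as an ssl.SSLError from wrap_socket, and that is the case to line up against the matching "SSL_accept error" line in the Postfix log on the server side.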
On my e-mail servers setup with ISPConfig, SSL/TLS works after following the Perfect Server Guide and the Securing ISPConfig Tutorial by Ahrasis. I have not done anything special after that.
Taleman - I have gone through those 2 guides as well and must admit I cannot figure out why STARTTLS is the only part not working.
Well, your "openssl s_client -connect" command has shown that TLS1.2 is working (?) with ports 465, 993 and 995. However, there is something wrong with your certificate: Make sure you followed the guide on creating your certificate files. "grep smtpd_tls main.cf" should show you where the files are and should be something similar to:

Code:
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_ask_ccert = yes
smtp_tls_key_file = $smtpd_tls_key_file
smtp_tls_cert_file = $smtpd_tls_cert_file
smtp_tls_CAfile = $smtpd_tls_CAfile

Check that smtpd_tls_cert_file contains the full chain. And the files (in my case), depends on the guide you used:

Code:
ll smtpd*
lrwxrwxrwx 1 root root 48 Okt 30  2017 smtpd.cert -> /etc/letsencrypt/live/mail.domain/fullchain.pem
lrwxrwxrwx 1 root root 46 Okt 30  2017 smtpd.key -> /etc/letsencrypt/live/mail.domain/privkey.pem

Does not look too good, some incompatibilities with OpenSSL versions ..
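The fragment below is an added example for this thread, not a file from the original posts, ISPConfig or the Postfix defaults. It puts the settings discussed above side by side with the change that produced the 530 bounce: port 25 stays opportunistic, TLS is required only on submission, SSLv2/SSLv3 are disabled, and the certificate file is the full chain Steini86 asks for. The file paths are the ones quoted in this thread; everything else (the protocol lists, the log levels) is an assumption to adjust for your own clients.

```conf
# main.cf (Postfix 2.11 / OpenSSL 1.0.1t, as in this thread). Keep comments on
# their own lines: Postfix treats a "#" after a value as part of the value.

# Inbound smtpd on port 25: offer STARTTLS, never require it. RFC 3207 says a
# publicly referenced MX must not insist on STARTTLS; "encrypt" here is what
# made every sender that did not negotiate TLS get
# "530 5.7.0 Must issue a STARTTLS command first" at MAIL FROM.
smtpd_tls_security_level = may
# smtpd.cert has to hold the full chain (leaf plus intermediates); a leaf-only
# file is what remote clients report as "unable to verify the first certificate".
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# Opportunistic sessions keep TLSv1 so that old senders can still encrypt at
# all; the mandatory list applies where encryption is required (submission).
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
# Log one line per session ("Anonymous TLS connection established from ...")
# and record protocol and cipher in the Received: header of each message.
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes

# Outbound smtp client: this hop, from your server to Gmail's MX, is what
# Gmail's "encrypted / not encrypted" indicator reflects for mail you send.
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1

# master.cf: require TLS only on the submission service (587), where every
# client authenticates, by overriding the main.cf value for that service.
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

After 'postfix reload', 'postconf -n | grep tls' shows the values actually in effect, and 'openssl s_client -connect localhost:25 -starttls smtp' should print the certificate chain on port 25 the same way it did on 465.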