I have a minor problem with emails sent to my server. 2 people have announced to me that their emails do not come through. I don't have the errors they get. But they both come from big/bigger corporate companies. But I myself work at a university (which uses Microsoft services, and their Outlook Exchange servers), so I tried sending a mail from work to my server at home. And after a few days I get a sender report that it could not deliver the mail with this error: Remote Server returned '554 5.4.0 < #5.4.317 smtp;550 5.4.317 Message expired, cannot connect to remote server>' I know my server gets very good results in any test I throw at it and it has all the bells and whistles turned on. SPF, DKIM, DMARC and DANE all pass the tests when tested. But I did a test in: https://www.checktls.com/TestReceiver and get this result: But when checking the certificate for my mail server I can clearly see that it is not too old: So what do I need to do to secure that the right certificate is active?
Have you restarted the postfix service? Looks like it still uses the previous certificate. Expiry dates are 2 months apart in the 2 screenshots. That's exactly when LE renews. If the service restart helps then your next step will be investigating why the service hasn't restarted after renewal of the certificate. And especially monitor it around February 10th, when your certificate will be renewed again.
I have tried restarting the postfix service and rebooting the server. But unfortunately it didn't solve the issue.
What kind of email setup are you using? You posted in the forum for systems without ISPConfig, so it must be a different setup.
Oh no I'm sorry. It is an ISPC setup. Which I'm very happy with by the way. I'm an idiot I know. Can you move the thread to the ISPC forum? Or can I do something?
Where did you get the 2nd screen from? Looks like it's from a web browser. But there's no way you can show your mailserver's TLS certificate in your web browser. I guess it's from your webmail, but that doesn't necessarily have to be the same certificate as the mailserver uses for TLS.
You both got me thinking, and I think I know what has gone wrong. I have made a mistake in my pursuit of getting a working DANE certification. All because I don't know a good / the right way of doing it. In order to get a public key I made a new homepage in ISPC with the domain freja.bnjpro.dk, because that way I can get the public key as can be seen in the second screenshot above in my first post. But that is a mistake because my whole setup is the server freja.bnjpro.dk. This means that my setup already has the domain freja.bnjpro.dk because ISPC gets that for the server. And I guess when I make a site with that same domain this takes over at Let's Encrypt, and the ISPC renewal of the server (where dovecot and postfix are getting their certs from) is denied renewal. So I think the solution is to delete the site with the name of the server to get renewal for the server and thereby postfix etc. If I'm not mistaken it can be renewed by force updating ISPC. But by doing that I don't know how or where to get the public key needed to generate the TLSA data from that key. Am I right so far?
I think you're right in doing that. Are you using acme.sh? Then the key is found in /root/acme.sh/freja.bnjpro.dk Otherwise it's somewhere in /etc/letsencrypt Keep in mind that when setting up DANE and your key is also being renewed every 2 months (besides the certificate) you'll need to update DANE every time by hand. That's why my keys don't renew if I've set up DANE or I'm using 2 1 1 <LE keys> (10 of them) instead of 3 1 1 <my own key>. Updating DANE/TLSA should really become an automated function in ISPC for self-hosted DNS zones in my opinion. Especially since nowadays keys are renewed by default.
Yes I am using acme.sh. I'll look for the key there, thanks. I know about updating the DANE. But I have both a 2.1.1 and 3.1.1. In my understanding the 2.1.1 takes over when the 3.1.1 expires. But I still have to remember to update the 3.1.1 TLSA record. Isn't that how it works?
I see no use for both 2 1 1 and 3 1 1 at the same time. Yes it should work for expired 3 1 1 keys but will also work for otherwise wrongly configured 3 1 1 keys. So it makes 3 1 1 somewhat obsolete when also valid 2 1 1 keys exist.
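An added example (not from this thread, and not ISPConfig or acme.sh code) of what the 3 1 1 versus 2 1 1 discussion above comes down to: TLSA "certificate association data" is a digest of the certificate (selector 0) or of its SubjectPublicKeyInfo (selector 1), so a 3 1 1 record pins the server's own key and stops matching the moment the key is rotated at renewal, while a 2 1 1 record pins the issuer's key and keeps matching as long as the chain is still issued by that CA. The code walks the X.509 DER structure with the standard library only; the certificates it checks are constructed placeholders with fake key and signature bytes (names like "Fake R3" and "freja.example" are assumed, not real Let's Encrypt or bnjpro.dk material).

```python
"""Compute TLSA record data (RFC 6698) from DER certificates and check a served
chain against published records. Standard library only; test certificates are
constructed placeholders with fake key material, not real CA-issued certs."""
import hashlib


def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV, using the short or long length form as needed."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + payload


def der_read(buf: bytes, pos: int):
    """Decode the TLV header at buf[pos]; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nb = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + nb], "big"), 2 + nb
    start = pos + hdr
    return tag, start, start + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo (what selector 1 hashes) of a cert."""
    _, tbs_start, _ = der_read(cert_der, 0)            # Certificate ::= SEQUENCE
    tag, pos, _ = der_read(cert_der, tbs_start)        # TBSCertificate ::= SEQUENCE
    assert tag == 0x30, "not an X.509 certificate"
    if cert_der[pos] == 0xA0:                          # optional [0] EXPLICIT version
        pos = der_read(cert_der, pos)[2]
    for _ in range(5):                                 # serial, sigAlg, issuer, validity, subject
        pos = der_read(cert_der, pos)[2]
    _, _, end = der_read(cert_der, pos)                # subjectPublicKeyInfo
    return cert_der[pos:end]


def tlsa_data(cert_der: bytes, selector: int, matching_type: int) -> str:
    """Selector 0 = whole cert, 1 = SPKI; matching type 0 = raw, 1 = SHA-256, 2 = SHA-512."""
    blob = cert_der if selector == 0 else extract_spki(cert_der)
    if matching_type == 0:
        return blob.hex()
    digest = hashlib.sha256 if matching_type == 1 else hashlib.sha512
    return digest(blob).hexdigest()


def tlsa_record(cert_der: bytes, usage: int, selector: int, matching_type: int) -> str:
    """Render the RDATA as it would appear in a zone file, e.g. '3 1 1 <hex>'."""
    return f"{usage} {selector} {matching_type} {tlsa_data(cert_der, selector, matching_type)}"


def check_chain(chain: list, records: list) -> dict:
    """chain[0] is the end-entity cert, the rest are issuers. A usage 3 (DANE-EE)
    record must match the leaf; a usage 2 (DANE-TA) record must match one of the
    issuers. This is a digest check only: a full DANE-TA validation also builds
    and verifies the path up to that issuer."""
    result = {}
    for rec in records:
        usage, sel, mt, data = rec.split()
        candidates = chain[:1] if usage == "3" else chain[1:]
        result[rec] = any(tlsa_data(c, int(sel), int(mt)) == data.lower() for c in candidates)
    return result


# ---- constructed test certificates (placeholder keys and signatures) ----
RSA_OID = der(0x06, bytes.fromhex("2a864886f70d010101"))        # rsaEncryption
SHA256_RSA_OID = der(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption


def _name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF { OID commonName, UTF8String cn }."""
    return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))


def fake_cert(subject: str, issuer: str, modulus: int) -> bytes:
    """Structurally valid X.509 v3 DER whose key and signature bytes are fake."""
    m = modulus.to_bytes(64, "big")
    m = b"\x00" + m if m[0] & 0x80 else m              # INTEGER must stay positive
    pubkey = der(0x30, der(0x02, m) + der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, der(0x30, RSA_OID + der(0x05, b"")) + der(0x03, b"\x00" + pubkey))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + der(0x30, SHA256_RSA_OID + der(0x05, b"")) + _name(issuer)
              + der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
              + _name(subject) + spki)
    return der(0x30, tbs + der(0x30, SHA256_RSA_OID + der(0x05, b"")) + der(0x03, b"\x00" * 33))


def demo():
    """Publish 3 1 1 for the old leaf and 2 1 1 for the issuer, then rotate the leaf key."""
    intermediate = fake_cert("Fake R3", "Fake Root", 0x0B0B)
    old_leaf = fake_cert("freja.example", "Fake R3", 0x1111)
    new_leaf = fake_cert("freja.example", "Fake R3", 0x2222)   # renewed with a new key
    records = [tlsa_record(old_leaf, 3, 1, 1), tlsa_record(intermediate, 2, 1, 1)]
    before = check_chain([old_leaf, intermediate], records)
    after = check_chain([new_leaf, intermediate], records)
    return records, before, after


if __name__ == "__main__":
    for label, res in zip(("before renewal", "after key rotation"), demo()[1:]):
        print(label, res)
```

Running it shows both records matching before renewal, and after the key rotation only the 2 1 1 record still matches, which is the "3 1 1 goes stale, 2 1 1 carries on" behaviour described in the posts above. The same `tlsa_record` call on the real certificate file from the acme.sh directory gives the RDATA to publish; re-run it after every renewal if the key is also rotated.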
Ok. I just think I have seen that explanation somewhere. The ideal solution would be a script that, whenever the certificate was updated, would automatically update the DANE as well. But for my use it wouldn't work anyway, because I don't host DNS myself. By the way I just did as proposed: I have deleted the wrong site, updated the certificate for the server, and generated a new DANE with success. And I have just tested it with my work mail, and it works both ways. I'm happy. Thank you very much.
I've put in a feature request https://forum.howtoforge.com/threads/automated-dane-tlsa-updates.93661/
A website can be created but you need to symlink the existing server certificate and key in its ssl folder before you activate ssl for the website in ISPC. That way the server certificate still gets renewed and the website just tags along.
Yes of course that can be done. In my case I don't need that domain, it was just my way of a workaround. But your suggestion is the right way of doing it. Thank you for making a feature request.
The known problem with creating a website using the server FQDN for acme.sh could have already been resolved if one added a script to the renewal config for that site, copying the same certs to the ISPConfig ssl folder once renewal is made. (Maybe read this to understand the idea: https://github.com/acmesh-official/acme.sh/issues/1901) This is also very easy to add in ISPConfig acme.sh code, i.e. to detect if the website is using the server FQDN, and if so add a renewal hook script to copy the same certs to the ISPConfig web ssl folder. I could write it, but I guess it is very easy for anybody, especially the developers, to do it, but I do not know why nobody has come to this solution. Note that I do not mention certbot, because it does not create the same problem while having a website for the server FQDN, at least not when I tested it a long time ago.
Here is a guide that describes how to use the same cert for ISPConfig and a website with acme.sh: https://www.howtoforge.com/securing...server-with-a-valid-lets-encrypt-certificate/ A solution for this has been available and been published for years, see link above, so there is no need to reinvent the wheel and write another script.
From what he said, his ISPConfig server hostname freja.bnjpro.dk is basically the main ISPConfig server on port 8080, so when he created the website for it, it did not renew his certs in the ISPConfig SSL folder, since the certs therefrom will only be installed (copied) to the website ssl folder upon renewal, and not the ISPConfig SSL folder. The server also is a mail server and that does not make the said tutorial work in his favour, not as it is, but maybe a small part of it, if one understood it well enough. I am not reinventing the wheel, not writing another script here either, but what I am trying to say is that this matter can be automatically tackled by modifying ISPConfig code in creating the certs for the website using acme.sh, so that it will cater for this issue of using the server hostname as the website, which the developers or anybody can do, I mean why not? Is it more preferable for users to do it all manually when it can be embedded into ISPConfig, so each time people create a website using their ISPConfig server hostname, it will work automatically? Or is it the question of maintenance that has been raised by the developers in the git? I don't know. Or maybe we are talking about two different things here? I also don't know.
That's exactly what is solved by this tutorial. There is no need for any modifications in ISPConfig or for new scripts; follow the above guide, and you will see that it solves the issue. Of course, we could add some code in the installer and website creation that automatically does the steps from the tutorial in such a case. But it's not needed as it's simply something you do once after installing ISPConfig if you want to have a website for the server name.