Ubuntu 18.04 STARTTLS with TLSv1.3 getting me mad!

Discussion in 'Installation/Configuration' started by Yo_Hansolo, Feb 22, 2019.

  1. Yo_Hansolo

    Yo_Hansolo New Member

    Hi There,
    Just don't understand what's not going on with my install. Sorry for my english as i'm a real cliché of French people with learning english language... (o_O)
    So, I have 2 servers who work independently.
    Both are on 18.04 Ubuntu ISPConfig3 with Apache2, MariaDb & php7.2, Dovecot, Postfix based on the best tutotrial i ever seen in my life ;)

    First one drive on the standard repo packages & ISPConfig 3.1.13. Dovecot & Postfix work perfectly on STARTTLS TLS1.2 on imap ports143 or smtp(s) 25/587. Thunderbird or Outlook Office 365 accept STARTTLS without complaints.

    Second one is same as first but drive since yesterday, 21th february 2019, the last versions of Apache2.4.38 and Openssl 1.1.1a to give TLS1.3 a reality everywhere. ISPconfig is 3.1dev (don't ask ; don't know why !). Before yesterday it was on TLS1.2 with last repo versions ; identicaly i said.
    >> When it was with TLS1.2, Thunderbird or Outlook accepted mails account without complaints.
    >> Now, i'm getting real mad to know why Thunderbird and Outlook can not connect. And there is no Warns in log, just the two software logout after expiration delay. SSL/TLS on ports 993,465 works great but not STARTTLS.

    I've try "openssl s_client -starttls smtp -crlf -connect mail.mydomain.tld:587"
    EHLO or LOGIN work on command line after this
    depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    verify error:num=20:unable to get local issuer certificate
    Certificate chain
     0 s:CN = ouvr.es
       i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
     1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
       i:O = Digital Signature Trust Co., CN = DST Root CA X3
    [blabla certificat]
    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Server public key is 4096 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 20 (unable to get local issuer certificate)
    250 SMTPUTF8
    Post-Handshake New Session Ticket arrived:
        Protocol  : TLSv1.3
        Cipher    : TLS_AES_256_GCM_SHA384
        Session-ID: 88045AD85B73079D6BE920B0BCEF3C1F220C90AE3F59F6D00496CB8C3240E667
        Resumption PSK: B5335A29FE60BA88017FEE9558B6E3A85981DA340B0EE0F92490EAEFD2237994B455CBCE7FE246BEADD38DEBD048D1D6
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 7200 (seconds)
        TLS session ticket:
    [blabla and, at last]
    read R BLOCK
    TLS1.3 over HTTPS 443 on Opera or Firefox works great too...

    Why world so cruel ? I assume i'm not seeing the fault.
  2. Yo_Hansolo

    Yo_Hansolo New Member

    I forget! Sorry...
    I realize those STARTTLS lines in mail.log are IPv6 ; my mind tells me that this may be the problem.


Share This Page