ispconfig3.1.7p1 - certificate verification failed for mail.hwg-media.de[ipadd]:25:

Discussion in 'ISPConfig 3 Priority Support' started by nmazza, Oct 20, 2017.

  1. nmazza

    nmazza Member HowtoForge Supporter

    Dear Support, hello again
    I have a client.
    When sending an email from [email protected] to [email protected],
    my Postfix log says:
    Oct 20 13:18:09 mail postfix/smtp[10977]: certificate verification failed for mail.hwg-media.de[87.138.236.33]:25: untrusted issuer /C=de/L=Neuwied/O=H.W.G Marteking & Werbung/CN=H.W.G Marteking & Werbung WebAdmin CA/emailAddress=[email protected]
    Oct 20 13:18:11 mail postfix/smtp[10977]: 467574196: to=<[email protected]>, relay=mail.hwg-media.de[87.138.236.33]:25, delay=3.4, delays=0.1/0/1.7/1.6, dsn=5.0.0, status=bounced (host mail.hwg-media.de[87.138.236.33] said: 550 Administrative prohibition (in reply to end of DATA command))
    Here the mail is undelivered and says
    host mail.hwg-media.de[87.138.236.33] said: 550
    Administrative prohibition (in reply to end of DATA command)

    And in another case, the mail is sent:
    Oct 20 15:22:56 mail postfix/smtp[32348]: certificate verification failed for mail.hwg-media.de[87.138.236.33]:25: untrusted issuer /C=de/L=Neuwied/O=H.W.G Marteking & Werbung/CN=H.W.G Marteking & Werbung WebAdmin CA/emailAddress=[email protected]
    Oct 20 15:22:58 mail postfix/smtp[32348]: 593B6412A: to=<[email protected]>, relay=mail.hwg-media.de[87.138.236.33]:25, delay=3.7, delays=0.06/0/2.4/1.2, dsn=2.0.0, status=sent (250 OK id=1e5Z8T-0005b8-0j)
    Note: In some cases the mail is undelivered and in others it is sent.
    I'll appreciate your cooperation.
    Nestor Mazza
     
    Last edited: Oct 20, 2017
  2. till

    till Super Moderator Staff Member ISPConfig Developer

  3. nmazza

    nmazza Member HowtoForge Supporter

    Thanks,
    Nestor Mazza
     
  4. nmazza

    nmazza Member HowtoForge Supporter

    Hello, again
    I had read https://www.howtoforge.com/communit...l-port-8080-with-lets-encrypt-free-ssl.75554/
    I have some different situations; one of them is Postfix, which at first is most important.
    I used one of my testing servers, sofiha-isp.com.ar (my distro is CentOS 6.9 using ISPConfig 3.1.7p1, updated from ISPConfig 3.0.5 sp8).
    At first, I did
    [Changing ISPConfig 3 Control Panel (Port 8080)], but it is not working:
    www.sofiha-isp.com.ar:8080 uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is not valid for the name www.sofiha-isp.com.ar. error Code: SEC_ERROR_UNKNOWN_ISSUER
    At the end, I did
    [Using The Same Let's Encrypt SSL Certs For Other Major Services]
    a. For postfix:
    (my version in this server is 2.6.6)
    b. For dovecot:

    Here is my maillog, after sending an email from [email protected] to my personal email [email protected]:
    Oct 24 00:45:02 mail postfix/smtpd[8884]: warning: TLS library problem: 8884:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
    Oct 24 00:45:02 mail postfix/smtpd[8884]: warning: TLS library problem: 8884:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:ssl_rsa.c:722:

    Oct 24 00:45:02 mail postfix/smtpd[8884]: connect from localhost[::1]
    Oct 24 00:45:02 mail postfix/smtpd[8884]: lost connection after CONNECT from localhost[::1]
    Oct 24 00:45:02 mail postfix/smtpd[8884]: disconnect from localhost[::1]
    Oct 24 00:45:29 mail postfix/smtpd[8884]: warning: 181.166.135.164: hostname 164-135-166-181.fibertel.com.ar verification failed: Name or service not known
    Oct 24 00:45:29 mail postfix/smtpd[8884]: connect from unknown[181.166.135.164]
    Oct 24 00:45:30 mail postfix/smtpd[8884]: NOQUEUE: filter: RCPT from unknown[181.166.135.164]: <[email protected]>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[192.168.1.8]>
    Oct 24 00:45:30 mail postfix/smtpd[8884]: E83F242CE: client=unknown[181.166.135.164], sasl_method=PLAIN, sasl_username=[email protected]
    Oct 24 00:45:31 mail postfix/smtpd[8884]: E83F242CE: filter: RCPT from unknown[181.166.135.164]: <[email protected]>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[192.168.1.8]>

    Oct 24 00:45:31 mail postfix/cleanup[8902]: E83F242CE: message-id=<[email protected][192.168.1.8]>
    Oct 24 00:45:31 mail opendkim[842]: E83F242CE: DKIM-Signature field added (s=default, d=mail.sofiha-isp.com.ar)
    Oct 24 00:45:31 mail opendmarc[880]: implicit authentication service: mail.sofiha-isp.com.ar
    Oct 24 00:45:32 mail opendmarc[880]: E83F242CE: SPF(mailfrom): [email protected] fail
    (my SPF record for this server is a TXT record with value v=spf1 ip4:45.79.78.77 -all)
    Oct 24 00:45:32 mail opendmarc[880]: E83F242CE: sofiha-isp.com.ar none

    Oct 24 00:45:32 mail postfix/qmgr[1014]: E83F242CE: from=<[email protected]>, size=928, nrcpt=2 (queue active)
    Oct 24 00:45:32 mail postfix/smtp[8904]: connect to 127.0.0.1[127.0.0.1]:10026: Connection refused
    Oct 24 00:45:32 mail postfix/smtp[8904]: E83F242CE: to=<[email protected]>, relay=none, delay=1.6, delays=1.6/0.02/0/0, dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]:10026: Connection refused)
    Oct 24 00:45:32 mail postfix/smtp[8904]: E83F242CE: to=<[email protected]>, relay=none, delay=1.6, delays=1.6/0.02/0/0, dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]:10026: Connection refused)
    Oct 24 00:45:32 mail postfix/smtpd[8884]: disconnect from unknown[181.166.135.164]

    Please, please,
    I need to solve this because my primary server needs to send emails to @ferconsult.de, which is not working until I solve "the certificate is not trusted because it is self-signed".
    NOTE: If you wish, I will send my 'postconf -n' and my /etc/dovecot/dovecot.conf.
    I'll appreciate your cooperation.
    Thanks
    Nestor Mazza
     
    Last edited: Oct 24, 2017
  5. nmazza

    nmazza Member HowtoForge Supporter

    Thanks,
    Nestor Mazza
    I have solved it by doing the following:
    [Using The Same Let's Encrypt SSL Certs For Other Major Services]
    /etc/postfix/main.cf

    ###smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    ###smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_tls_cert_file = /etc/letsencrypt/live/sofiha-isp.com.ar/fullchain.pem
    smtpd_tls_key_file = /etc/letsencrypt/live/sofiha-isp.com.ar/privkey.pem

    /etc/dovecot/dovecot.conf
    ###ssl_cert = </etc/postfix/smtpd.cert
    ###ssl_key = </etc/postfix/smtpd.key
    # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
    ###ssl = required
    ssl_cert = </etc/letsencrypt/live/sofiha-isp.com.ar/fullchain.pem
    ssl_key = </etc/letsencrypt/live/sofiha-isp.com.ar/privkey.pem
    ssl_protocols = !SSLv2 !SSLv3

    /etc/amavisd/amavisd.conf

    ###$inet_socket_port = 10024; # listen on this local TCP port(s)
    $inet_socket_port = [10024,10026]; # listen on multiple TCP ports

    service amavisd restart
    service postfix restart
    service dovecot restart


    [Changing ISPConfig 3 Control Panel (Port 8080)]
    /etc/httpd/conf/sites-enabled/000-ispconfig.vhost

    ###SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
    ###SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
    SSLCertificateFile /etc/letsencrypt/live/sofiha-isp.com.ar/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/sofiha-isp.com.ar/privkey.pem
    service httpd restart

    but I don't know if I'm on the right way?
    Please let me know your opinion,
    Thanks
    Nestor Mazza
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    In the way you did it, the setup will break on the next update. Never change the paths of the ssl certs in the config files, the right and update-safe way is described in the thread that I linked in #4 by keeping the original paths and using symlinks.
     
  7. nmazza

    nmazza Member HowtoForge Supporter

    Ok, but when I use the symlinks
    I receive the following in the maillog ...

    (I have tested on another test server, CentOS 7 with
    Oct 24 11:30:02 mail postfix/smtpd[19395]: warning: cannot get RSA certificate from file /etc/postfix/smtpd.cert: disabling TLS support
    Oct 24 11:30:02 mail postfix/smtpd[19395]: warning: TLS library problem: 19395:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/postfix/smtpd.cert','r'):
    Oct 24 11:30:02 mail postfix/smtpd[19395]: warning: TLS library problem: 19395:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
    Oct 24 11:30:02 mail postfix/smtpd[19395]: warning: TLS library problem: 19395:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:ssl_rsa.c:701:
    Oct 24 11:30:02 mail postfix/smtpd[19395]: connect from localhost[::1]
    Oct 24 11:30:02 mail postfix/smtpd[19395]: warning: SASL: Connect to private/auth failed: Connection refused
    Oct 24 11:30:02 mail postfix/smtpd[19395]: fatal: no SASL authentication mechanisms
    Oct 24 11:30:03 mail postfix/master[19257]: warning: process /usr/libexec/postfix/smtpd pid 19395 exit status 1
    Oct 24 11:30:03 mail postfix/master[19257]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling

    Thanks
    Nestor Mazza
     
    Last edited: Oct 24, 2017
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Check that the symlink /etc/postfix/smtpd.cert points to the correct SSL cert.
     
  9. nmazza

    nmazza Member HowtoForge Supporter

    cd /etc/postfix
    ls -la smtpd.*

    lrwxrwxrwx 1 root root 48 Oct 24 11:29 smtpd.cert -> /usr/local/ispconfig/interface/ssl/ispserver.crt
    -rw-r--r-- 1 root root 2293 Oct 21 19:41 smtpd.cert-171024112848.bak
    lrwxrwxrwx 1 root root 48 Oct 24 11:29 smtpd.key -> /usr/local/ispconfig/interface/ssl/ispserver.key
    -rw-r----- 1 root root 3272 Oct 21 19:41 smtpd.key-171024112900.bak
    cd /usr/local/ispconfig/interface/ssl/
    ls -la

    total 32
    drwxr-x--- 2 root root 4096 Oct 24 11:27 .
    drwxr-x--- 9 ispconfig ispconfig 4096 Oct 21 19:43 ..
    -rwxr-x--- 1 root root 45 Oct 21 19:43 empty.dir
    lrwxrwxrwx 1 root root 60 Oct 24 11:27 ispserver.crt -> /etc/letsencrypt/live/mail.genericodigital.com/fullchain.pem
    -rwxr-x--- 1 root root 2293 Oct 21 19:43 ispserver.crt-171024112645.bak
    -rwxr-x--- 1 root root 1838 Oct 21 19:43 ispserver.csr
    lrwxrwxrwx 1 root root 58 Oct 24 11:27 ispserver.key -> /etc/letsencrypt/live/mail.genericodigital.com/privkey.pem
    -rwxr-x--- 1 root root 3243 Oct 21 19:43 ispserver.key-171024112701.bak
    -rwxr-x--- 1 root root 3311 Oct 21 19:41 ispserver.key.secure
    -rw------- 1 root root 0 Oct 24 11:27 ispserver.pem
    I don't have an idea how to solve it; I can't see what is wrong, but with the symlink it does not work for me.
    Thanks
    Nestor Mazza
     
    Last edited: Oct 24, 2017
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Do you get the right cert content when you run:

    cat /etc/postfix/smtpd.cert

    Maybe postfix has a problem with the double symlink, you can try to point

    /etc/postfix/smtpd.cert to /etc/letsencrypt/live/mail.genericodigital.com/fullchain.pem directly.

    Another possible problem can be that you are using a different ssl cert. In your working config you use /etc/letsencrypt/live/sofiha-isp.com.ar/fullchain.pem as cert but in the other config you use /etc/letsencrypt/live/mail.genericodigital.com/fullchain.pem which is a different ssl cert for a different domain. The correct cert for postfix is the one that is issued for the server hostname, the server hostname is not a domain that is used for a website on this system so sofiha-isp.com.ar is probably the wrong cert anyway.
     
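The checks till suggests in #8 and #10 (does /etc/postfix/smtpd.cert resolve through the double symlink to a real file, and is the cert at the end the one you think it is?) can be scripted. The following is an added example, not code from the thread or from ISPConfig; it keeps the original config paths and replaces the files with symlinks the update-safe way described in #6, walks every hop of the chain, and (with openssl) reports issuer/subject/dates and whether the key belongs to the cert. All paths and the hostname are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from ISPConfig. Keeps the paths the
# daemons already read (e.g. /etc/postfix/smtpd.cert), points them at the
# Let's Encrypt files with symlinks, then verifies the chain. Paths are assumed.

# Print every hop of a symlink chain (a double symlink shows up as two hops);
# return 1 if a hop dangles, the target is unreadable, or the chain loops.
follow_links() {
    p=$1; hops=0
    while [ -L "$p" ]; do
        t=$(readlink "$p")
        case $t in /*) ;; *) t=$(dirname "$p")/$t ;; esac  # relative target
        printf '%s -> %s\n' "$p" "$t"
        p=$t; hops=$((hops + 1))
        [ "$hops" -lt 16 ] || { echo "too many hops, symlink loop?" >&2; return 1; }
    done
    if [ -f "$p" ] && [ -r "$p" ]; then
        printf 'final target: %s (ok)\n' "$p"; return 0
    fi
    printf 'final target: %s (missing or unreadable)\n' "$p" >&2; return 1
}

# Replace FILE with a symlink to TARGET, keeping a timestamped .bak of the
# original (the naming seen in the thread's ls output). Refuses to create a
# dangling link, which is what produces "fopen(...) No such file or directory".
link_cert() {
    file=$1; target=$2
    [ -f "$target" ] || { echo "target $target does not exist" >&2; return 1; }
    if [ -e "$file" ] && [ ! -L "$file" ]; then
        mv "$file" "$file-$(date +%y%m%d%H%M%S).bak" || return 1
    fi
    ln -sf "$target" "$file" && follow_links "$file"
}

# Show what the cert at the end of the chain really is: identical subject and
# issuer means a self-signed cert, not one issued by Let's Encrypt.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}
# Return 0 when the private key belongs to the certificate (compares public keys).
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$c" = "$k" ]
}
# Typical use on the mail server (hostname in the path is an assumption):
#   link_cert /etc/postfix/smtpd.cert /etc/letsencrypt/live/$(hostname -f)/fullchain.pem
#   link_cert /etc/postfix/smtpd.key  /etc/letsencrypt/live/$(hostname -f)/privkey.pem
#   cert_summary /etc/postfix/smtpd.cert; key_matches_cert /etc/postfix/smtpd.cert /etc/postfix/smtpd.key
```

Run it as root after `certbot` has issued the cert for the server hostname; repeat for /etc/postfix/smtpd.key and the Dovecot/ISPConfig paths, and restart the services afterwards.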
  11. nmazza

    nmazza Member HowtoForge Supporter

    It's OK, now I modified another server because sofiha-isp.com.ar is working and genericodigital.com is not yet.
    I want to solve it on genericodigital.com and then update sofiha-isp.com.ar.
    Thanks
     
  12. nmazza

    nmazza Member HowtoForge Supporter

    cat /etc/postfix/smtpd.cert
     
