SMTP TLS Warning - Does not support TLS.

Discussion in 'Installation/Configuration' started by DKLeader, Nov 12, 2019.

  1. DKLeader

    DKLeader Member

    Hi,
    I have been asked by some of my users if we could get TLS on our mail server. I tried following this https://wiki.debian.org/Postfix#Postfix_and_TLS.2FSSL and went through the steps in the "ISPConfig 3.1 Manual".
    When I test the mail server on MXToolbox I get the following:
    SMTP TLS Warning - Does not support TLS.
    I have found others earlier having same problem and tried those solutions without getting closer to a solution.

    System : Debian Multiserver
    Mail server running Debian Wheezy and ISPConfig version 3.1.15p2

    My master.cf files looks like this:
    Code:
    #
    # Postfix master process configuration file.  For details on the format
    # of the file, see the master(5) manual page (command: "man 5 master").
    #
    # Do not forget to execute "postfix reload" after editing this file.
    #
    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    # ==========================================================================
    smtp      inet  n       -       -       -       -       smtpd
    #smtp      inet  n       -       -       -       1       postscreen
    #smtpd     pass  -       -       -       -       -       smtpd
    #dnsblog   unix  -       -       -       -       0       dnsblog
    #tlsproxy  unix  -       -       -       -       0       tlsproxy
    submission inet n       -       -       -       -       smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=may
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    smtps     inet  n       -       -       -       -       smtpd
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING
    #628       inet  n       -       -       -       -       qmqpd
    pickup    fifo  n       -       -       60      1       pickup
    cleanup   unix  n       -       -       -       0       cleanup
    qmgr      fifo  n       -       n       300     1       qmgr
    #qmgr     fifo  n       -       n       300     1       oqmgr
    tlsmgr    unix  -       -       -       1000?   1       tlsmgr
    rewrite   unix  -       -       -       -       -       trivial-rewrite
    bounce    unix  -       -       -       -       0       bounce
    defer     unix  -       -       -       -       0       bounce
    trace     unix  -       -       -       -       0       bounce
    verify    unix  -       -       -       -       1       verify
    flush     unix  n       -       -       1000?   0       flush
    proxymap  unix  -       -       n       -       -       proxymap
    proxywrite unix -       -       n       -       1       proxymap
    smtp      unix  -       -       -       -       -       smtp
    relay     unix  -       -       -       -       -       smtp
    #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
    showq     unix  n       -       -       -       -       showq
    error     unix  -       -       -       -       -       error
    retry     unix  -       -       -       -       -       error
    discard   unix  -       -       -       -       -       discard
    local     unix  -       n       n       -       -       local
    virtual   unix  -       n       n       -       -       virtual
    lmtp      unix  -       -       -       -       -       lmtp
    anvil     unix  -       -       -       -       1       anvil
    scache    unix  -       -       -       -       1       scache
    #
    # ====================================================================
    # Interfaces to non-Postfix software. Be sure to examine the manual
    # pages of the non-Postfix software to find out what options it wants.
    #
    # Many of the following services use the Postfix pipe(8) delivery
    # agent.  See the pipe(8) man page for information about ${recipient}
    # and other message envelope options.
    # ====================================================================
    # maildrop. See the Postfix MAILDROP_README file for details.
    # Also specify in main.cf: maildrop_destination_recipient_limit=1
    #
    maildrop  unix  -       n       n       -       -       pipe
      flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender}
    #
    # ====================================================================
    #
    # Recent Cyrus versions can use the existing "lmtp" master.cf entry.
    #
    # Specify in cyrus.conf:
    #   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
    #
    # Specify in main.cf one or more of the following:
    #  mailbox_transport = lmtp:inet:localhost
    #  virtual_transport = lmtp:inet:localhost
    #
    # ====================================================================
    #
    # Cyrus 2.1.5 (Amos Gouaux)
    # Also specify in main.cf: cyrus_destination_recipient_limit=1
    #
    #cyrus     unix  -       n       n       -       -       pipe
    #  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
    #
    # ====================================================================
    # Old example of delivery via Cyrus.
    #
    #old-cyrus unix  -       n       n       -       -       pipe
    #  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
    #
    # ====================================================================
    #
    # See the Postfix UUCP_README file for configuration details.
    #
    uucp      unix  -       n       n       -       -       pipe
      flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    #
    # Other external delivery methods.
    #
    ifmail    unix  -       n       n       -       -       pipe
      flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp     unix  -       n       n       -       -       pipe
      flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
    scalemail-backend unix  -       n       n       -       2       pipe
      flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
    mailman   unix  -       n       n       -       -       pipe
      flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
      ${nexthop} ${user}
    
    dovecot   unix  -       n       n       -       -       pipe
      flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
    
    amavis    unix  -       -       -       -       2       smtp
            -o smtp_data_done_timeout=1200
            -o smtp_send_xforward_command=yes
            -o smtp_bind_address=
    
    
    127.0.0.1:10025 inet n - n - - smtpd
            -o content_filter=
            -o local_recipient_maps=
            -o relay_recipient_maps=
            -o smtpd_restriction_classes=
            -o smtpd_client_restrictions=
            -o smtpd_helo_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject
            -o mynetworks=127.0.0.0/8
            -o strict_rfc821_envelopes=yes
            -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
            -o smtp_send_xforward_command=yes
            -o disable_dns_lookups=yes
    
    127.0.0.1:10027 inet n - n - - smtpd
            -o content_filter=
            -o local_recipient_maps=
            -o relay_recipient_maps=
            -o smtpd_restriction_classes=
            -o smtpd_client_restrictions=
            -o smtpd_helo_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject
            -o mynetworks=127.0.0.0/8
            -o strict_rfc821_envelopes=yes
            -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
            -o smtp_send_xforward_command=yes
            -o milter_default_action=accept
            -o milter_macro_daemon_name=ORIGINATING
            -o disable_dns_lookups=yes
    
    Hope someone can help with a clue to what I have missed.

    Best Regards
    Jakob
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

  3. DKLeader

    DKLeader Member

    Hi Till,
    Thanks for the quick reply.
    I have checked and cross checked that it is the correct server I am connecting to.
    This is from MXToolBox:
    Code:
    Test                        Result
    SMTP TLS                    Warning - Does not support TLS.
    SMTP Reverse DNS Mismatch   OK - XX.XX.XX.XX resolves to mail.XXXXXX.XX
    SMTP Valid Hostname         OK - Reverse DNS is a valid Hostname
    SMTP Banner Check           OK - Reverse DNS matches SMTP Banner
    SMTP Connection Time        0.844 seconds - Good on Connection time
    SMTP Open Relay             OK - Not an open relay.
    SMTP Transaction Time       3.094 seconds - Good on Transaction Time
    
    I have the following ports open for the mail server in my firewall : 25,110,143,465,587,993,995

    From the htf_report.txt
    Code:
    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    IP-address(es) (as per ifconfig): ***.***.***.***
    [INFO] OS version is "Debian GNU/Linux 7 (wheezy)"
    
    [INFO] ISPConfig is installed.
    
    ##### ISPCONFIG #####
    ISPConfig version is 3.1.15p2
    
    
    ##### VERSION CHECK #####
    
    [INFO] php (cli) version is 5.4.45-0+deb7u14
    
    ##### PORT CHECK #####
    
    [WARN] Port 8080 (ISPConfig) seems NOT to be listening
    [WARN] Port 8081 (ISPConfig Apps) seems NOT to be listening
    [WARN] Port 443 (Webserver SSL) seems NOT to be listening
    [WARN] Port 21 (FTP server) seems NOT to be listening
    
    ##### MAIL SERVER CHECK #####
    
    
    ##### RUNNING SERVER PROCESSES #####
    
    [INFO] I found the following web server(s):
            Apache 2 (PID 1855)
    [INFO] I found the following mail server(s):
            Postfix (PID 27740)
    [INFO] I found the following pop3 server(s):
            Dovecot (PID 27470)
    [INFO] I found the following imap server(s):
            Dovecot (PID 27470)
    [WARN] I could not determine which ftp server is running.
    
    ##### LISTENING PORTS #####
    (only           ()
    Local           (Address)
    [anywhere]:993          (27470/dovecot)
    [anywhere]:995          (27470/dovecot)
    [localhost]:10024               (26364/amavisd-new)
    [localhost]:10025               (27740/master)
    [localhost]:10026               (26364/amavisd-new)
    [anywhere]:3306         (25869/mysqld)
    [localhost]:10027               (27740/master)
    [anywhere]:587          (27740/master)
    [anywhere]:110          (27470/dovecot)
    [anywhere]:143          (27470/dovecot)
    [anywhere]:111          (1564/rpcbind)
    [anywhere]:465          (27740/master)
    [anywhere]:22           (3273/sshd)
    [anywhere]:25           (27740/master)
    *:*:*:*::*:993          (27470/dovecot)
    *:*:*:*::*:995          (27470/dovecot)
    *:*:*:*::*:587          (27740/master)
    [localhost]10           (27470/dovecot)
    [localhost]43           (27470/dovecot)
    [localhost]11           (1564/rpcbind)
    *:*:*:*::*:80           (1855/apache2)
    *:*:*:*::*:465          (27740/master)
    *:*:*:*::*:22           (3273/sshd)
    *:*:*:*::*:25           (27740/master)
    
    
    
    
    ##### IPTABLES #####
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    fail2ban-dovecot-pop3imap  tcp  --  [anywhere]/0            [anywhere]/0            multiport dports 110,995,143,993
    fail2ban-ssh  tcp  --  [anywhere]/0            [anywhere]/0            multiport dports 22
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain fail2ban-dovecot-pop3imap (1 references)
    target     prot opt source               destination
    RETURN     all  --  [anywhere]/0            [anywhere]/0
    
    Chain fail2ban-ssh (1 references)
    target     prot opt source               destination
    RETURN     all  --  [anywhere]/0            [anywhere]/0
    Best Regards
    Jakob
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The server supports secure SMTP. Try using an SMTP client like Thunderbird, Outlook or Apple Mail instead of a test script. For secure connections, use port 587 together with STARTTLS as the security mode. Port 465 can be used as well, but normally one uses port 587 for SMTP(S) connections from client to server now.
     
  5. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    When I test my e-mail server on mxtoolbox.com, it says it supports TLS.
    Try some other web tool; find them using Internet search engines with
    Code:
    ssl testing mail server
     
    DKLeader likes this.
  6. DKLeader

    DKLeader Member

    Thanks - will try that.
    As I started with, I have been asked by some of my users to get TLS because emails could not be delivered since our server was not "secure".
    I am sending emails using RoundCube and I can see when emails are received in, e.g., Gmail that they are not secure, but I assume that this is because my webmail server with RoundCube needs to be modified to use TLS.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess the question is whether your clients configured their mail clients to use TLS. Your server supports it, but if your clients disable TLS on the client side, then the connection is not encrypted no matter whether the server supports it or not. Same with Gmail: if you tell Gmail to use SMTP without TLS, then it's not secure; if you tell Gmail to use SMTP with TLS, then it's secure. Or the issue might be something completely different, maybe you use a self-signed SSL cert and your clients mix up an SSL warning with an unencrypted connection. If you use a self-signed SSL cert for the mail system, replace it with a Let's Encrypt one and ensure that your clients use the mail server hostname to connect and not subdomains of their own domain names that are not part of the SSL cert.
     
  8. Steini86

    Steini86 Active Member

    The Postfix and OpenSSL versions (like everything else) in wheezy are extremely outdated. Your versions do not support modern protocols, as needed for secure mail transport.
    The standard Postfix settings for this ancient version are bad. You can try disabling the insecure protocols in main.cf
    Code:
    smtp_tls_mandatory_protocols = !TLSv1, !SSLv2, !SSLv3
    smtp_tls_protocols = !TLSv1, !SSLv2, !SSLv3
    but I doubt that any supported protocols are left. This version for sure cannot do TLS1.3 and I am not sure if it can do TLS1.2.
    TLS1.1 needs OpenSSL 1.0.1 or newer and at least Postfix 2.3. Look at what versions you have.
    Better: UPDATE YOUR SYSTEM! Even the long term support of wheezy has been gone for a year.

    EDIT:
    Even if it is some work, you will get a lot of benefits:
    - You will get security updates
    - Support for all the security features developed in the last 3 years (there are a lot and wheezy did not get any feature updates since 2016). An example for that is TLS1.2 and TLS1.3
    - Apache 2.4 has new features and is faster (support for http2, which greatly improves SSL speed)
    - PHP7 is much (much!) faster than php5.4. mpm_event and php_fpm will feel like you got a brand new server
     
    Last edited: Nov 12, 2019
    DKLeader, Jesse Norell and till like this.
  9. Jesse Norell

    Jesse Norell Well-Known Member

    DKLeader and till like this.
  10. DKLeader

    DKLeader Member

  11. Jesse Norell

    Jesse Norell Well-Known Member

    Fair enough :).

    What does 'postconf smtpd_tls_cert_file smtpd_tls_key_file' return, and do those files exist? What do you get if you check TLS from the local machine, e.g. run 'openssl s_client -connect localhost:25 -starttls smtp'? You say you have a firewall allowing specific ports, yet iptables shows all ports open, so I presume you must have an external firewall. Does it handle the SMTP connection and inspect SMTP traffic? (I.e. is it your firewall which needs TLS support?)
     
  12. Steini86

    Steini86 Active Member

    But just a little bit, because my guess is that your combination of OpenSSL and Postfix versions is just not able to establish a secure connection with modern clients, because these ancient versions do not support it. No configuration can change this. My advice would be to install a new VM with buster and migrate your ISPConfig installation. You would need to upgrade wheezy->jessie->stretch->buster, which will lead to lots of problems.

    Edit: Which versions of OpenSSL and Postfix do you have installed? TLS1.2 needs openssl > 1.0.1
    Everything else there is to know on Postfix and TLS is listed here: http://www.postfix.org/TLS_README.html
    Edit2: Just looked it up (or not): the wheezy packages are not online (too old), but even the Jessie package of postfix is linked against libssl1.0.0 -> https://packages.debian.org/jessie/postfix
    For sure you can backport OpenSSL and build your own Postfix with >tls1.2 support ...
     
    Last edited: Nov 12, 2019
  13. Jesse Norell

    Jesse Norell Well-Known Member

    As a point of reference, I found an old wheezy mail server (not ISPConfig, but ...) with postfix and openssl from wheezy-backports:
    Code:
    ii  openssl                              1.0.1t-1+deb7u4                    i386         Secure Socket Layer (SSL) binary and related cryptographic tools
    ii  postfix                              2.11.2-1~bpo70+1                   i386         High-performance mail transport agent
    
    I checked it in mxtoolbox's "Test Email Server" and it came up with:

    Test                        Result
    SMTP Reverse DNS Mismatch   OK - x.x.x.x resolves to old.servers.r-us
    SMTP Valid Hostname         OK - Reverse DNS is a valid Hostname
    SMTP Banner Check           OK - Reverse DNS matches SMTP Banner
    SMTP TLS                    OK - Supports TLS.
    SMTP Connection Time        0.812 seconds - Good on Connection time
    SMTP Open Relay             OK - Not an open relay.
    SMTP Transaction Time       2.781 seconds - Good on Transaction Time
     
  14. DKLeader

    DKLeader Member

    I have now tried a few things and I am still a bit lost.
    I have upgraded the server to Jessie - I know that I have to either upgrade further or re-install - but that is not an option for me right now.
    Now I have:
    Postfix mail_version = 2.11.3
    Dovecot 2.2.13
    OpenSSL 1.0.1t 3 May 2016

    In Outlook:
    When I set up the mail connection to use TLS/SSL all goes fine. If I try to use STARTTLS it fails.
    When I send an email with the TLS/SSL setting I can see in my Gmail that it states that my domain has not encrypted the email.
    If I use my email account from Unoeuro I can see in Gmail that emails have been encrypted using TLS.

    Postfix
    I have tried setting main.cf:
    smtpd_tls_security_level = may to smtpd_tls_security_level = encrypt
    smtp_tls_security_level = may to smtp_tls_security_level = encrypt
    When I send an email from my Gmail or another external mail client with the above settings I get a reply:
    <[email protected]>: host mail.mydomain.yy[XX.XX.XX.XX] said: 530 5.7.0 Must issue
    a STARTTLS command first (in reply to MAIL FROM command)

    Changed the settings back to "may" and then tried the following from one of my other VMs (sandbox):
    Code:
    openssl s_client -connect mail.mydomain.yy:25
    
    I got this reply:
    Code:
    CONNECTED(00000003)
    139881080700992:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 5 bytes and written 176 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1574021980
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no
    ---
    
    I have then done the same for 110, 465, 587, 993 and 995. The only big difference was with 465, 993 and 995: they included the server certificate in the reply and also this:
    Code:
    New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: 2FA9FB6069A7BEAF1ADD365CABBA92155857E26F55EF87B5AFE7E9A71B7F1C6B
        Session-ID-ctx:
        Master-Key: 6831D31599A5136648761C8010093596BA92EA5F689C466C06181250CD6310ECB9E8F5E3C57FBDD0384972E3F0A2C272
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 7200 (seconds)
        TLS session ticket:
        0000 - 90 08 d4 ff ee c9 e1 53-0e a0 0d 57 41 68 c1 a5   .......S...WAh..
        0010 - 6c a6 8c 93 cc ed a3 96-4f 59 67 04 f7 89 80 53   l.......OYg....S
        0020 - 8f 33 86 08 2a a0 f1 db-fa f6 50 7b eb 31 12 c4   .3..*.....P{.1..
        0030 - b9 a4 a3 35 a3 6d 4f cf-bc 9f 85 4d 57 b8 44 78   ...5.mO....MW.Dx
        0040 - 75 98 75 f6 a4 94 a0 f8-7e f8 1f 26 d2 a1 67 8d   u.u.....~..&..g.
        0050 - 66 b8 c3 ab 70 a3 58 74-76 23 2a 92 f7 2c ff 7c   f...p.Xtv#*..,.|
        0060 - 25 a6 6e 45 63 b4 63 04-35 fc b3 e9 30 f5 4a 7d   %.nEc.c.5...0.J}
        0070 - 09 86 6f c5 69 96 3d 44-dd 8c cd 5a 89 53 76 de   ..o.i.=D...Z.Sv.
        0080 - 31 1d 48 e0 c5 b2 ef b1-e9 15 e3 dc 88 eb 10 d2   1.H.............
        0090 - c7 0d b6 57 2a ed da 1e-2f d7 45 5d ad f5 fa 35   ...W*.../.E]...5
    
        Start Time: 1574022063
        Timeout   : 7200 (sec)
        Verify return code: 21 (unable to verify the first certificate)
        Extended master secret: no
    

    Firewall:

    Just to be sure about the ports, I tried from https://www.yougetsignal.com/tools/open-ports/ and can see the following when I at the same time have this running on the mail server:
    Code:
    tail -f /var/log/syslog
    I got this reply for ports 25, 110, 465, 587, 993 and 995
    Code:
    Nov 17 21:03:03 mail postfix/smtpd[31067]: connect from unknown[198.199.98.246]
    Nov 17 21:03:03 mail postfix/smtpd[31067]: lost connection after CONNECT from unknown[198.199.98.246]
    Nov 17 21:03:03 mail postfix/smtpd[31067]: disconnect from unknown[198.199.98.246]
    Nov 17 21:03:07 mail dovecot: pop3-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=198.199.98.246, lip=192.168.100.58, session=<R1BhKJGXVwDGx2L2>
    Nov 17 21:03:13 mail postfix/smtps/smtpd[31072]: connect from unknown[198.199.98.246]
    Nov 17 21:03:13 mail postfix/smtps/smtpd[31072]: SSL_accept error from unknown[198.199.98.246]: lost connection
    Nov 17 21:03:13 mail postfix/smtps/smtpd[31072]: lost connection after CONNECT from unknown[198.199.98.246]
    Nov 17 21:03:13 mail postfix/smtps/smtpd[31072]: disconnect from unknown[198.199.98.246]
    Nov 17 21:03:27 mail postfix/submission/smtpd[31073]: connect from unknown[198.199.98.246]
    Nov 17 21:03:27 mail postfix/submission/smtpd[31073]: lost connection after CONNECT from unknown[198.199.98.246]
    Nov 17 21:03:27 mail postfix/submission/smtpd[31073]: disconnect from unknown[198.199.98.246]
    Nov 17 21:03:32 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.199.98.246, lip=192.168.100.58, TLS handshaking: Disconnected, session=<febkKZGXlADGx2L2>
    Nov 17 21:03:36 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.199.98.246, lip=192.168.100.58, TLS handshaking: Disconnected, session=<yd4kKpGXNwDGx2L2>
    Hope that this can give an idea and maybe guide me on what I have missed or done wrong.
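The two kinds of result above come from two kinds of port: 465/993/995 wrap the whole connection in TLS, while 25/587/110/143 start in plaintext and upgrade via STARTTLS, so a TLS ClientHello sent straight to port 25 is answered by a plaintext banner and OpenSSL reports "wrong version number". The following Python script is an added example, not code from anyone in this thread; it picks the right probing mode per port, builds the matching `openssl s_client` command, and does the STARTTLS check Jesse Norell suggested from Python. The host name and EHLO replies in it are constructed.

```python
"""Probe mail ports the way each one expects TLS: implicit TLS on 465/993/995,
STARTTLS on 25/587/110/143. A TLS ClientHello sent to a STARTTLS port gets a
plaintext banner back, which openssl reports as "wrong version number"."""
import smtplib
import ssl
import sys

# Port -> (protocol name as openssl's -starttls option expects it, TLS mode).
PORT_MODES = {
    25: ("smtp", "starttls"),
    587: ("smtp", "starttls"),
    465: ("smtp", "implicit"),
    110: ("pop3", "starttls"),
    143: ("imap", "starttls"),
    993: ("imap", "implicit"),
    995: ("pop3", "implicit"),
}

# Constructed EHLO replies for offline testing (not captured from a real server).
EHLO_WITH_STARTTLS = (
    "250-mail.example.test\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n250-ENHANCEDSTATUSCODES\r\n250 DSN\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mail.example.test\r\n250-PIPELINING\r\n250 ENHANCEDSTATUSCODES\r\n"
)


def probe_plan(port):
    """Return (protocol, mode) for a well-known mail port, or None."""
    return PORT_MODES.get(port)


def openssl_command(host, port):
    """Build the openssl s_client invocation that matches the port's mode."""
    plan = probe_plan(port)
    if plan is None:
        raise ValueError(f"no TLS mode known for port {port}")
    proto, mode = plan
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}"]
    if mode == "starttls":
        cmd += ["-starttls", proto]  # speak the plaintext protocol first
    return " ".join(cmd)


def ehlo_advertises_starttls(raw_reply):
    """True if a raw multi-line EHLO reply lists the STARTTLS extension."""
    for line in raw_reply.splitlines():
        # Continuation lines are "250-KEYWORD", the final line is "250 KEYWORD".
        if line.startswith("250") and len(line) > 4 and line[3] in "- ":
            keyword = line[4:].strip().split(" ")[0]
            if keyword.upper() == "STARTTLS":
                return True
    return False


def check_smtp_starttls(host, port=25, timeout=10):
    """Network check: EHLO, upgrade with STARTTLS, report protocol and cipher."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"starttls": False}
        try:
            smtp.starttls(context=ctx)
        except ssl.SSLCertVerificationError as exc:
            # e.g. an incomplete chain: openssl's "unable to verify the first certificate"
            return {"starttls": True, "verified": False, "error": exc.verify_message}
        return {"starttls": True, "verified": True,
                "protocol": smtp.sock.version(), "cipher": smtp.sock.cipher()[0]}
    finally:
        smtp.close()  # no QUIT: after a failed handshake the channel state is undefined


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for p in sorted(PORT_MODES):
        print(openssl_command(target, p))
    print(check_smtp_starttls(target, 25))
```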
     
  15. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    On my e-mail servers setup with ISPConfig, SSL/TLS works after following the Perfect Server Guide and the Securing ISPConfig Tutorial by Ahrasis. I have not done anything special after that.
     
    ahrasis and DKLeader like this.
  16. DKLeader

    DKLeader Member

    Taleman - I have gone through those 2 guides as well and must admit I cannot figure out why STARTTLS is the only part not working.
     
  17. Steini86

    Steini86 Active Member

    Well, your "openssl s_client -connect" command has shown that TLS1.2 is working (?) with ports 465, 993 and 995.
    However, there is something wrong with your certificate:
    Make sure you followed the guide on creating your certificate files.

    "grep smtpd_tls main.cf" should show you where the files are and should be something similar to:
    Code:
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
    smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem
    smtpd_tls_eecdh_grade = strong
    smtpd_tls_ask_ccert = yes
    smtp_tls_key_file = $smtpd_tls_key_file
    smtp_tls_cert_file = $smtpd_tls_cert_file
    smtp_tls_CAfile = $smtpd_tls_CAfile
    Check that smtpd_tls_cert_file contains the full chain.
    And the files (in my case) depend on the guide you used:
    Code:
    ll smtpd*
    lrwxrwxrwx 1 root root 48 Okt 30  2017 smtpd.cert -> /etc/letsencrypt/live/mail.domain/fullchain.pem
    lrwxrwxrwx 1 root root 46 Okt 30  2017 smtpd.key -> /etc/letsencrypt/live/mail.domain/privkey.pem

    Does not look too good, some incompatibilities with OpenSSL versions ..
     
