[Solved] Update to 3.2 > Incoming mails bouncing > reinstall postfix+amavisd > F. :/

Discussion in 'General' started by niemand-glaumy, Oct 25, 2020.

  1. Using Ubuntu 18.04. ISPC was installed guided by TPS. Sorry, I'll need a walk-through.

    As readable in this thread, I had an issue after updating to 3.2. Issue was that all incoming mails bounced from all accounts. Following advice led to errors disappearing but problem staying. The issue changed after a reinstall to being not able to connect to it via Thunderbird at all.

    > Last things I did was purging postfix + amavisd and reinstalling it guided by TPS again. Then reconfiguring ISPC.

    I also enabled -verbose/debug logging on several lines in master.cf:
    Code:
    #
    # Postfix master process configuration file.  For details on the format
    # of the file, see the master(5) manual page (command: "man 5 master" or
    # on-line: http://www.postfix.org/master.5.html).
    #
    # Do not forget to execute "postfix reload" after editing this file.
    #
    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (no)    (never) (100)
    # ==========================================================================
    smtp      inet  n       -       y       -       -       smtpd -v
    #smtp      inet  n       -       y       -       1       postscreen
    #smtpd     pass  -       -       y       -       -       smtpd
    #dnsblog   unix  -       -       y       -       0       dnsblog
    #tlsproxy  unix  -       -       y       -       0       tlsproxy
    submission inet n       -       y       -       -       smtpd -v
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_tls_auth_only=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #  -o smtpd_reject_unlisted_recipient=no
    [...]
    #  -o milter_macro_daemon_name=ORIGINATING
    smtps     inet  n       -       y       -       -       smtpd -v
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #  -o smtpd_reject_unlisted_recipient=no
    [...]
    Weird for me is the line
    Code:
    #  -o smtpd_tls_auth_only=yes
    which isn't present in the TPS. I tried it un- and commented which didn't change the result.

    mail.err has a lot of
    Code:
    Oct 24 23:03:21 web postfix/smtpd[44753]: fatal: no SASL authentication mechanisms
    everything above those errors is from before the reinstall.

    Edit: Here's the mail.log from ISPConfig. I am sure there's more inside the file itself, tell me if it's required: https://pastebin.com/DwuCnaHs
     
    Last edited: Oct 25, 2020
  2. Th0m

    Th0m, ISPConfig Developer, Staff Member

    TPS = The Perfect Server tutorial?

    There is indeed a new default config for Postfix that differs from the Perfect Server guide, but your master.cf seems good to me.

    From your logs, I see that there is no cert for Postfix, so it disables TLS. I think the best thing to do is create one that's trusted as well, following this guide: https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/
    (Note: I did this a little bit differently by creating a separate cert for Postfix and Dovecot instead of using the same as the interface. See this comment if you want to do that: https://www.howtoforge.com/communit...topped-sending-email.85381/page-2#post-410370)

    (cc @ahrasis maybe we can update the tutorial so more people can use this? If you agree on my method of course :))
     
    niemand-glaumy likes this.
  3. Steini86

    Steini86 Active Member

    Isn't a letsencrypt certificate creation for the web included in ISPC 3.2? This should then also be used for postfix/dovecot/etc... Might be time for a new guide ;-)

    As @Th0m said, your problem is
    Code:
    Oct 24 23:24:49 web postfix/smtps/smtpd[48247]: warning: TLS library problem: error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:290:fopen('/etc/postfix/smtpd.cert','r'):
    (By the way: you can search in your logfile for "error". This is usually a good hint about what is wrong)
     
    niemand-glaumy likes this.
  4. ahrasis

    ahrasis Well-Known Member

    @Th0m, I have no objection to any update etc. The tutorial was originally taken from a concise forum post that is limited to 10k.

    Yes. I agree with @Steini86 that ISPConfig 3.2 should already cover the issuance of LE SSL certs for postfix and dovecot.

    I also noted the rise of mail system failure or error questions related to 3.2, but I am not really familiar with mail servers that much.
     
  5. Th0m

    Th0m, ISPConfig Developer, Staff Member

    Yes, it is, and iirc you are asked if you want to use it for postfix/dovecot as well. But if you want a separate cert for your email services (e.g. for ISPConfig you want a cert for just panel.example.com and for email smtp.example.com, imap.example.com and pop3.example.com), you have to do this manually. I personally prefer a separate cert.

    We should update the guide anyways, to describe the new function. Maybe I will do this later...
     
    niemand-glaumy likes this.
  6. Yes.

    I ran through "Using The Same Let's Encrypt SSL Certs For Other Major Services" a and b, as well as through "Create Auto Renewal Script For Your ISPConfig Pem File (ispserver.pem)".

    I now encounter the issue of Thunderbird telling me my certificate is not signed for the correct domain (connecting to mail.domainTWO.tld). When looking at it, it shows me alternate DNS names for "discord.domainONE.tld", "domainONE.tld", "forum.domainONE.tld", but not any of the others. Those might require their own cert, you got another link for me?

    "grep error /var/log/mail.log":
    Code:
    Oct 25 13:51:13 web postfix/smtpd[2471]: warning: 16.179.2.198.zen.spamhaus.org: RBL lookup error: Host or domain name not found. Name service error for name=16.179.2.198.zen.spamhaus.org type=A: Host not found, try again
    Oct 25 13:51:32 web postfix/smtps/smtpd[3232]: SSL_accept error from unknown[185.244.41.12]: -1
    Oct 25 13:51:32 web postfix/smtps/smtpd[3232]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2253:
    Oct 25 13:51:33 web postfix/submission/smtpd[5502]: SSL_accept error from unknown[185.244.41.12]: -1
    Oct 25 13:51:33 web postfix/submission/smtpd[5502]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2253:
    Oct 25 13:51:53 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=own.ip.censored, lip=ser.ver.ip.censored, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<4kLGHX+ycu8+WyI6>
    Oct 25 13:59:06 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=own.ip.censored, lip=ser.ver.ip.censored, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<fS6MN3+yt/A+WyI6>
    Oct 25 13:59:33 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=own.ip.censored, lip=ser.ver.ip.censored, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<xlczOX+yyvA+WyI6>
    Oct 25 14:01:50 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=own.ip.censored, lip=ser.ver.ip.censored, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<azpdQX+yK/E+WyI6>
    Oct 25 14:03:58 web dovecot: imap-login: Disconnected (no auth attempts in 3 secs): user=<>, rip=2.247.253.178, lip=ser.ver.ip.censored, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<eBX/SH+yl4EC9/2y>
    Oct 25 14:04:00 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=2.247.253.178, lip=ser.ver.ip.censored, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<EsQWSX+ym6gC9/2y>
    Oct 25 14:04:16 web dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=2.247.253.178, lip=ser.ver.ip.censored, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<nTkPSn+yRaoC9/2y>
    Oct 25 14:06:39 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=own.ip.censored, lip=ser.ver.ip.censored, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<FaCYUn+y+/E+WyI6>
    Oct 25 14:06:41 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=own.ip.censored, lip=ser.ver.ip.censored, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<CC6rUn+y/fE+WyI6>
    Oct 25 14:06:43 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=own.ip.censored, lip=ser.ver.ip.censored, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<v2HPUn+yBPI+WyI6>
    Oct 25 14:06:52 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=own.ip.censored, lip=ser.ver.ip.censored, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<sEFXU3+yCvI+WyI6>
    Oct 25 14:09:26 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=own.ip.censored, lip=ser.ver.ip.censored, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<i/2EXH+yd/I+WyI6>
    Oct 25 14:11:50 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=own.ip.censored, lip=ser.ver.ip.censored, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<PqwgZX+y5vI+WyI6>
    Oct 25 14:16:02 web postfix/smtpd[2722]: warning: 126.104.181.185.zen.spamhaus.org: RBL lookup error: Host or domain name not found. Name service error for name=126.104.181.185.zen.spamhaus.org type=A: Host not found, try again
    Oct 25 14:17:56 web dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=own.ip.censored, lip=ser.ver.ip.censored, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<Jfvnen+yGcw+WyI6>
    Oct 25 14:17:56 web dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=own.ip.censored, lip=ser.ver.ip.censored, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<rbfoen+yGsw+WyI6>
    According to mail.log there's also an IP from Iran (I'm quite sure it didn't change in the last one/two days) spamming me with connection trials several times a minute. Can I stop/ban that easily by any chance? :)
     
  7. Th0m

    Th0m, ISPConfig Developer, Staff Member

    I have it setup like this:
    Postfix and dovecot use the same cert, which is valid for imap.example.com, smtp.example.com, pop3.example.com and mx1.example.com. example.com is the domain for my hosting services.

    All clients connect to those domains with their email clients, instead of mail.clientdomain.com or imap.clientdomain.com. I recommend doing the same.

    However, if you want to add additional domains to the certificate anyway, all you have to do is add an alias domain to the website that you use to get the certificate for your email server. So if you want mail.clientdomain.com to be seen as trusted, add it as alias domain to the website. If everything is correctly set up, a new certificate will be issued and copied automatically to be used for postfix and dovecot.
     
  8. Alright. I'm near my wit's end.
    Code:
    Oct 28 00:03:39 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=80.82.77.232, lip=server.IP.censored, session=<tL1G5a+yKvdQUk3o>
    Oct 28 00:03:39 web dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=80.82.77.232, lip=server.IP.censored, session=<mMVG5a+yCvJQUk3o>
    Oct 28 00:05:02 web dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<hT496q+yRNUAAAAAAAAAAAAAAAAAAAAB>
    Oct 28 00:05:02 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<D1496q+ySuAAAAAAAAAAAAAAAAAAAAAB>
    Oct 28 00:05:18 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=my.IP.censored, lip=server.IP.censored, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<wZQs66+yFcw+WyI6>
    Oct 28 00:05:18 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=212.144.107.142, lip=server.IP.censored, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<44Au66+ysp3UkGuO>
    Oct 28 00:05:18 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=212.144.107.142, lip=server.IP.censored, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<eKQw66+yd8/UkGuO>
    Oct 28 00:05:18 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=212.144.107.142, lip=server.IP.censored, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<eU4066+yXOrUkGuO>
    Oct 28 00:05:18 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=212.144.107.142, lip=server.IP.censored, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<6yI166+yOeLUkGuO>
    Oct 28 00:05:18 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=212.144.107.142, lip=server.IP.censored, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<Bw8266+yXszUkGuO>
    Oct 28 00:05:19 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=my.IP.censored, lip=server.IP.censored, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<cLI866+yFsw+WyI6>
    Oct 28 00:09:18 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=my.IP.censored, lip=server.IP.censored, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<IHp9+a+yjsw+WyI6>
    Oct 28 00:09:58 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=my.IP.censored, lip=server.IP.censored, TLS handshaking: SSL_accept() syscall failed: Success, session=<j3Hg+6+ypsw+WyI6>
    Oct 28 00:09:58 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=my.IP.censored, lip=server.IP.censored, TLS handshaking: SSL_accept() syscall failed: Success, session=<CHvg+6+yp8w+WyI6>
    Oct 28 00:10:01 web dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<tAoU/K+yWtUAAAAAAAAAAAAAAAAAAAAB>
    Oct 28 00:10:01 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<2kYU/K+yYOAAAAAAAAAAAAAAAAAAAAAB>
    Oct 28 00:10:21 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=my.IP.censored, lip=server.IP.censored, TLS handshaking: SSL_accept() syscall failed: Success, session=<vPpG/a+yssw+WyI6>
    Oct 28 00:12:38 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=my.IP.censored, lip=server.IP.censored, TLS handshaking: SSL_accept() syscall failed: Success, session=<AJ1sBbCy9cw+WyI6>
    Oct 28 00:15:02 web dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<+e/8DbCycNUAAAAAAAAAAAAAAAAAAAAB>
    Oct 28 00:15:02 web dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<gyv9DbCyduAAAAAAAAAAAAAAAAAAAAAB>
    
    Well, I was before but whatever I do changes the error to something I understand less. My smtp. and imap. subdomains are listed in the cert when I check them in my browser and I redid the TPS, the update 3.1 to 3.2 and the SSL-tutorials several times now.

    I would do a complete reinstall (maybe even to Ubuntu 20.04) if I didn't have the feeling this made me lose all settings and data. Again. Not that I didn't already back up my mail folders in Thunderbird. :p
    I deleted all certs in thunderbird, thunderbird's loading itself to death on getMail() now. :D

    I see where the backUps are. Is there a walkthrough for a rollback? I couldn't find one in tutorials.
     
  9. Steini86

    Steini86 Active Member

    Don't worry, it's not so bad.
    1. Get a valid (letsencrypt) certificate for the domain in /etc/mailname
    2. Make sure the certificate is in /etc/postfix/smtpd.key and smtpd.cert (for example by symlink, should already be done)
    3. Choose your software (postfix) and your needed clients (intermediate or old) here: https://ssl-config.mozilla.org/#ser...fig=intermediate&openssl=1.1.1d&guideline=5.6
    4. Change your main.cf (these lines should already be there) to the settings of the website above, adjust these 3 lines to:
      Code:
      smtpd_tls_key_file = ${config_directory}/smtpd.key
      smtpd_tls_cert_file = ${config_directory}/smtpd.cert
      smtpd_tls_dh1024_param_file = ${config_directory}/ffdhe4096.pem
    5. Execute "curl https://ssl-config.mozilla.org/ffdhe4096.txt > /etc/postfix/ffdhe4096.pem"
    6. Restart postfix
    7. Tell all your clients to connect to the domain in "/etc/mailname" (the domain for which you have the certificate)
     
    ahrasis and Th0m like this.
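An added pre-flight script, not from the thread or from ISPConfig, that checks what steps 1, 2 and 7 above and the "not signed for the correct domain" complaint in post 6 depend on: that smtpd.cert and smtpd.key are a matching pair and that the certificate actually carries the name clients connect to. It assumes openssl is installed; the default paths are the ones used in the thread, and the test names below are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from ISPConfig: pre-flight checks for
# the Postfix/Dovecot certificate before restarting the services.
# Assumes: openssl is installed. Default paths are the ones used in the thread.
set -u

# Return 0 when the certificate and the private key are a matching pair.
# A missing or mismatched pair leaves Postfix without usable TLS, which is
# where "SSL_accept error" / "no shared cipher" lines like those above come from.
mail_cert_key_match() {
    cert="$1"; key="$2"
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 1
    openssl pkey -in "$key" -noout >/dev/null 2>&1 || return 1
    # Compare the SubjectPublicKeyInfo derived from each side.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate's subjectAltName list carries NAME exactly.
# A name missing here is what makes Thunderbird report "not signed for the
# correct domain" and Dovecot log "alert bad certificate" (alert 42).
mail_cert_covers_name() {
    cert="$1"; name="$2"
    [ -n "$name" ] || return 1
    openssl x509 -in "$cert" -noout -text 2>/dev/null \
      | awk '/Subject Alternative Name/ { getline; print; exit }' \
      | tr ',' '\n' \
      | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p' \
      | grep -qxF "$name"
}

# Run both checks; NAME defaults to the content of /etc/mailname (step 7).
# Prints the first failing check and returns 1, or returns 0 when all is well.
postfix_tls_preflight() {
    cert="${1:-/etc/postfix/smtpd.cert}"
    key="${2:-/etc/postfix/smtpd.key}"
    name="${3:-$(cat /etc/mailname 2>/dev/null)}"
    [ -n "$name" ] || { echo "FAIL: no hostname given and /etc/mailname is empty"; return 1; }
    mail_cert_key_match "$cert" "$key" \
      || { echo "FAIL: $cert and $key are not a matching pair"; return 1; }
    mail_cert_covers_name "$cert" "$name" \
      || { echo "FAIL: $cert has no subjectAltName entry for $name"; return 1; }
    echo "OK: $cert matches $key and covers $name"
}

# "sh postfix-tls-preflight.sh run [cert] [key] [name]" runs the checks.
case "${1:-}" in
    run) shift; postfix_tls_preflight "$@" ;;
esac
```

Run it after the symlinks from step 2 are in place and before restarting postfix; if the SAN check fails, the name in /etc/mailname needs to be added to the certificate (or as alias domain to the site that obtains it, as described in post 7).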
  10. I started by doing this:
    Code:
    cd /etc/postfix/
    mv smtpd.cert smtpd.cert-$(date +"%y%m%d%H%M%S").bak
    mv smtpd.key smtpd.key-$(date +"%y%m%d%H%M%S").bak
    ln -s /etc/letsencrypt/live/domainONE.tld/fullchain.pem smtpd.cert
    ln -s /etc/letsencrypt/live/domainONE.tld/privkey.pem smtpd.key
    systemctl restart postfix
    systemctl restart dovecot
    This made sure my domain certs AND my mail certs were the same. I also added the hostname (web.domainONE.tld) to alias domains.


    Check. Opening it in firefox displays a valid cert.

    Check.

    Check, had to add a few protocol things (SSLv3, and so on; two entries were missing).

    Check.

    Check.

    Reboot. Check.

    Didn't work yet, had an issue of "Do not use your domains in mydestination and virtual domains!" or something which I fixed by removing the domains in the mydestination line. Can't remember putting them there... Never mind, reboot.

    Didn't work, got a (connect to 127.0.0.1[127.0.0.1]:10026: Connection refused) which led me to this: https://www.howtoforge.com/communit...0-1-127-0-0-1-10026-connection-refused.78850/ for which I required this: https://www.howtoforge.com/communit...-3-2-can-not-receive-mails.85418/#post-410644 and now it seems to work. For both domains. Let's see what my "clients"/friends say. :)

    Thanks for all of your patience and help! <3
     
    ahrasis and Steini86 like this.
  11. Th0m

    Th0m, ISPConfig Developer, Staff Member

    Glad to hear it is resolved for you!

    One thing, I would not enable SSLv3 as this is insecure, and usually not needed.

    By the way, you can always view your mailserver certificate with a service like https://ssl-tools.net/mailservers
     
    ahrasis and niemand-glaumy like this.