[BlueOnyx:26507] Re: SSL error when receiving mail from GMAIL
Michael Stauber
mstauber at blueonyx.it
Sat Sep 23 13:22:45 -05 2023
Hi Arie,
> Addressed this issue some time ago. I tried LetsEncrypt and it works
> flawlessly on port 443, but how do I set it for port 25?
>
> Error log:
>
> Sep 23 18:57:19 www postfix/smtpd[249156]: connect from
> mail-yw1-f175.google.com[209.85.128.175]
>
> Sep 23 18:57:19 www postfix/smtpd[249156]: TLS SNI ceelie.info from
> mail-yw1-f175.google.com[209.85.128.175] not matched, using default chain
The Google mailserver established an SMTP TLS connection to
"ceelie.info". This is not the name of your BlueOnyx itself, so if at
all, Postfix would serve the TLS request using the SNI certificates
that may (or may not) exist for your server.
For starters: Check /etc/postfix/vsite_ssl.map to see if there is a line
starting with "ceelie.info" in it. If not, then you may not have
configured SSL correctly for that Vsite in question.
To troubleshoot this go to the Vsite that "ceelie.info" is part of,
click on "SSL", click on the button "Let's Encrypt" and see if
"ceelie.info" is listed under "SSL domain aliases". It *should* be
listed on the lefthand side of that table, in which case it will be
included in the validity of the requested SSL certificate as a DNS Alias.
In your case "ceelie.info" wasn't a valid SSL SNI host, so no SSL
certificate was served. In fact, it seems that "ceelie.info" uses
a self-signed certificate at this time? If so, then yeah: That won't fly.
> Sep 23 18:57:19 www postfix/smtpd[249156]: SSL_accept error from
> mail-yw1-f175.google.com[209.85.128.175]: -1
>
> Sep 23 18:57:19 www postfix/smtpd[249156]: warning: TLS library problem:
> error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared
> cipher:ssl/statem/statem_srvr.c:2285:
The SSL connection then failed, because of the missing certificate
and/or incompatibility of shared protocols.
> Sep 23 18:57:19 www postfix/smtpd[249156]: lost connection after
> STARTTLS from mail-yw1-f175.google.com[209.85.128.175]
And that's where Google hung up on you, ending the connection after
having found no common ground to establish a TLS connection.
To cover all the bases, do this: In the GUI of that Vsite check that
"ceelie.info" is present as a "Web Server Alias" as well as an "Email
Server Alias". Make sure you have DNS A Records and DNS MX Records for it.
Then as mentioned: Under SSL management of that Vsite under "Let's
Encrypt" include all "SSL domain aliases" you want active in the
Certificate request and request a new SSL certificate.
That will then create a new SSL certificate and it will be integrated
into the SNI configuration of Dovecot and Postfix.
--
With best regards
Michael Stauber
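As an added example (not part of the post above and not BlueOnyx code): a small Python triage script that runs over the smtpd log lines quoted in the thread (re-joined here into single log lines, since the mail wrapped them) and checks whether the name Google asked for has an entry in vsite_ssl.map. The map layout used here (hostname followed by one or more PEM paths, the source form of a Postfix tls_server_sni_maps table), the sample map contents and the wording of the findings are assumptions; nothing here talks to the network.

```python
"""Triage Postfix smtpd STARTTLS/SNI failures from log lines and check the SNI map.

Added example for the BlueOnyx thread; not project code. The sample log lines are
the ones quoted in the post, re-joined one per line; the map contents and its
'hostname pem [pem ...]' layout are assumed.
"""
import re

# Constructed sample: the five smtpd lines from the post, one log line each.
SAMPLE_LOG = [
    "Sep 23 18:57:19 www postfix/smtpd[249156]: connect from mail-yw1-f175.google.com[209.85.128.175]",
    "Sep 23 18:57:19 www postfix/smtpd[249156]: TLS SNI ceelie.info from mail-yw1-f175.google.com[209.85.128.175] not matched, using default chain",
    "Sep 23 18:57:19 www postfix/smtpd[249156]: SSL_accept error from mail-yw1-f175.google.com[209.85.128.175]: -1",
    "Sep 23 18:57:19 www postfix/smtpd[249156]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:2285:",
    "Sep 23 18:57:19 www postfix/smtpd[249156]: lost connection after STARTTLS from mail-yw1-f175.google.com[209.85.128.175]",
]

# Constructed vsite_ssl.map (assumed layout): hostname, then the PEM file(s) for it.
SAMPLE_MAP = """# hostname  PEM files (assumed layout)
www.example.test /etc/ssl/certs/www.example.test.pem
"""

PID_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SNI_RE = re.compile(r"^TLS SNI (?P<sni>\S+) from (?P<peer>\S+) not matched, using default chain")
ACCEPT_RE = re.compile(r"^SSL_accept error from (?P<peer>\S+): (?P<code>-?\d+)")
LIB_RE = re.compile(r"TLS library problem: (?P<detail>.*)$")
LOST_RE = re.compile(r"^lost connection after STARTTLS from (?P<peer>\S+)")


def triage_smtpd_tls(log_lines):
    """Group smtpd lines by process id (one smtpd pid = one client session) and record
    the SNI name the client asked for and how the handshake ended. Returns {pid: dict}."""
    sessions = {}
    for line in log_lines:
        m = PID_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        s = sessions.setdefault(pid, {"sni": None, "peer": None, "sni_matched": True,
                                      "handshake_failed": False, "library_error": None,
                                      "lost_after_starttls": False})
        m2 = SNI_RE.search(msg)
        if m2:
            s["sni"], s["peer"], s["sni_matched"] = m2.group("sni"), m2.group("peer"), False
            continue
        if ACCEPT_RE.search(msg):
            s["handshake_failed"] = True
            continue
        m2 = LIB_RE.search(msg)
        if m2:
            s["library_error"] = m2.group("detail").rstrip(":")
            continue
        if LOST_RE.search(msg):
            s["lost_after_starttls"] = True
    return sessions


def sni_map_covers(map_text, hostname):
    """True if hostname (case-insensitive) has a map line with at least one PEM path."""
    for raw in map_text.splitlines():
        parts = raw.split()
        if parts and not parts[0].startswith("#") and parts[0].lower() == hostname.lower():
            return len(parts) >= 2
    return False


def diagnose(log_lines, map_text):
    """Combine the log triage with the SNI map check; returns one finding per problem."""
    notes = []
    for pid, s in triage_smtpd_tls(log_lines).items():
        if s["sni"] and not s["sni_matched"]:
            if sni_map_covers(map_text, s["sni"]):
                notes.append(f"{pid}: {s['sni']} is in the SNI map but Postfix did not match it; "
                             "check the lookup table Postfix actually reads and reload Postfix")
            else:
                notes.append(f"{pid}: {s['sni']} has no entry in the SNI map; add it as an "
                             "SSL domain alias for its Vsite and request a new certificate")
        if s["library_error"] and "no shared cipher" in s["library_error"]:
            notes.append(f"{pid}: server-side 'no shared cipher': the chain Postfix fell back "
                         "to has no certificate/key usable with what the client offered")
        if s["lost_after_starttls"]:
            notes.append(f"{pid}: client {s['peer']} dropped the session after STARTTLS failed")
    return notes


if __name__ == "__main__":
    for note in diagnose(SAMPLE_LOG, SAMPLE_MAP):
        print(note)
```

Run it as-is and it reports the three problems the post walks through for pid 249156: the requested name is missing from the map, the fallback chain could not complete the handshake, and the client hung up. After the certificate has been reissued, the same SNI request Google made can be repeated by hand with `openssl s_client -connect <server>:25 -starttls smtp -servername ceelie.info`; the certificate it prints should then carry ceelie.info as a subject alternative name.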