[BlueOnyx:26512] Re: [EXTERNAL] Re: SSL error when receiving mail from GMAIL

Ceelie, Arie (VodafoneZiggo) arie.ceelie at vodafoneziggo.com
Sun Sep 24 10:51:05 -05 2023


Hi Michael,

Vsite web- and mailserver aliases are www.ceelie.info, ceelie.info and mail.ceelie.info.
I've selected those three in the LetsEncrypt! module.
As for the hosting DNS, these are the settings.

 #  Subdomain  Type  Prio  TTL   Address
 1  @          NS          3600  ns1.argewebhosting.eu
 2  @          NS          3600  ns2.argewebhosting.com
 3  @          NS          3600  ns3.argewebhosting.nl
 4  mail       MX
 5  @          MX
 6  www        MX
 7  www        A
 8  mail       A
 9  @          A
10  *          A
11  @          TXT

When trying openssl s_client -starttls smtp -connect <servername>:<port>, all three servernames/domains fail for port 25 and 587. Port 443 gives a CONNECTED(00000003). Nothing more.

________________________________
From: Blueonyx <blueonyx-bounces at mail.blueonyx.it> on behalf of Michael Stauber via Blueonyx <blueonyx at mail.blueonyx.it>
Sent: Saturday, 23 September 2023 20:22
To: blueonyx at mail.blueonyx.it <blueonyx at mail.blueonyx.it>
Subject: [EXTERNAL] [BlueOnyx:26507] Re: SSL error when receiving mail from GMAIL

Hi Arie,

> Addressed this issue some time ago. I tried LetsEncrypt and it works
> flawlessly on port 443, but how do I set it for port 25?
>
> Error log:
>
> Sep 23 18:57:19 www postfix/smtpd[249156]: connect from
> mail-yw1-f175.google.com[209.85.128.175]
>
> Sep 23 18:57:19 www postfix/smtpd[249156]: TLS SNI ceelie.info from
> mail-yw1-f175.google.com[209.85.128.175] not matched, using default chain

The Google mailserver established an SMTP TLS connection to
"ceelie.info". This is not the name of your BlueOnyx itself, so, if at
all, Postfix would serve the TLS request using the SNI certificates
that may (or may not) exist for your server.

For starters: Check /etc/postfix/vsite_ssl.map to see if there is a line
starting with "ceelie.info" in it. If not, then you may not have
configured SSL correctly for that Vsite in question.

To troubleshoot this go to the Vsite that "ceelie.info" is part of,
click on "SSL", click on the button "Let's Encrypt" and see if
"ceelie.info" is listed under "SSL domain aliases". It *should* be
listed on the lefthand side of that table, in which case it will be
included in the validity of the requested SSL certificate as a DNS Alias.

In your case "ceelie.info" wasn't a valid SSL SNI host, so no SSL
certificate was served. In fact, it seems that "ceelie.info" uses
a self-signed certificate at this time? If so, then yeah: That won't fly.

> Sep 23 18:57:19 www postfix/smtpd[249156]: SSL_accept error from
> mail-yw1-f175.google.com[209.85.128.175]: -1
>
> Sep 23 18:57:19 www postfix/smtpd[249156]: warning: TLS library problem:
> error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared
> cipher:ssl/statem/statem_srvr.c:2285:

The SSL connection then failed, because of the missing certificate
and/or incompatibility of shared protocols.

> Sep 23 18:57:19 www postfix/smtpd[249156]: lost connection after
> STARTTLS from mail-yw1-f175.google.com[209.85.128.175]

And that's where Google hung up on you, ending the connection after
having found no common grounds to establish a TLS connection.

To cover all the bases, do this: In the GUI of that Vsite check that
"ceelie.info" is present as a "Web Server Alias" as well as an "Email
Server Alias". Make sure you have DNS A Records and DNS MX Records for it.

Then as mentioned: Under SSL management of that Vsite under "Let's
Encrypt" include all "SSL domain aliases" you want active in the
Certificate request and request a new SSL certificate.

That will then create a new SSL certificate and it will be integrated
into the SNI configuration of Dovecot and Postfix.

--
With best regards

Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
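The triage Michael describes above (find the SNI name Google asked for in the smtpd log, then check whether /etc/postfix/vsite_ssl.map has a line for it) can be scripted. The following is an added example, not BlueOnyx or Postfix code. It assumes the standard Postfix smtpd syslog line format and that vsite_ssl.map is a plain "hostname path-to-PEM" table as Postfix's tls_server_sni_maps expects; the sample log embeds the lines quoted in this thread plus a constructed second session, and the sample map is constructed too. Like Michael's grep, it checks only the exact SNI name, not parent-domain matches.

```python
"""Group Postfix smtpd TLS log lines into sessions and check each unmatched
SNI name against a tls_server_sni_maps source (added example, not BlueOnyx code)."""
import re

# Constructed sample: session 249156 is the one quoted in the thread; session
# 249201 is made up to show an unmatched SNI where the handshake still succeeds.
SAMPLE_LOG = """\
Sep 23 18:57:19 www postfix/smtpd[249156]: connect from mail-yw1-f175.google.com[209.85.128.175]
Sep 23 18:57:19 www postfix/smtpd[249156]: TLS SNI ceelie.info from mail-yw1-f175.google.com[209.85.128.175] not matched, using default chain
Sep 23 18:57:19 www postfix/smtpd[249156]: SSL_accept error from mail-yw1-f175.google.com[209.85.128.175]: -1
Sep 23 18:57:19 www postfix/smtpd[249156]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:2285:
Sep 23 18:57:19 www postfix/smtpd[249156]: lost connection after STARTTLS from mail-yw1-f175.google.com[209.85.128.175]
Sep 23 19:02:41 www postfix/smtpd[249201]: connect from mail-ej1-f42.google.com[209.85.218.42]
Sep 23 19:02:41 www postfix/smtpd[249201]: TLS SNI mail.example.net from mail-ej1-f42.google.com[209.85.218.42] not matched, using default chain
Sep 23 19:02:42 www postfix/smtpd[249201]: Anonymous TLS connection established from mail-ej1-f42.google.com[209.85.218.42]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
"""

# Constructed map in tls_server_sni_maps layout; paths are hypothetical.
# ceelie.info is deliberately absent, mail.example.net is present.
VSITE_SSL_MAP = """\
# hostname            PEM with key + chain
www.ceelie.info       /etc/ssl/certs/vsite1-chain.pem
mail.ceelie.info      /etc/ssl/certs/vsite1-chain.pem
mail.example.net      /etc/ssl/certs/vsite2-chain.pem
"""

LINE_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from (?P<client>\S+)$")
SNI_RE = re.compile(r"^TLS SNI (?P<sni>\S+) from \S+ not matched")
LIBERR_RE = re.compile(r"^warning: TLS library problem: (?P<err>.*)$")
LOST_RE = re.compile(r"^lost connection after STARTTLS from \S+$")
ESTAB_RE = re.compile(r"^(?:Anonymous|Untrusted|Trusted|Verified) TLS connection established from ")


def parse_smtpd_sessions(log_text):
    """One session per 'connect from' line, keyed while open by smtpd PID."""
    sessions, open_by_pid = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        c = CONNECT_RE.match(msg)
        if c:
            s = {"pid": pid, "client": c.group("client"), "sni": None,
                 "lib_errors": [], "lost_after_starttls": False, "tls_established": False}
            sessions.append(s)
            open_by_pid[pid] = s
            continue
        s = open_by_pid.get(pid)
        if s is None:
            continue  # line belongs to a session whose connect we never saw
        sn = SNI_RE.match(msg)
        le = LIBERR_RE.match(msg)
        if sn:
            s["sni"] = sn.group("sni")
        elif le:
            s["lib_errors"].append(le.group("err"))
        elif LOST_RE.match(msg):
            s["lost_after_starttls"] = True
        elif ESTAB_RE.match(msg):
            s["tls_established"] = True
    return sessions


def load_sni_map(map_text):
    """Parse 'hostname path' lines; '#' starts a comment. Keys are lowercased."""
    entries = {}
    for raw in map_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, _, path = line.partition(" ")
            entries[name.lower()] = path.strip()
    return entries


def diagnose(sessions, sni_map):
    """For each session whose SNI was 'not matched', report
    (pid, sni, name_present_in_map, handshake_failed)."""
    findings = []
    for s in sessions:
        if s["sni"] is None:
            continue
        in_map = s["sni"].lower() in sni_map          # exact-name check, like the grep
        failed = bool(s["lib_errors"]) and s["lost_after_starttls"] and not s["tls_established"]
        findings.append((s["pid"], s["sni"], in_map, failed))
    return findings


if __name__ == "__main__":
    for pid, sni, in_map, failed in diagnose(parse_smtpd_sessions(SAMPLE_LOG), load_sni_map(VSITE_SSL_MAP)):
        what = "present in map but unmatched (rebuild map, reload Postfix)" if in_map \
            else "missing from map (add as SSL domain alias, reissue certificate)"
        print(f"smtpd[{pid}] SNI {sni}: {what}; handshake failed: {failed}")
```

A name that is absent from the map is the case in this thread: the Vsite's certificate request did not cover it, so the fix is in the Let's Encrypt alias list. A name present in the map that Postfix still reports as "not matched" points instead at a stale compiled map or an unreloaded Postfix.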