[BlueOnyx:26514] Re: [EXTERNAL] Re: SSL error when receiving mail from GMAIL

Michael Stauber mstauber at blueonyx.it
Sun Sep 24 11:33:45 -05 2023


Hi Arie,

> Vsite web- and mailserver aliases are www.ceelie.info 
> <http://www.ceelie.info>, ceelie.info and mail.ceelie.info.
> I've selected those three in the LetsEncrypt! module.

Very well. But why does ...

https://www.ceelie.info/
https://mail.ceelie.info/
https://ceelie.info/

... bring up a webpage(s) with a self-signed certificate?

See: 
https://www.ssllabs.com/ssltest/analyze.html?d=ceelie.info&hideResults=on&ignoreMismatch=on&latest

> As for the hosting DNS, these are the settings.

Take a look at this: https://www.blueonyx.it/dns-for-email

The right-hand side of the DNS MX records (where it points to) must be 
the FQDN of the Vsite as shown in the Vsite List.

So in your case that should be "www.ceelie.info" and not just 
"ceelie.info". The reason for this is how Sendmail/Postfix match the 
email aliases to local user accounts.

Here is a third party site for checking TLS:

https://www.checktls.com/

When I try it against a correctly configured 5210R or 5211R it checks 
out just fine.

When I test it against admin at ceelie.info it errors out because you have 
a self-signed SSL certificate in your certificate chain:

--------------------------------------------------------------
-----END CERTIFICATE-----
subject=C = NL, L = Leiden, O = Ceelie, CN = mail.ceelie.info, 
emailAddress = elpadre at ceelie.info
issuer=C = NL, L = Leiden, O = Ceelie, CN = mail.ceelie.info, 
emailAddress = elpadre at ceelie.info
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2438 bytes and written 426 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate) <--- !!!!!
--------------------------------------------------------------

Make sure the GUI of the BlueOnyx has a valid SSL certificate (Let's 
Encrypt or other), too. Because in an SNI environment the GUI cert is 
the first certificate in the SNI certificate chain.

So I see three issues:

- DNS best practices for BlueOnyx not followed
- BlueOnyx GUI has no valid SSL certificate
- Vsite itself seems to have a self-signed certificate

> When trying ...
>
> openssl s_client -starttls smtp -connect <servername>:<port>
>
> ... all three servernames/domains fail for port 25 and 587.
> Port 443 gives a CONNECTED(00000003). Nothing more.

Yes, because that OpenSSL client command has the option "-starttls smtp" 
for checking SMTP specifically.

Use this to check the web based TLS:

openssl s_client -connect <URL-or-IP>:443

Or this to check the GUI HTTPS:

openssl s_client -connect <URL-or-IP>:81

I'm not sure what you're doing there, but either you're not supplying 
the correct information and the Vsite name is different than 
"www.ceelie.info" and/or you're not following the instructions and best 
practices for BlueOnyx.

If you want, contact me offlist and/or supply a "Support Request" via 
the GUI with "Allow access" ticked and I'll take a look directly at the 
server.

-- 
With best regards

Michael Stauber
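
The checks discussed in this reply (STARTTLS on 25/587, HTTPS on 443, the GUI on 81, the "Verify return code: 18" self-signed chain, and the MX target versus the Vsite FQDN), as an added shell example that is not part of the original post or of BlueOnyx. It assumes OpenSSL and dig are installed, takes the host name from the command line, and parses s_client output; the embedded sample output is constructed, modelled on the checktls.com excerpt above.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: probe the certificate a
# BlueOnyx host presents on SMTP (STARTTLS), HTTPS (443) and the GUI (81),
# and flag self-signed chains the way the checktls.com excerpt did.
# Host name, ports and sample output are assumptions for illustration.

# Extract the numeric OpenSSL verify return code from s_client output on
# stdin. 0 = chain verified, 18 = self-signed leaf, 19 = self-signed root.
parse_verify_code() {
    sed -n 's/^Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# Print "yes" when the leaf certificate's subject equals its issuer (the
# textbook self-signed case shown in the post), otherwise "no".
is_self_signed() {
    out=$(cat)
    subj=$(printf '%s\n' "$out" | sed -n 's/^subject=//p' | head -n 1)
    iss=$(printf '%s\n' "$out" | sed -n 's/^issuer=//p' | head -n 1)
    if [ -n "$subj" ] && [ "$subj" = "$iss" ]; then echo yes; else echo no; fi
}

# Summarise one probe's output (stdin) as "verify=<code> self_signed=<yes|no>".
summarise() {
    out=$(cat)
    code=$(printf '%s\n' "$out" | parse_verify_code)
    ss=$(printf '%s\n' "$out" | is_self_signed)
    printf 'verify=%s self_signed=%s\n' "${code:-none}" "$ss"
}

# Run one probe. $1 = host (also sent as the SNI name, which matters on a
# BlueOnyx box where several Vsites share one IP and the GUI cert is the
# first in the SNI chain), $2 = port, $3 = STARTTLS protocol or empty.
probe() {
    host=$1; port=$2; proto=$3
    if [ -n "$proto" ]; then
        openssl s_client -starttls "$proto" -servername "$host" \
            -connect "$host:$port" </dev/null 2>/dev/null
    else
        openssl s_client -servername "$host" \
            -connect "$host:$port" </dev/null 2>/dev/null
    fi
}

# Check MX targets against the Vsite FQDN the post calls for (for example
# "www.ceelie.info", not the bare "ceelie.info"). Reads `dig +short MX`
# style lines ("10 www.ceelie.info.") on stdin; prints any other targets.
mx_mismatches() {
    awk -v want="$1." '{ if ($2 != want) print $2 }'
}

# Constructed sample, modelled on the checktls.com excerpt in the post.
SAMPLE='subject=C = NL, L = Leiden, O = Ceelie, CN = mail.ceelie.info
issuer=C = NL, L = Leiden, O = Ceelie, CN = mail.ceelie.info
---
SSL handshake has read 2438 bytes and written 426 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 18 (self-signed certificate)'

# Probe all four ports of the host given on the command line, then
# compare its MX targets with the Vsite FQDN given as second argument.
main() {
    host=${1:?usage: $0 <host> <vsite-fqdn>}
    vsite=${2:?usage: $0 <host> <vsite-fqdn>}
    for spec in 25:smtp 587:smtp 443: 81:; do
        port=${spec%%:*}; proto=${spec#*:}
        printf '%s:%s ' "$host" "$port"
        probe "$host" "$port" "$proto" | summarise
    done
    bad=$(dig +short MX "${host#*.}" | mx_mismatches "$vsite")
    [ -z "$bad" ] && echo "MX ok" || echo "MX not pointing at $vsite: $bad"
}

# Only run the probes when arguments are supplied (not when sourced).
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as `sh check.sh mail.example.com www.example.com`; a verify code of 18 together with subject equal to issuer on any port means the host is still serving its own self-signed certificate rather than the Let's Encrypt one, and `-servername` is what makes the probe see the certificate a real SNI-aware client (or Gmail's MTA) will be offered.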
