
postfix tls error on port 587


David Mehler

Oct 31, 2015, 12:05:46 PM
Hello,

I'm running a FreeBSD 10.2 system, postfix 2.11.6, OpenSSL 1.0.1p. I'm
working on setting up a webmail client to my existing
Postfix/Dovecot/Mysql setup. I've tried two webmail clients; both are
giving me the errors below when the webmail client (postfix, dovecot,
mysql and the web server are all running on the same machine) attempts to
send mail through port 587. I am using port 587 because I've got
postscreen running on port 25.

I am using self-signed certificates via my own CA if that matters.
Here's the error:

Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: connect from localhost[::1]
Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: SSL_accept error from localhost[::1]: 0
Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: warning: TLS library problem: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:1300:SSL alert number 48:
Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: lost connection after STARTTLS from localhost[::1]
Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: disconnect from localhost[::1]


I'm not sure which CA it's referring to. I do have my CA's public
certificate defined in smtpd_tls_CAfile and have the smtp client
defining smtp_tls_CAfile as the same file as the smtpd server.

Again, not sure if this matters: I'm running Apache 2.4 and PHP 5.6.


I'd appreciate any suggestions.

Thanks.
Dave.

Viktor Dukhovni

Oct 31, 2015, 1:09:45 PM
On Sat, Oct 31, 2015 at 12:05:29PM -0400, David Mehler wrote:

> I am using self-signed certificates via my own CA if that matters.

A certificate is either self-signed, or issued by a CA. Which is it?

> Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: SSL_accept error from localhost[::1]: 0
> Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: warning: TLS library problem: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:1300:SSL alert number 48:

TLS "alerts" are messages from the remote TLS stack to the local
TLS stack. It is the client that does not trust the server certificate
and hangs up. The server just logs the client's reason for aborting
the connection.

> I'm not sure the CA it's refering to.

The issuer of the server certificate.

> I do have my CA's public
> certificate defined in smtpd_tls_CAfile and have the smtp client
> defining smtp_tls_CAfile as the same file as the smtpd server.

The client does not trust the server certificate.

--
Viktor.
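As an added illustration of the point Viktor makes above (example code, not from the thread and not part of Postfix): a small Python parser that reads Postfix TLS warnings, maps the "SSL alert number" to its RFC 5246 name, and states which side sent the alert. In an smtpd log the alert was received from the connecting client; in an smtp (client) log it came from the remote server. The sample log reuses the two smtpd lines from this thread, joined back onto single lines, plus a constructed smtp-side pair; the names TLS_ALERTS, explain, hint_for and SAMPLE_LOG are mine.

```python
"""Explain Postfix "SSL alert number N" log lines (added example)."""
import re

# Alert descriptions from RFC 5246 section 7.2.2 (112 is from RFC 6066).
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 112: "unrecognized_name",
}

# "SSL_accept error from PEER: N" (smtpd) / "SSL_connect error to PEER: N" (smtp)
PEER_RE = re.compile(
    r"postfix(?:/[\w-]+)?/(?P<daemon>smtpd|smtp)\[(?P<pid>\d+)\]: "
    r"SSL_(?:accept|connect) error (?:from|to) (?P<peer>\S+): -?\d+")

# OpenSSL appends "SSL alert number N" only to alerts it *received*,
# so the peer of the logging process is the side that sent it.
WARN_RE = re.compile(
    r"postfix(?:/[\w-]+)?/(?P<daemon>smtpd|smtp)\[(?P<pid>\d+)\]: "
    r"warning: TLS library problem: error:(?P<code>[0-9A-Fa-f]{8}):"
    r".*SSL alert number (?P<alert>\d+)")

# Sample log: two lines from the thread above plus a constructed smtp
# (client-side) pair showing the same parser on the other direction.
SAMPLE_LOG = [
    "Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: SSL_accept error from localhost[::1]: 0",
    "Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: warning: TLS library problem: "
    "error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:"
    "/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:1300:SSL alert number 48:",
    "Nov  1 10:00:00 ohio postfix/smtp[5120]: SSL_connect error to mx.example.invalid[192.0.2.10]:25: -1",
    "Nov  1 10:00:00 ohio postfix/smtp[5120]: warning: TLS library problem: "
    "error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:"
    "s3_pkt.c:1300:SSL alert number 40:",
]


def hint_for(alert, daemon):
    """Troubleshooting hint for an alert received by smtpd (server) or smtp (client)."""
    peer = "the connecting client" if daemon == "smtpd" else "the remote server"
    if alert == 48:
        return (peer + " does not trust the issuer of the certificate we presented; "
                "check the peer's CA bundle and that our cert file includes any "
                "intermediate certificates")
    if alert in (42, 43, 44, 45, 46):
        return peer + " rejected the certificate we presented"
    if alert in (40, 70, 71):
        return ("no protocol/cipher agreement with " + peer +
                "; compare *_tls_protocols and *_tls_ciphers on both sides")
    return "see RFC 5246 section 7.2 for alert " + str(alert)


def explain(log_lines):
    """Return one dict per received TLS alert found in the log lines."""
    peers = {}      # (daemon, pid) -> peer named in the SSL_accept/SSL_connect line
    results = []
    for line in log_lines:
        m = PEER_RE.search(line)
        if m:
            peers[(m["daemon"], m["pid"])] = m["peer"]
            continue
        m = WARN_RE.search(line)
        if not m:
            continue
        daemon, pid, alert = m["daemon"], m["pid"], int(m["alert"])
        results.append({
            "pid": pid,
            "daemon": daemon,
            "peer": peers.get((daemon, pid)),
            "alert": alert,
            "name": TLS_ALERTS.get(alert, "unassigned"),
            # smtpd is the server, so its peer is the client, and vice versa
            "sent_by": "client" if daemon == "smtpd" else "server",
            "hint": hint_for(alert, daemon),
        })
    return results


if __name__ == "__main__":
    for r in explain(SAMPLE_LOG):
        print("%s[%s] peer=%s alert %d (%s) sent by %s: %s" % (
            r["daemon"], r["pid"], r["peer"], r["alert"], r["name"], r["sent_by"], r["hint"]))
```

Pipe a real maillog through explain() (one line per entry, so re-join any lines your mail client has wrapped) and the output tells you which log to read next: for alert 48 in an smtpd log that is the client's log, exactly as Viktor says.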

David Mehler

Oct 31, 2015, 3:35:42 PM
Hello,

Thank you. I apologize, let me clarify my statement. I have created my
own CA on an offline machine which I use to sign all of my
certificates.

When you say the client doesn't trust the server certificate, that's
not the webmail, that's the submission service not trusting the
postfix ServerCertificate, ServerKey, and ServerCAfile options?

Thanks.
Dave.

Viktor Dukhovni

Oct 31, 2015, 4:11:07 PM
On Sat, Oct 31, 2015 at 03:35:14PM -0400, David Mehler wrote:

> Thank you. I apologize, let me clarify my statement. I have created my
> own CA on an offline machine which I use to sign all of my
> certificates.

Good, that removes ambiguity.

> When you say the client doesn't trust the server certificate, that's
> not the webmail, that's the submission service not trusting the
> postfix ServerCertificate, ServerKey, and ServerCAfile options?

Whatever connects to your port 587 submission service is what's
not trusting the certificate, and sending an alert to that effect,
which the server logs.

> >> Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: SSL_accept error from
> >> localhost[::1]: 0
> >> Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: warning: TLS library
> >> problem: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
> >> ca:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:1300:SSL
> >> alert number 48:

In this case the client is "[::1]".

More light on this problem is shed in the client logs, rather than
the server logs.

--
Viktor.

David Mehler

Nov 1, 2015, 2:49:49 PM
Hello,

Still stuck. I've got the below, not sure if it helps; it does show
that on 143 and 587, client-wise, no peer is being sent or verified.

openssl s_client -starttls smtp -connect localhost:587
CONNECTED(00000003)
34379270664:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:782:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 220 bytes and written 332 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

openssl s_client -starttls smtp -connect localhost:143
CONNECTED(00000003)
didn't found starttls in server response, try anyway...
34379270664:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:782:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 238 bytes and written 332 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Here's my postfix tls and sasl configuration:

main.cf:
# Dovecot sasl authentication
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
#smtpd_sasl_authenticated_header = yes

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_sender_access hash:/usr/local/etc/postfix/safe_addresses
    check_sender_access hash:/usr/local/etc/postfix/auto-whtlst
    check_client_access cidr:/usr/local/etc/postfix/spamfarms
    check_client_access cidr:/usr/local/etc/postfix/sinokorea.cidr
    permit_dnswl_client list.dnswl.org=127.0.[2..14].[1..3]
    check_reverse_client_hostname_access pcre:/usr/local/etc/postfix/fqrdns.pcre
    reject_unknown_reverse_client_hostname
    reject_non_fqdn_sender
    reject_non_fqdn_helo_hostname
    reject_invalid_helo_hostname
    reject_unknown_helo_hostname
    reject_unlisted_recipient
    reject_rbl_client b.barracudacentral.org
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client psbl.surriel.com
    reject_rbl_client bl.spamcop.net
    reject_rbl_client cbl.abuseat.org
    reject_rhsbl_client dbl.spamhaus.org
    reject_rhsbl_sender dbl.spamhaus.org
    reject_rhsbl_helo dbl.spamhaus.org
    check_policy_service unix:private/spf-policy
# Postfix Quota status service
    check_policy_service inet:127.0.0.1:12345

smtpd_data_restrictions = reject_unauth_pipelining

# TLS parameters
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4,
    MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5,
    CBC3-SHA
smtpd_tls_eecdh_grade = strong
# Offer opportunistic TLS (STARTTLS) to connections to this mail server.
#smtpd_tls_security_level = may
smtpd_tls_security_level = encrypt
smtpd_tls_cert_file = /etc/ssl/certs/server.crt
smtpd_tls_key_file = /etc/ssl/private/server.key
smtpd_tls_CAfile = /etc/ssl/certs/cacert.crt
# for smtpd pfs
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
smtpd_tls_dh512_param_file = ${config_directory}/dh512.pem
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_received_header = yes
# Use opportunistic TLS (STARTTLS) for outgoing mail if the remote server supports it.
#smtp_tls_security_level = may
smtp_tls_security_level = encrypt
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4,
    MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5,
    CBC3-SHA
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_CAfile = /etc/ssl/certs/cacert.crt

Any help appreciated.

Thanks.
Dave.


On 10/31/15, Viktor Dukhovni <postfi...@dukhovni.org> wrote:

Viktor Dukhovni

Nov 1, 2015, 6:07:13 PM
On Sun, Nov 01, 2015 at 02:49:20PM -0500, David Mehler wrote:

> Still stuck. I've got the below not sure if it helps, it does show
> that on 143 and 587 client wise no peer is being sent or verified.
>
> openssl s_client -starttls smtp -connect localhost:587
> CONNECTED(00000003)
> 34379270664:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:782:

The thing on port 587 is not speaking any recognizable form of TLS.
Logs from the peer would be quite useful in this context.

> openssl s_client -starttls smtp -connect localhost:143
> CONNECTED(00000003)

Well, port 143 speaks IMAP, not SMTP, so "starttls smtp" is not
likely to get far for that port.

> # TLS parameters
> smtpd_tls_auth_only = yes
> smtpd_tls_mandatory_ciphers = high
> smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4,
> MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5,
> CBC3-SHA

That looks rather like a random hodge-podge. Try:

smtpd_tls_ciphers = medium

instead.

> smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4,
> MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5,
> CBC3-SHA

Ditto.

> Any help appreciated.

Logs.

--
Viktor.
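The two diagnoses above (something on 587 that does not answer STARTTLS with TLS, and an IMAP port probed with "-starttls smtp") are easier to tell apart when the probe stops at each step of the SMTP dialogue and reports what the server actually sent. Below is an added Python example, not from the thread and not an OpenSSL or Postfix tool: probe_starttls() does what openssl s_client -starttls smtp does, but returns the greeting, whether EHLO advertised STARTTLS, the STARTTLS reply, and a stage telling where things stopped (not-smtp, no-starttls, starttls-refused, not-tls, cert-rejected, tls-ok). fake_peer() is a constructed misbehaving listener used only to exercise the probe offline; all names and the cafile parameter are mine.

```python
"""STARTTLS probe that reports where the exchange stops (added example)."""
import socket
import ssl
import threading


def recv_line(sock):
    """Read one CRLF line byte by byte, so a read-ahead buffer can never
    swallow the first TLS record that follows the '220' STARTTLS reply."""
    buf = bytearray()
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:                      # peer closed the connection
            break
        buf += chunk
    return bytes(buf).decode("ascii", errors="replace").rstrip("\r\n")


def probe_starttls(host, port, cafile=None, timeout=5.0):
    """Walk greeting -> EHLO -> STARTTLS -> TLS handshake, stopping at the
    first step that fails. cafile (assumed parameter) is the CA bundle the
    client trusts, the analogue of smtp_tls_CAfile."""
    result = {"greeting": None, "offers_starttls": False,
              "starttls_reply": None, "stage": None, "error": None}
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        result["greeting"] = recv_line(sock)
        if not result["greeting"].startswith("220"):
            result["stage"] = "not-smtp"   # e.g. an IMAP "* OK" banner on 143
            return result
        sock.sendall(b"EHLO probe.invalid\r\n")
        caps = []
        while True:
            line = recv_line(sock)
            caps.append(line)
            if len(line) < 4 or line[3] != "-":   # "250 " ends the reply
                break
        result["offers_starttls"] = any(c[4:].upper().startswith("STARTTLS") for c in caps)
        if not result["offers_starttls"]:
            result["stage"] = "no-starttls"
            return result
        sock.sendall(b"STARTTLS\r\n")
        result["starttls_reply"] = recv_line(sock)
        if not result["starttls_reply"].startswith("220"):
            result["stage"] = "starttls-refused"
            return result
        ctx = ssl.create_default_context(cafile=cafile)
        try:
            tls = ctx.wrap_socket(sock, server_hostname=host)
            result["stage"] = "tls-ok"
            result["cipher"] = tls.cipher()[0]
            tls.close()
        except ssl.SSLCertVerificationError as exc:
            # This is the case where a real client sends alert 48 (unknown_ca)
            # or a sibling certificate alert to the server.
            result["stage"] = "cert-rejected"
            result["error"] = exc.verify_message
        except (ssl.SSLError, OSError) as exc:
            # Bytes after "220" were not a TLS ServerHello: s_client's
            # "SSL23_GET_SERVER_HELLO:unknown protocol".
            result["stage"] = "not-tls"
            result["error"] = str(exc)
        return result
    finally:
        sock.close()


def fake_peer(mode):
    """Constructed test listener on 127.0.0.1 (not a real MTA). mode is
    'imap' (IMAP banner), 'nostarttls' (EHLO without STARTTLS) or
    'plaintext' (accepts STARTTLS, then answers the ClientHello with text).
    Returns the port number; serves exactly one connection."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            if mode == "imap":
                conn.sendall(b"* OK IMAP4rev1 constructed test peer ready\r\n")
                return
            conn.sendall(b"220 fake.invalid ESMTP constructed test peer\r\n")
            recv_line(conn)                                   # EHLO
            if mode == "nostarttls":
                conn.sendall(b"250 fake.invalid\r\n")
                return
            conn.sendall(b"250-fake.invalid\r\n250-STARTTLS\r\n250 8BITMIME\r\n")
            recv_line(conn)                                   # STARTTLS
            conn.sendall(b"220 2.0.0 Ready to start TLS\r\n")
            conn.recv(65536)                                  # the ClientHello
            conn.sendall(b"554 not a TLS record\r\n")         # plaintext, not a ServerHello

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    import sys
    print(probe_starttls(sys.argv[1], int(sys.argv[2]), cafile=sys.argv[3] if len(sys.argv) > 3 else None))
```

Run it as probe.py localhost 587 /etc/ssl/certs/cacert.crt against the real service. A "not-tls" result with a textual error means the bytes after the 220 reply are not TLS and the server-side (or proxy) log for that connection is where to look next; "cert-rejected" is the client-side view of the alert 48 case from the start of this thread.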

David Mehler

Nov 1, 2015, 7:07:06 PM
Hi,

Thanks. The only thing I have in the maillog is a connection made, tls
established, then the connection is dropped.

Thanks.
Dave.

Viktor Dukhovni

Nov 1, 2015, 7:16:56 PM
On Sun, Nov 01, 2015 at 07:06:42PM -0500, David Mehler wrote:

> Thanks. The only thing I have in the maillog is a connection made, tls
> established, then the connection is dropped.

Not possible. Those logs don't match the report of a failed SSL
connection on the client side.

--
Viktor.

David Mehler

Nov 1, 2015, 8:09:08 PM
Hello,

Thanks. Don't ask me how, but flipping the tls protocols from the list
I had to high and now the 587 works. Imap on 143 still won't, but
that's not for this list. The point is for the moment it is working.

Thanks for all your help.

Thanks.
Dave.

On 11/1/15, Viktor Dukhovni <postfi...@dukhovni.org> wrote:

Viktor Dukhovni

Nov 2, 2015, 9:54:09 AM
On Sun, Nov 01, 2015 at 08:08:46PM -0500, David Mehler wrote:

> Thanks. Don't ask me how, but flipping the tls protocols from the list
> I had to high and now the 587 works.

No idea what that means, but so long as you're satisfied...

--
Viktor.
