
I've been having issues sending mail to my server, and there are indications of TLS errors (mostly from the maillog). What I've tried:

  • Ensuring that postfix / dovecot can read the certificates (made new group "certs") and tested (see below for postfix tests)
  • Ensured that there were no selinux alerts
  • openssl s_client -connect ${IP}:465 fails but port 443 works
  • nmap ${URL} shows ports 25,53,80,110,139,143,443,445,993,995 are all open
  • nmap ${LOCALIP} shows ports 22,25,80,110,143,443,993,995 as open with 465,587 closed.
  • telnet ${IP} 25 and running starttls (fails with 454 4.7.0 TLS not available due to local problem)
  • letsencrypt certificates are copied from a working haproxy server (all of /etc/letsencrypt is copied)
  • Resetting /etc/postfix/*.cf by moving them to *.cf.bak and reinstalling postfix

Additional notes:

  • I've been running ansible-hardening from https://github.com/openstack/ansible-hardening on the server.
  • The certificates are valid for https usage (verified with Firefox)
  • Tried sending email to server with gmail and sharklasers

Logs:

# cat /var/log/maillog
postfix/postfix-script: starting the Postfix mail system
postfix/master: daemon started -- version 2.10.1, configuration /etc/postfix
postfix/smtpd: warning: No server certs available. TLS won't be enabled
postfix/smtpd: connect from unknown[${IP}]

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = example.com
myhostname = webserver1.example.com
mynetworks = 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_cert_file = /etc/letsencrypt/live/example.com/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/example.com/privkey.pem
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtpd_client_restrictions = permit_mynetworks, reject
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550

# doveconf -n
# 2.2.10: /etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-693.21.1.el7.x86_64 x86_64 CentOS Linux release 7.4.1708 (Core)  xfs
auth_mechanisms = plain login
first_valid_uid = 1000
mail_location = maildir:/var/spool/mail/%u
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
}
passdb {
  driver = pam
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
}
ssl = required
ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/example.com/privkey.pem
userdb {
  driver = passwd
}

# # Could replace cat/etc/postfix/main.cf with postconf -n
# sudo -u postfix cat $(cat /etc/postfix/main.cf | grep -i smtp_tls_cert_file | cut --delimiter="=" --fields=2)
-----BEGIN CERTIFICATE-----
...key text...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...key text...
-----END CERTIFICATE-----

# sudo -u postfix cat $(cat /etc/postfix/main.cf | grep -i smtp_tls_key_file | cut --delimiter="=" --fields=2)
-----BEGIN PRIVATE KEY-----
...private key text...
-----END PRIVATE KEY-----

# sealert -a /var/log/audit/audit.log
100% done
found 0 alerts in /var/log/audit/audit.log

Both openssl commands give effectively equivalent responses (port 443 has a different response, and works).

$ openssl s_client -starttls smtp -connect ${IP}:587
$ openssl s_client -starttls smtp -connect ${IP/URL}:465
CONNECTED(00000003)
140495880024000:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:252:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1520878163
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

$ telnet ${IP} 25
Trying ${IP}...
Connected to ${IP}.
Escape character is '^]'.
220 webserver1.example.com ESMTP Postfix
ehlo localhost
250-webserver1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
starttls
454 4.7.0 TLS not available due to local problem
  • Your `postconf -n` and `doveconf -n` match my working setup (Debian 9) at least as far as references to the letsencrypt cert go. Stupid question - you did replace your domain name with example.com? Only asking due to domain name in path to ssl certs, etc. – ivanivan Mar 12 '18 at 19:07
  • Yes. I replaced my actual domain name with example.com for this question to make it slightly more general. The actual files use the real domain name. –  Mar 12 '18 at 20:06

1 Answer

Try changing the configuration of the smtp_tls_cert and smtp_tls_key to the following instead:

smtpd_tls_cert_file = /etc/letsencrypt/live/example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/example.com/privkey.pem

Notice the `d` in `smtpd`.

http://www.postfix.org/TLS_README.html#server_cert_key

Andrew
  • Just tried the /tmp suggestion. It didn't work. –  Mar 12 '18 at 20:22
  • if there are errors with loading the cert files, it should be in one of the various mail logs. What do they show when loading postfix? – Andrew Mar 12 '18 at 20:23
  • The only maillog I'm aware of is `/var/log/maillog`, and the information from that is in the maillog in the question. Is there another one I should be looking at? –  Mar 12 '18 at 20:25
  • After looking at the log line again, I checked on your key/values, I've updated the answer to check this. – Andrew Mar 12 '18 at 20:35
  • It was the missing d -- I looked at the documentation, and the smtp`d`_... refers to the smtp daemon (server) and smtp_... refers to the client. Thanks. –  Mar 12 '18 at 20:37
  • For those reading this in the future, *add* the smtpd_tls_* lines, don't change smtp_tls->smtpd_tls (they are used to authenticate against servers like gmail). –  Mar 13 '18 at 20:11
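A defender-side check for the mix-up the answer and the last comment describe, written as an added example (not code from the question or the answer): it parses `postconf -n` output, flags a server that offers STARTTLS via `smtpd_tls_security_level` without a server certificate, and proposes the `smtpd_tls_*` lines to add alongside the existing client-side `smtp_tls_*` ones. The sample configuration is a constructed excerpt modelled on the question's `postconf -n`.

```python
import re

# Constructed excerpt modelled on the question's `postconf -n`: only the
# client-side smtp_tls_* cert/key are set, yet smtpd_tls_security_level asks
# the server to offer STARTTLS, so smtpd logs "No server certs available".
SAMPLE_POSTCONF = """\
smtp_tls_cert_file = /etc/letsencrypt/live/example.com/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/example.com/privkey.pem
smtp_tls_security_level = may
smtpd_tls_loglevel = 2
smtpd_tls_security_level = may
"""

def parse_postconf(text):
    """Turn `postconf -n` lines into a dict; an empty value maps to ''."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$", line)
        if m:
            params[m.group(1)] = m.group(2)
    return params

def audit_server_tls(params):
    """Findings for the inbound (smtpd) side; empty when it is complete.
    smtpd_tls_* is the receiving daemon, smtp_tls_* only the outbound client."""
    findings = []
    level = params.get("smtpd_tls_security_level", "")
    if level in ("", "none"):
        return findings  # server-side TLS not requested, nothing to check
    if not params.get("smtpd_tls_cert_file"):
        msg = "smtpd_tls_security_level=%s but smtpd_tls_cert_file is unset" % level
        if params.get("smtp_tls_cert_file"):
            msg += " (only the client-side smtp_tls_cert_file is set)"
        findings.append(msg)
    return findings

def suggested_additions(params):
    """Lines to ADD (keep smtp_tls_* for outbound TLS) so inbound STARTTLS works."""
    return ["smtpd_tls_%s_file = %s" % (r, params["smtp_tls_%s_file" % r])
            for r in ("cert", "key")
            if params.get("smtp_tls_%s_file" % r)
            and not params.get("smtpd_tls_%s_file" % r)]

if __name__ == "__main__":
    cfg = parse_postconf(SAMPLE_POSTCONF)
    for finding in audit_server_tls(cfg):
        print("FINDING:", finding)
    for line in suggested_additions(cfg):
        print("ADD:", line)
```

Run it against the real output with `postconf -n | python3 check_smtpd_tls.py` after replacing `SAMPLE_POSTCONF` with `sys.stdin.read()`.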