Author Topic: smtpauth not working for me.  (Read 5496 times)

smtpauth not working for me.
« on: December 07, 2021, 12:23:19 AM »
I have a problem using smtpauth from my ecommerce platform.

If I use mail.lakeservers.com I get an error:

Quote
warning: TLS library problem: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1544:SSL alert number 45:

If I use the server server.companiondriver.com  I get no error.  What is different about the two certs?
Listen to everything Pixelpadre says.

Re: smtpauth not working for me.
« Reply #1 on: December 07, 2021, 11:26:06 AM »
I have a problem using smtpauth from my ecommerce platform.

If I use mail.grannydriver.com I get an error:

Quote
warning: TLS library problem: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1544:SSL alert number 45:

If I use the server server.companiondriver.com  I get no error.  What is different about the two certs?

Edited to reflect grannydriver instead of lakeservers.
Listen to everything Pixelpadre says.

Re: smtpauth not working for me.
« Reply #2 on: December 07, 2021, 12:18:10 PM »
From postfix/main.cf:

# network settings
inet_interfaces = all
mydomain = yourdomain.com <--------------- does this matter? Seems like YES!
myhostname = server.companiondriver.com
mynetworks = $config_directory/mynetworks
mydestination = $myhostname = server.companiondriver.com
relay_domains = proxy:mysql:/etc/postfix/mysql-relay_domains_maps.cf
Listen to everything Pixelpadre says.

Re: smtpauth not working for me.
« Reply #3 on: December 09, 2021, 11:28:12 PM »
Your server is responding with domain "www.grannydriver.com", not "mail.grannydriver.com":

Code:
# openssl s_client -crlf -servername mail.grannydriver.com -connect mail.grannydriver.com:465
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = www.grannydriver.com
verify return:1
---
Certificate chain
 0 s:/CN=www.grannydriver.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
subject=/CN=www.grannydriver.com
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4751 bytes and written 445 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 521A1C63857F51F18148ECE661E290716C20E600C947D8FDA9F4FAA12FEB89CD
    Session-ID-ctx:
    Master-Key: 8F4BA1D0A7D47069BB9A1E006D4C5BDE7A2EFEF24022042038EDFD49DF272B53A4676C66407D018E3C2D76D593E2ED21
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1639091792
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
220 server.companiondriver.com ESMTP Postfix
quit
221 2.0.0 Bye
closed

This suggests that you need to configure an additional certificate, for "mail.grannydriver.com", in addition to other domains you use.

Regards,
Netino

Re: smtpauth not working for me.
« Reply #4 on: December 14, 2021, 11:07:20 AM »
I don't understand. I have certs for all of my mail.domain.com websites, verified with ssllabs.com
Listen to everything Pixelpadre says.

Re: smtpauth not working for me.
« Reply #5 on: December 15, 2021, 10:28:39 PM »
So you have a problem with the SNI configuration in postfix.
Check that you have the following configuration enabled in /etc/postfix/main.cf:
Code:
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
...and make sure all domains you have (including 'mail.grannydriver.com') are in the file '/etc/postfix/vmail_ssl.map'.
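
The check described in Reply #5, as an added example that is not part of the original thread or of Postfix itself: it simulates the lookup order the Postfix documentation gives for tls_server_sni_maps (the verbatim SNI name, then each ancestor domain with a leading dot) over a map source file and reports names with no entry. The map contents, certificate paths and function names are constructed for illustration.

```python
# Added example: offline audit of a Postfix tls_server_sni_maps source file.
# The map contents and certificate paths are constructed sample data.
SAMPLE_MAP = """\
# vmail_ssl.map (constructed sample contents)
www.grannydriver.com  /etc/ssl/sample/granny.key /etc/ssl/sample/granny.pem
.companiondriver.com  /etc/ssl/sample/companion.key
    /etc/ssl/sample/companion.pem
"""


def parse_postfix_table(text):
    """Parse Postfix table source text into {lowercased key: value}."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comment lines are ignored
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()  # leading whitespace continues a line
        else:
            logical.append(raw.strip())
    table = {}
    for line in logical:
        parts = line.split(None, 1)
        table[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return table


def sni_lookup(table, sni_name):
    """Try the SNI name itself, then '.parent', '.grandparent', ...
    A '.example.com' key does not match the bare name 'example.com'."""
    key = sni_name.lower()  # DNS names compare case-insensitively
    while True:
        if key in table:
            return key, table[key]
        dot = key.find(".", 1)  # next label boundary, skipping a leading dot
        if dot == -1:
            return None, None
        key = key[dot:]


def audit(map_text, hostnames):
    """Map each hostname to the key that serves it, or None when no entry
    matches and the server's default certificate is presented instead."""
    table = parse_postfix_table(map_text)
    return {host: sni_lookup(table, host)[0] for host in hostnames}


if __name__ == "__main__":
    names = ["mail.grannydriver.com", "www.grannydriver.com",
             "server.companiondriver.com"]
    for host, key in audit(SAMPLE_MAP, names).items():
        print(f"{host:28} -> {key or 'NO ENTRY (default certificate)'}")
```

The Postfix documentation for tls_server_sni_maps also states that the indexed table must be built with `postmap -F`, so rebuild the map that way after adding a missing name.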

Re: smtpauth not working for me.
« Reply #6 on: December 16, 2021, 12:53:03 AM »
The same logic is also valid for dovecot.
Check if you have the following, at the end of the file '/etc/dovecot/dovecot.conf':
Code:
!include_try /etc/dovecot/sni.conf
...and check the content of the file '/etc/dovecot/sni.conf' for your ssl domains.

Re: smtpauth not working for me.
« Reply #7 on: December 29, 2021, 11:17:16 PM »
check
check
check
Listen to everything Pixelpadre says.