1 Topic by aarango

  • aarango
  • Member
  • Offline
  • Registered: 2016-12-02
  • Posts: 52

Topic: Trouble installing SSL Postfix/Dovecot

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.4
- Web server (Apache or Nginx): Nginx
====

Hi, I recently bought a SSL to postfix/dovecot, I added to this:

main.cf

smtpd_tls_key_file = /etc/ssl/private/my.key
smtpd_tls_cert_file = /etc/ssl/certs/my.crt
smtpd_tls_CAfile = /etc/ssl/certs/my.bundle

dovecot.conf

ssl = required
ssl_cert = < /etc/ssl/certs/my.crt
ssl_key = </etc/ssl/private/my.key
ssl_ca = </etc/ssl/certs/my.bundle

I restarted dovecot and postfix but when I see logs I see this:

TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown

And when its ocurrs if any user tries to send an email from external net he can't. In inbox keep "In queue" but can't send it.

My crt and key matches (checked)

Any idea?

Thanks.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by aarango

  • aarango
  • Member
  • Offline
  • Registered: 2016-12-02
  • Posts: 52

Re: Trouble installing SSL Postfix/Dovecot

Any?

Jun  1 09:04:27 mail postfix/submission/smtpd[5567]: warning: TLS library problem: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1278:SSL alert number 46:

If I use iRedmail.crt default its works fine but with my new certificates not.

Thanks.

3 Reply by aarango

  • aarango
  • Member
  • Offline
  • Registered: 2016-12-02
  • Posts: 52

Re: Trouble installing SSL Postfix/Dovecot

Any? I setup SSL and I can send emails but my emails (with trusted SSL bought) go to SPAM. Full trace:

Jun 13 08:58:32 mail amavis[23810]: (23810-10) FWD from <probandodireccion@mydomain.com -> <myhotmail@myhotmail.com>,BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 226002EA1FBC
Jun 13 08:58:32 mail postfix/smtp[24881]: initializing the client-side TLS engine
Jun 13 08:58:32 mail amavis[23810]: (23810-10) Passed CLEAN {RelayedInternal}, ORIGINATING/MYNETS LOCAL [192.168.1.X]:47568 [192.168.1.X] <probandodireccion@mydomain.com> -> <myhotmail@myhotmail.com>, Queue-ID: 770462EA1FBB, Message-ID: <b2978
e71-ae37-ec07-891b-b66fcc045afa@mydomain.com>, mail_id: cPULE3CXd12x, Hits: -1, size: 603, queued_as: 226002EA1FBC, Subject: "test", From: test_<probandodireccion@mydomain.com>, User-Agent: Mozilla/5.0_(X11;_Linux_x86_64;_rv:52.0)_Gecko/2010
0101_Thunderbird/52.1.1, helo=[192.168.100.73], Tests: [ALL_TRUSTED=-1], autolearn=ham autolearn_force=no, autolearnscore=0, dkim_new=dkim:mydomain.com, 607 ms
Jun 13 08:58:32 mail postfix/smtp[24650]: 770462EA1FBB: to=<myhotmail@myhotmail.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.8, delays=0.14/0/0/0.66, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued
 as 226002EA1FBC)
Jun 13 08:58:32 mail postfix/qmgr[24421]: 770462EA1FBB: removed
Jun 13 08:58:33 mail postfix/smtp[24881]: setting up TLS connection to mx3.hotmail.com[65.54.188.110]:25
Jun 13 08:58:33 mail postfix/smtp[24881]: mx3.hotmail.com[65.54.188.110]:25: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
Jun 13 08:58:33 mail postfix/smtp[24881]: SSL_connect:before/connect initialization
Jun 13 08:58:33 mail postfix/smtp[24881]: SSL_connect:unknown state
Jun 13 08:58:33 mail postfix/smtp[24881]: SSL_connect:SSLv3 read server hello A
Jun 13 08:58:33 mail postfix/smtp[24881]: mx3.hotmail.com[65.54.188.110]:25: depth=1 verify=0 subject=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA2
Jun 13 08:58:33 mail postfix/smtp[24881]: mx3.hotmail.com[65.54.188.110]:25: depth=1 verify=0 subject=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA2
Jun 13 08:58:33 mail postfix/smtp[24881]: mx3.hotmail.com[65.54.188.110]:25: depth=0 verify=1 subject=/CN=*.hotmail.com
Jun 13 08:58:33 mail postfix/smtp[24881]: SSL_connect:SSLv3 read server certificate A
Jun 13 08:58:33 mail postfix/smtp[24881]: SSL_connect:SSLv3 read server key exchange A
Jun 13 08:58:33 mail postfix/smtp[24881]: SSL_connect:SSLv3 read server done A
Jun 13 08:58:33 mail postfix/smtp[24881]: SSL_connect:SSLv3 write client key exchange A
Jun 13 08:58:33 mail postfix/smtp[24881]: SSL_connect:SSLv3 write change cipher spec A
Jun 13 08:58:33 mail postfix/smtp[24881]: SSL_connect:SSLv3 write finished A
Jun 13 08:58:33 mail postfix/smtp[24881]: SSL_connect:SSLv3 flush data
Jun 13 08:58:33 mail postfix/smtp[24881]: SSL_connect:SSLv3 read finished A
Jun 13 08:58:33 mail postfix/smtp[24881]: mx3.hotmail.com[65.54.188.110]:25: subject_CN=*.hotmail.com, issuer_CN=Microsoft IT SSL SHA2, fingerprint=3B:17:99:D6:8E:AB:73:00:77:84:F7:15:0E:EE:E5:AF, pkey_fingerprint=48:6F:13:1D:4A:A4:9E:EE
:C3:D2:38:AA:65:30:11:5F
Jun 13 08:58:33 mail postfix/smtp[24881]: Untrusted TLS connection established to mx3.hotmail.com[65.54.188.110]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Jun 13 08:58:34 mail postfix/smtp[24881]: 226002EA1FBC: to=<myhotmail@myhotmail.com>, relay=mx3.hotmail.com[65.54.188.110]:25, delay=2.6, delays=0.06/0/1.7/0.89, dsn=2.0.0, status=sent (250  <b2978e71-ae37-ec07-891b-b66fcc045afa@mydomain.com> 
Queued mail for delivery)
Jun 13 08:58:34 mail postfix/qmgr[24421]: 226002EA1FBC: removed

Why go SPAM if I'm using a trusted SSL and its setup as FAQ
http://www.iredmail.org/docs/use.a.boug … icate.html

Thanks.

4 Reply by PhilBin

  • PhilBin
  • Member
  • Offline
  • Registered: 2017-06-13
  • Posts: 3

Re: Trouble installing SSL Postfix/Dovecot

Reset everything back to the original state and do the following:

service nginx stop

# find postfix and dovecot self-signed certificates and rename them to .bak.

# save old self-signed iRedMail certs as .bak
mv /etc/ssl/certs/iRedMail.crt /etc/ssl/certs/iRedMail.crt.bak
mv /etc/ssl/private/iRedMail.key /etc/ssl/private/iRedMail.key.bak

# make symlink to your purchased certificates so iRedMail could use them
ln -s yourPathToCerts/privkey.pem /etc/ssl/private/iRedMail.key
ln -s yourPathToCerts/fullchain.pem /etc/ssl/certs/iRedMail.crt

service postfix reload
service dovecot reload
service nginx start

Good luck.

5 Reply by raz

  • raz
  • Member
  • Offline
  • Registered: 2016-07-03
  • Posts: 59

Re: Trouble installing SSL Postfix/Dovecot

Hey
maybe you should check your ssl from outside.
try to use this website - https://www.sslshopper.com/ssl-checker.html
and put your server fqdn inside and see if there are any errors.

Raz

6 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,164

Re: Trouble installing SSL Postfix/Dovecot

Try to check the ssl with a web browser by visiting your website (https://).

7 Reply by aarango

  • aarango
  • Member
  • Offline
  • Registered: 2016-12-02
  • Posts: 52

Re: Trouble installing SSL Postfix/Dovecot

Hi, I have a unique public IP and now if you go my public IP using https go to a server with Owncloud running with SSL (and works fine)

I bought this new SSL for mail only (port 587 STARTSSL), so if I go https://PUBLIC_IP will go another server with an Owncloud configured and SSL.

Can it be the problem? 

I checked my mail SSL and it maches (key and crt).

Here header Microsoft sending an email from my domain -> hotmail using new SSL (The email went to SPAM)

Received: from DB5EUR03HT046.eop-EUR03.prod.protection.outlook.com
 (2a01:111:e400:51fa::50) by HE1PR1001MB1356.EURPRD10.PROD.OUTLOOK.COM with
 HTTPS via HE1PR06CA0040.EURPRD06.PROD.OUTLOOK.COM; Wed, 14 Jun 2017 09:23:57
 +0000
Received: from DB5EUR03FT053.eop-EUR03.prod.protection.outlook.com
 (10.152.20.53) by DB5EUR03HT046.eop-EUR03.prod.protection.outlook.com
 (10.152.21.0) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.1157.12; Wed, 14
 Jun 2017 09:23:56 +0000
Authentication-Results: spf=pass (sender IP is PUBLIC_IP)
 smtp.mailfrom=mydomain.com; hotmail.com; dkim=fail (no key for signature)
 header.d=mydomain.com;hotmail.com; dmarc=pass action=none
 header.from=mydomain.com;
Received-SPF: Pass (protection.outlook.com: domain of mydomain.com designates
 PUBLIC_IP as permitted sender) receiver=protection.outlook.com;
 client-ip=PUBLIC_IP; helo= mail.mydomain.com;
Received: from SNT004-MC7F14.hotmail.com (10.152.20.55) by
 DB5EUR03FT053.mail.protection.outlook.com (10.152.21.119) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
 15.1.1157.12 via Frontend Transport; Wed, 14 Jun 2017 09:23:55 +0000
X-IncomingTopHeaderMarker: OriginalChecksum:D65A6EFB10EC3C0430FC1D9AA352E952C02E62269EABB00D3E28A103F9E13660;UpperCasedChecksum:3CC5FBFB3643104D6340067BACAE013C59EB5F3157EA9EC092453032D9BAF658;SizeAsReceived:2154;Count:23
Received: from mail.mydomain.com([PUBLIC_IP]) by SNT004-MC7F14.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23143);
     Wed, 14 Jun 2017 02:23:52 -0700
Received: from mail.amydomain.com (mail.mydomain.com [127.0.0.1])
    by mail.mydomain.com(Postfix) with ESMTP id 155B02EA1FD4
    for <myhotmail@myhotmail.com>; Wed, 14 Jun 2017 11:23:51 +0200 (CEST)
Authentication-Results: mail.mydomain.com (amavisd-new); dkim=pass
    reason="pass (just generated, assumed good)" header.d=mydomain.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mydomain.com; h=
    content-language:content-transfer-encoding:content-type
    :content-type:mime-version:user-agent:date:date:message-id
    :subject:subject:from:from:to; s=dkim; t=1497432230; x=
    1498296231; bh=9AHoAnKeuCOquZ2wyXrWwEah+VldBVaOIRXSzrVnSLg=; b=E
    dTG7aCMDrASsT6xsrkQscAKsW1hiDlCf94KsyFjMjYxb2XsFwO7MXx3Fb5nU2JMW
    tnrvAAC6HFA6Qjwz+hxXMWa/X91KG5sECILcHxz59CCRnXy6GbpGfHtrq8KjrAFe
    QWgl4yXOiYoRpR6hMbnL50JM3TGYd0lB1J+q+T31Lk=
X-Virus-Scanned: Debian amavisd-new at mail.mydomain.com
X-Spam-Flag: NO
X-Spam-Score: -1
X-Spam-Level:
X-Spam-Status: No, score=-1 required=4.31 tests=[ALL_TRUSTED=-1]
    autolearn=ham autolearn_force=no
Received: from mail.mydomain.com ([127.0.0.1])
    by mail.mydomain.com(mail.mydomain.com [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id iDbx8soOBUM8 for <myhotmail@myhotmail.com>;
    Wed, 14 Jun 2017 11:23:50 +0200 (CEST)
Received: from [192.168.100.73] (unknown [192.168.1.1])
    by mail.mydomain.com(Postfix) with ESMTPSA id 5CC1B2EA1FBA
    for <myhotmail@myhotmail.com>; Wed, 14 Jun 2017 11:23:49 +0200 (CEST)
To: myhotmail@myhotmail.com
From: probandore <probandoredireccion@mydomain.com>
Subject: asd
Message-ID: <56be60de-b9a8-7bc5-b54e-001059c663e3@mydomain.com>
Date: Wed, 14 Jun 2017 11:23:49 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.1.1
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: es-ES
Return-Path: probandoredireccion@mydomain.com
X-OriginalArrivalTime: 14 Jun 2017 09:23:52.0975 (UTC) FILETIME=[F07609F0:01D2E4EF]
X-IncomingHeaderCount: 23
X-MS-Exchange-Organization-Network-Message-Id: 0a71406a-b74a-4263-29fa-08d4b30714bc
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
CMM-sender-ip: PUBLIC_IP
CMM-sending-ip: PUBLIC_IP
CMM-Authentication-Results: hotmail.com; spf=pass (sender IP is
 PUBLIC_IP; identity alignment result is pass and alignment mode is
 relaxed) smtp.mailfrom=probandoredireccion@mydomain.com; dkim=permerror
 (identity alignment result is pass and alignment mode is relaxed)
 header.d=mydomain.com; x-hmca=pass header.id=probandoredireccion@mydomain.com
CMM-X-SID-PRA: probandoredireccion@mydomain.com
CMM-X-AUTH-Result: PASS
CMM-X-SID-Result: PASS
CMM-X-Message-Status: n:n
CMM-X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MjtHRD0xO1NDTD00
CMM-X-Message-Info: 11chDOWqoTnrG2GiNNvZKzdyR1L6/aurhoMB5rtbpwCIaPWOYtyt+cbCDsXqkaU7tTtzXZwDfL3TpqALsvdtdAl52xhr3K0iH+wS5oj9WqlLvYLvWkZFOSWvFJ9pZfvOiOrWj0cY+6IN/Nk81PUhX6Y9+Mnbh280oM0rk4BzwtFR6DWh3/+kZyQBaH/eM/z9pd18GySAJD8bz1y7rkbM2PIspSNSamFXS5yjJNS9NDMtCJmZZO34IEPbSOT/IgW3
X-MS-Exchange-Organization-SCL: 5
X-MS-Exchange-Organization-PCL: 2
X-Microsoft-Exchange-Diagnostics: 1;DB5EUR03FT053;1:FDBPx4HHriaC2EPQlRvtuC8vHD0jm05Wh8h7Z+6b2504PyoB2KtjdEG1Och6WFqaNvmxwPZgCsxaO7XT8zP1OGIyTgeeP2Q9q26h7cQQSht73YgUe+hMArbepZAelLVwECg6qbTKsLHcyN+h1UGQM8Gv/ZDdmVSEVx7YKa2u+bJk8XL6StgncbXOMgGYlKYjoy/sU/32rAlprWEXmcAHkmVfIkR6J4QGTTRRhOTorpub7bp4t8+cCK0p6u9Xi9ADVSzjD/yEs4Qww9ZiSFZPqgNY8/KsXXRTrf9r4vOIIJ5iaQbcn36GgZXS1pjLA61F
X-Forefront-Antispam-Report: EFV:NLI;SFV:SPM;SFS:(28900001);DIR:INB;SFP:;SCL:5;SRVR:DB5EUR03HT046;H:SNT004-MC7F14.hotmail.com;FPR:;SPF:None;LANG:en;
X-MS-Exchange-Organization-AuthSource: DB5EUR03FT053.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: DB5EUR03HT046:
X-MS-Office365-Filtering-Correlation-Id: 0a71406a-b74a-4263-29fa-08d4b30714bc
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:(23075)(22001)(8291501071);SRVR:DB5EUR03HT046;
X-Microsoft-Exchange-Diagnostics: 1;DB5EUR03HT046;3:zY7V/YTNgvusiwMgyu99u0kfwflQTAFpCJSxoybthc2c/ObirPaSdtETAc74wM34VX8w+aUw9BBMwiG0ZV1r3OrnTOr59r64zGtYHcNjwM4F+N0iFMGcbA5PlLeMTBSXoOujd2NO8BaaVaS0YCbtYtu6q+8Ko0ivLe2C4l+1YVF6XxQSahZOawawZGAnNoYsFHMCF7nx879DlM3J/XqhrHEAA93uyw1OYakRro9saRuF5nGq+n3CIfzcVKFxEONDsg4btjAbfMtq+wSsTH6VU69N6++ED2CzKIDhiO/9vBe0pLUAt8w6cNBBPouoZN0qcNGHxokonrvyGEtQ7R/uf4w2sNuTymMaSdJUCiTtNGQHysnSanfAAWLOBa4UMJox;25:fNPVR7SU8yTmOSfqOAvtmfHz4SQGB/7X+bry9PPlA6LVOYp17EAjVwBT8PVU1XzG5dZVlP2uiY+dZcsDxSirKvmQeLdABHecvRxoMd6UVPe6/kt/wwT/QBRtaNFjspEoqsC33pVsO+BM0iRMCfjKntZpzS0+54eS0IYwFqpakyKBE92VLAGVgeP/GA6GEa3riacBkGWh0fMxV+IOx1ImNBTCTewcuf0rUcDhGk/yH6SbfYcsSYfd8qXwYkCEO0V3OEnewMNTdN0HCYJ9cWpQbh036AfSuB7y8+G2bpepKnjK2Px+rqF6BBf27luYz/a1tlyQIFPor09BtHRTKsmJojjwNGsbw9K+fde3pP+htktzrox3Te2tZluhZwNyJUv6g4zJBCv99SvV4k4DJ3SOSq4n1CpPI1G1wYWqgaEQImM=
X-MS-Exchange-Organization-AVStamp-Service: 1.0
X-Microsoft-Exchange-Diagnostics: 1;DB5EUR03HT046;31:nzV/Cn7bSPNIasnwUrHZVwIOGpzbIt+BK7kjUtaFUopjzAzTXzs566bg8PNlsCGzfQYLP3bToqiMSEGYREJaufRwmbmoD2Fd0MiVazH++MC+VSBH/LNs1gua6QK6cDPWrtnz6Z9BMq1AmcZhuLqQY0LcDlhdjUwwMDe+cWaih508yyYF0DIiVKAMjSaWzgz7;4:YM+SmvyEaaf3qs9CEbVNMSL+3oiQiVQJbzi54reDaRYrYD2P78ff1SIQbNnNHAwV5Kc70tfrTbwrB4jYPyWNNMtMUIq0U4qwyXnpcwTpI/QNKRkqQDD3wprSqsa90m2n3tnfwd2L3xBeVopGlUcPU9StMM86ztziEDN4u5gSwGgVWKUndfhf9+uYwZieA2GUF3oWp3rm7S2R9oheYlfxh/AvoYh5OpIOOXXbJRh45EhJjyEc1fHVDVTAxgG5eMQKhNPtRPKCWKrURgCWuQS4TDUKc6zuHO6KLNrZkKr5ySfQdKphSOqTEmVxzVvgWLlQMPOshnVahz4erbfvDue5mouXW73GLWhuF0QDwB/WNtU=;23:vo48jtPSSrylXV6ep7F/kxzWvdpld/YyCFNcA3A8mwKHu4rupZbvUBKDWQEt1paIZ7zawpD/CX01+6CPJr/yrL2NSsLEKaS6ewI7qjk80IFYVhgkfgBEgFI/SgdKVuvhCbe/3vB3YcRqIXrypY65DAWSt/HBg1dLPE4hCsh9lcykNC8Eh7FPY9K1s5hdoRInSsx99EArjtTHegdVgTCDsg==
X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(444000031);SRVR:DB5EUR03HT046;BCL:0;PCL:0;RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095);SRVR:DB5EUR03HT046;
X-Microsoft-Exchange-Diagnostics: 1;DB5EUR03HT046;6:ib10WsEcLh1dMVrr8am9ATTr5w2vaDrYQVK5TjsDtBswG7cgVe4quMTQ+mQiy/KrC3nue0Uy89k17yI+2S7GV32gKaQs4Fb+GwEB4wJWeiuIszDizHqTLq/CranzCGQHWJfq8G4msrQKLa/33ktd/y58O0JobDPvY9cF1Rwb13/Ob3o9BvupoJ6H8XNcidu8lnEUKCJLci7HXh2vRMgvcUkGhTfTtgRCJOBPFYK6mJZubDE0MpxUhMFk4B5sd5/mDbx3xMmrk/Yf1qxXPVo7yajNZEO3DipUjlIj/1Co+nH65LgipNaH6k/UFtte53wd;5:wg3Ub+GmW4KFm1fbB25PSqUEfFTbV0AKUpSd/SQODbyMd6+og70vxOmtVTI9Lx3fB5tq4SM45UAo01do1UGBknqWp6o1Xqsdn7UV03BToCIoBr/jlqYJKWWiEdNBpbaq2BusG1Pcfkh8vQSCFmt7BZ+knTi4iCatgxKWO9MVtMOuDy5xtx7JJcSvZfXwVV4ymWuUBr+rqr8TgAgvtgVIPWSmD9IYhWf8z1GFE2bTskDsVsj1ExUgF/9wZsgp0ukrxdsLq+o9XyvHYC9BNeXR3RnGjy1Fm5Uo25Hr959VFNk82gtIxxXO08xsNv7NoSo03QumdJcClVVYI5GqlYr2kJBqAEFm91BjUjQTO1WLf6X+rVRi7C/PDn0VVMsh87TXu63mMjMOkL/i3d/oFdSJ6c9AMhEhiYMelBjeIDjve9fST0tE7TlQxEGKuMDae7bb5bJSgBfpyqoWD1osqVTYYFqjkgfgjWOHgYObxGPTXZMQEZIAA1I+pkUrZP9WwPD7;24:/dnzPgKst/X4uvKOQmnD3eXcYj8bvcFInRH5fk21YMCA+bc24PK43O3zK17eyCms9jHLtQycsxkwnTU4dHDX3g==
SpamDiagnosticOutput: 1:22
SpamDiagnosticMetadata: Default
X-Microsoft-Exchange-Diagnostics: 1;DB5EUR03HT046;7:dQ3CpGcz6s2cSuiBkPdtfdcvDd9gkW/s0NiLWtAinhtW+lb4W1Yte7HoK54Dng5qYatukSQzSmDvBofsKAN+j16O8DSUSh0ixrq3nshLEuWRjUEaYInj1eYVvVix55GetTHnOWto00A7+E6hCUNPJs3IJNZA2ncEHguKt5ufUGwGalAj9H3sH14qJbuwA4drgH/YDtD5iDRSmtui2NIumU654lbmIMU1/B1LZhxqmo8wCI3qtwWxx2bjX9HFpDQFiLJWaSgyAeWvWrHNGkXBgFRSX1p11qe7M/iXjQgKbB7qw6D5ZPuIlwAKO/k23lxis/66wcNeerOldQpVenzt6g==
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 14 Jun 2017 09:23:55.3851
 (UTC)
X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB5EUR03HT046
X-MS-Exchange-Transport-EndToEndLatency: 00:00:02.5829602
X-Microsoft-Exchange-Diagnostics:
    1;HE1PR1001MB1356;27:XlZb1LAbND2vjheI2LkreWNc1LfdxXnX8hkglEqc+nbLD2KhsRi8N4P1o5UBDA1h06GtFkHGkV3A9g0THn6pboW2t5+aEWoZoQXe/+goFqcS3vHFvKJ798kLZ51tUVS8ctRN9nRxyYk7hMo+IKIY5g==
X-Microsoft-Antispam-Mailbox-Delivery:
    abwl:0;wl:0;pcwl:0;kl:0;iwl:0;ijl:0;dwl:0;dkl:0;rwl:0;ex:0;auth:1;dest:J;WIMS-SenderIP:PUBLIC_IP;WIMS-SPF:mydomain.com;WIMS-DKIM:mydomain.com;WIMS-822:probandoredireccion%40mydomain.com;WIMS-PRA:probandoredireccion%40mydomain.com;WIMS-AUTH:PASS;ENG:(5062000180)(5061607266)(5061608170)(4900095)(4950095)(102400140)(102418017);RF:JunkEmail;OFR:JunkedMail;
MIME-Version: 1.0

ads

Thanks.

8 Reply by aarango

  • aarango
  • Member
  • Offline
  • Registered: 2016-12-02
  • Posts: 52

Re: Trouble installing SSL Postfix/Dovecot

A thing:

Untrusted TLS connection established to mx1.hotmail.com[104.44.194.232]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)

I see that its using TLSv1.2, but in my main.cf I'm using this line:

smtpd_tls_protocols = !SSLv2 !SSLv3
smtp_tls_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3

9 Reply by aarango

  • aarango
  • Member
  • Offline
  • Registered: 2016-12-02
  • Posts: 52

Re: Trouble installing SSL Postfix/Dovecot

If I use:
smtp_tls_security_level = none

I don't see "Untrusted TLS... " in logs but email go SPAM too.

Any way to avoid that hotmail mark as SPAM our emails?

- Domain has SPF, PTR, DKIM, no whitelist.

Thanks.

10 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,164

Re: Trouble installing SSL Postfix/Dovecot

If your MUA doesn't pop up a warning message about invalid SSL cert, then ssl setup is fine.
So your issue is hotmail moves your email to Spam folder? this is not what we can control.

11 Reply by aarango

  • aarango
  • Member
  • Offline
  • Registered: 2016-12-02
  • Posts: 52

Re: Trouble installing SSL Postfix/Dovecot

ZhangHuangbin wrote:

If your MUA doesn't pop up a warning message about invalid SSL cert, then ssl setup is fine.
So your issue is hotmail moves your email to Spam folder? this is not what we can control.

No, problem is that all emails that I sent using my SSL, my iredmail server says "Untrusted..."

Here another test with another domain:

Jun 15 09:01:43 mail amavis[8394]: (08394-15) Passed CLEAN {RelayedInternal}, ORIGINATING/MYNETS LOCAL [192.168.1.1]:44844 [192.168.1.1] <probandoredireccion@mydomain.com> -> <noreply@pccomponentes.com>, Queue-ID: 7E5C52EA1FFE, Message-ID: <f22c6826-687d-19df-64f2-3a5f78be797f@mydomain.com>, mail_id: zS4EbwcS4Tje, Hits: -1, size: 623, queued_as: 0825C2EA2003, Subject: "test", From: probandore_<probandoredireccion@mydomain.com>, User-Agent: Mozilla/5.0_(X11;_Linux_x86_64;_rv:52.0)_Gecko/20100101_Thunderbird/52.1.1, helo=[192.168.100.73], Tests: [ALL_TRUSTED=-1], autolearn=ham autolearn_force=no, autolearnscore=0, dkim_new=dkim:mydomain.com, 486 ms
Jun 15 09:01:43 mail postfix/smtp[12816]: 7E5C52EA1FFE: to=<noreply@pccomponentes.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.71, delays=0.18/0/0/0.54, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0825C2EA2003)
Jun 15 09:01:43 mail postfix/qmgr[29823]: 7E5C52EA1FFE: removed
Jun 15 09:01:43 mail postfix/smtp[13104]: setting up TLS connection to relay.dnspropio.com[185.14.57.122]:25
Jun 15 09:01:43 mail postfix/smtp[13104]: relay.dnspropio.com[185.14.57.122]:25: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
Jun 15 09:01:43 mail postfix/smtp[13104]: SSL_connect:before/connect initialization
Jun 15 09:01:43 mail postfix/smtp[13104]: SSL_connect:unknown state
Jun 15 09:01:43 mail postfix/smtp[13104]: SSL_connect:SSLv3 read server hello A
Jun 15 09:01:43 mail postfix/smtp[13104]: relay.dnspropio.com[185.14.57.122]:25: depth=1 verify=0 subject=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Jun 15 09:01:43 mail postfix/smtp[13104]: relay.dnspropio.com[185.14.57.122]:25: depth=1 verify=0 subject=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Jun 15 09:01:43 mail postfix/smtp[13104]: relay.dnspropio.com[185.14.57.122]:25: depth=0 verify=1 subject=/CN=relay.dnspropio.com
Jun 15 09:01:43 mail postfix/smtp[13104]: SSL_connect:SSLv3 read server certificate A
Jun 15 09:01:43 mail postfix/smtp[13104]: SSL_connect:SSLv3 read server key exchange A
Jun 15 09:01:43 mail postfix/smtp[13104]: SSL_connect:SSLv3 read server done A
Jun 15 09:01:43 mail postfix/smtp[13104]: SSL_connect:SSLv3 write client key exchange A
Jun 15 09:01:43 mail postfix/smtp[13104]: SSL_connect:SSLv3 write change cipher spec A
Jun 15 09:01:43 mail postfix/smtp[13104]: SSL_connect:SSLv3 write finished A
Jun 15 09:01:43 mail postfix/smtp[13104]: SSL_connect:SSLv3 flush data
Jun 15 09:01:43 mail postfix/smtp[13104]: SSL_connect:SSLv3 read server session ticket A
Jun 15 09:01:43 mail postfix/smtp[13104]: SSL_connect:SSLv3 read finished A
Jun 15 09:01:43 mail postfix/smtp[13104]: relay.dnspropio.com[185.14.57.122]:25: subject_CN=relay.dnspropio.com, issuer_CN=Let's Encrypt Authority X3, fingerprint=F3:C5:82:C9:62:0C:90:93:EE:D3:77:98:00:95:3E:F3, pkey_fingerprint=FA:1B:8E:1D:5C:23:FD:D4:FC:31:6B:0B:73:E1:3C:D1
Jun 15 09:01:43 mail postfix/smtp[13104]: [b]Untrusted TLS connection established to[/b] relay.dnspropio.com[185.14.57.122]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 15 09:01:45 mail postfix/smtp[13104]: 0825C2EA2003: to=<noreply@pccomponentes.com>, relay=relay.dnspropio.com[185.14.57.122]:25, delay=2.3, delays=0.06/0/0.29/1.9, dsn=2.0.0, status=sent (250 OK id=1dLOmn-0006Iq-1i)
Jun 15 09:01:45 mail postfix/qmgr[29823]: 0825C2EA2003: removed

My SSL in Thunderbird is okay, in phones I receive a "Warning" but my SSL is right, its verified and I can test it with any web and CRT matches with key. Why so my server mail keeping saying that my SSL isn't right?

Thanks.

12 Reply by aarango

  • aarango
  • Member
  • Offline
  • Registered: 2016-12-02
  • Posts: 52

Re: Trouble installing SSL Postfix/Dovecot

Hi,

I fixed it adding this lines on main.cf:

smtp_tls_CApath = /etc/ssl/certs
smtpd_tls_CApath = /etc/ssl/certs

Now my emails are "Trusted....". Hotmail keeping marking as SPAM, but this is another problem. I hope that it will help someone.