> On Jun 18, 2024, at 12:38 AM, Viktor Dukhovni via Postfix-users 
> <postfix-users@postfix.org> wrote:
> 
> On Mon, Jun 17, 2024 at 11:39:27PM -0500, Paul Schmehl via Postfix-users 
> wrote:
> 
>> That might have uncovered a problem.
>> 
>> # posttls-finger -w -lsecure -C "www.stovebolt.com:465" "www.stovebolt.com"
>> 
>> posttls-finger: Connected to www.stovebolt.com[108.174.193.28]:465
>> posttls-finger: SSL_connect error to www.stovebolt.com[108.174.193.28]:465: -1
>> posttls-finger: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:
> 
> Your port 465 "smtps" service is misconfigured, it is missing the
> "-o smtpd_tls_wrapper_mode=yes" option.  For example:
> 
>    465        inet  n       -       n       -       -       smtpd
>        -o smtpd_tls_wrappermode=yes
>        -o smtpd_milters=
>        -o syslog_name=postfix/smtps
>        -o smtpd_sasl_auth_enable=yes
>        -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
>        -o smtpd_helo_restrictions=
>        -o smtpd_sender_restrictions=
>        -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>        -o smtpd_recipient_restrictions=
>        -o smtpd_data_restrictions=
>        -o smtpd_end_of_data_restrictions=
>        -o milter_macro_daemon_name=ORIGINATING
>        -o smtpd_milters=$mua_milters
>        -o always_add_missing_headers=yes
> 
OK. wrappermode was commented out. I uncommented it, restarted the daemon, and 
ran finger again.

# posttls-finger -w -lsecure -C "mail.stovebolt.com:465" "www.stovebolt.com"
posttls-finger: Connected to mail.stovebolt.com[108.174.193.29]:465
posttls-finger: server certificate verification failed for mail.stovebolt.com[108.174.193.29]:465: num=62:Hostname mismatch
posttls-finger: mail.stovebolt.com[108.174.193.29]:465: subject_CN=mail.stovebolt.com, issuer=R10, cert fingerprint=B6:E5:61:8F:1D:B3:98:54:36:CF:09:A1:04:96:E4:14:21:8C:59:91:AB:C5:60:27:34:E5:61:66:68:1E:83:D5, pkey fingerprint=26:05:FB:BB:A6:40:3D:66:16:B3:85:3A:23:9F:97:42:7E:BA:E2:BA:FF:DB:DA:67:B2:87:9B:16:A7:83:3D:0D
posttls-finger: Untrusted TLS connection established to mail.stovebolt.com[108.174.193.29]:465: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
posttls-finger: < 220 mail.stovebolt.com ESMTP Postfix
posttls-finger: > EHLO mail.stovebolt.com
posttls-finger: < 250-mail.stovebolt.com
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 900000000
posttls-finger: < 250-VRFY
posttls-finger: < 250-ETRN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250-SMTPUTF8
posttls-finger: < 250 CHUNKING

---
Certificate chain
(I deleted all the cert stuff)

posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye

This looks like it’s working correctly now, right?

Paul Schmehl
paul.schm...@gmail.com
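
An added example, not part of the thread and not Postfix's own code: a Python check for the misconfiguration diagnosed above, flagging master.cf services on port 465 whose smtpd_tls_wrappermode override is absent or commented out. The sample master.cf text is constructed, the function names are hypothetical, and the main.cf value is assumed to be the Postfix default "no" unless passed in.

```python
import re

# Service names conventionally bound to implicit-TLS submission (port 465).
IMPLICIT_TLS_NAMES = {"465", "smtps", "submissions"}
# Matches both "-o name=value" and the "-o { name = value }" form.
WRAPPER_RE = re.compile(r"-o\s+\{?\s*smtpd_tls_wrappermode\s*=\s*(\w+)")

def logical_lines(text):
    """Join master.cf continuation lines; drop blank and '#' comment lines."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # a commented-out "-o ..." line contributes nothing
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    return entries

def missing_wrappermode(text, main_cf_default="no"):
    """Return names of inet smtpd services on port 465 lacking wrappermode=yes."""
    bad = []
    for entry in logical_lines(text):
        fields = entry.split(None, 7)  # 7 columns, then command plus arguments
        if len(fields) < 8 or fields[1] != "inet":
            continue
        name, command = fields[0], fields[7]
        port = name.rsplit(":", 1)[-1]  # also handles "host:465"
        if port not in IMPLICIT_TLS_NAMES or command.split()[0] != "smtpd":
            continue
        overrides = WRAPPER_RE.findall(command)
        # Assumption: if the override is repeated, the last one is used here.
        value = overrides[-1] if overrides else main_cf_default
        if value.lower() != "yes":
            bad.append(name)
    return bad

# Constructed sample modelled on the thread: wrappermode commented out.
BROKEN = """\
smtp       inet  n       -       n       -       -       smtpd
465        inet  n       -       n       -       -       smtpd
#       -o smtpd_tls_wrappermode=yes
       -o syslog_name=postfix/smtps
       -o smtpd_sasl_auth_enable=yes
"""
FIXED = BROKEN.replace("#", " ")  # the same entry with the line uncommented

if __name__ == "__main__":
    print("broken:", missing_wrappermode(BROKEN))
    print("fixed: ", missing_wrappermode(FIXED))
```

This inspects only the text it is given; a posttls-finger run against the live port, as in the thread, remains the check that the running service actually negotiates TLS.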


