On Tue, Jun 18, 2024 at 01:04:25AM -0500, Paul Schmehl via Postfix-users wrote:

> >> posttls-finger: warning: TLS library problem: error:1408F10B:SSL 
> >> routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:
> > 
> > Your port 465 "smtps" service is misconfigured, it is missing the
> > "-o smtpd_tls_wrapper_mode=yes" option.
>
> OK. wrappermode was commented out. I uncommented it, restarted the
> daemon, and ran finger again.

[ For future drawn-out threads, we really should not let these go on
  quite so long without requesting the "postconf -nf" and "postconf -Mf"
  outputs. ]

> # posttls-finger -w -lsecure -C "mail.stovebolt.com:465" "www.stovebolt.com"

Why the "www.stovebolt.com"???  What hostname is roundcube configured to
connect to?  The certificate is for "mail.stovebolt.com".

> posttls-finger: Connected to mail.stovebolt.com[108.174.193.29]:465
> posttls-finger: server certificate verification failed for 
> mail.stovebolt.com[108.174.193.29]:465: num=62:Hostname mismatch
> posttls-finger: mail.stovebolt.com[108.174.193.29]:465: 
> subject_CN=mail.stovebolt.com, issuer=R10, cert 
> fingerprint=B6:E5:61:8F:1D:B3:98:54:36:CF:09:A1:04:96:E4:14:21:8C:59:91:AB:C5:60:27:34:E5:61:66:68:1E:83:D5,
>  pkey 
> fingerprint=26:05:FB:BB:A6:40:3D:66:16:B3:85:3A:23:9F:97:42:7E:BA:E2:BA:FF:DB:DA:67:B2:87:9B:16:A7:83:3D:0D
> posttls-finger: Untrusted TLS connection established to 
> mail.stovebolt.com[108.174.193.29]:465: TLSv1.3 with cipher 
> TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature 
> RSA-PSS (4096 bits) server-digest SHA256

> This looks like it’s working correctly now, right?

Correctly configured, wrapper-mode TLS is working on port 465, but one
of the subject alternative DNS names in the certificate needs to match
the hostname used by roundcube, or conversely, roundcube needs to be
configured to connect to one of those names.

-- 
    Viktor.
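
The name check behind the "Hostname mismatch" result above, as an added example that is not part of the original message and is not Postfix's or roundcube's code: it matches a client's configured hostname against a certificate's DNS subject alternative names using RFC 6125-style rules. The SAN list is constructed (the output above only shows the subject CN), and the function names are hypothetical.

```python
# Added example: RFC 6125-style matching of a client's reference hostname
# against the DNS subjectAltNames of a server certificate.

def _labels(name: str) -> list[str]:
    """Lower-case a DNS name, drop a trailing dot and split it into labels."""
    return name.rstrip(".").lower().split(".")


def san_matches(pattern: str, hostname: str) -> bool:
    """True if one SAN dNSName entry covers the hostname.

    Only a whole leftmost label of "*" is treated as a wildcard, and it
    stands for exactly one label (so "*.example.com" does not cover
    "example.com" or "a.b.example.com").
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def check_client_name(hostname: str, san_dns_names: list[str]) -> str:
    """Return the verdict a verifying client would reach for this hostname."""
    hits = [s for s in san_dns_names if san_matches(s, hostname)]
    if hits:
        return f"match: {hostname} covered by {hits[0]}"
    return f"Hostname mismatch: {hostname} not in {san_dns_names}"


# Constructed SAN list (assumption): the output above only shows the
# certificate's subject CN, mail.stovebolt.com.
CERT_SANS = ["mail.stovebolt.com"]

if __name__ == "__main__":
    for name in ("www.stovebolt.com", "mail.stovebolt.com", "MAIL.stovebolt.com."):
        print(check_client_name(name, CERT_SANS))
```
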