Re: [mailop] Increase of SSL/TLS errors

2023-09-12 Thread Camille - Clean Mailbox via mailop
I confirm it was an SNI issue. Some people were using custom MX names pointing to our IPs, and some senders didn't like the default certificate. Thank you all! Camille On 12/09/2023 at 15:04, Taavi Eomäe via mailop wrote: On 12/09/2023 15:33, Bill Cole via mailop wrote: Your CA

Re: [mailop] Increase of SSL/TLS errors

2023-09-12 Thread Romain via mailop
I confirm it was an SNI issue. Some people were using custom MX names pointing to our IPs, and some senders didn't like the default certificate. Thank you all! Camille On 12/09/2023 at 15:04, Taavi Eomäe via mailop wrote: On 12/09/2023 15:33, Bill Cole via mailop wrote: Your CA

Re: [mailop] Increase of SSL/TLS errors

2023-09-12 Thread Taavi Eomäe via mailop
On 12/09/2023 15:33, Bill Cole via mailop wrote: Your CA (LetsEncrypt) says that is breakage and they offer a fix. Take it or leave it, but saying that it isn't broken is wrong. It is not wrong. There's a valid and trusted path, that is sufficient. If your TLS client does not build

Re: [mailop] Increase of SSL/TLS errors

2023-09-12 Thread Bill Cole via mailop
On 2023-09-12 at 02:18:56 UTC-0400 (Tue, 12 Sep 2023 08:18:56 +0200) Camille - Clean Mailbox via mailop is rumored to have said: Hi Bill, └─# openssl s_client -connect mx.clean-mailbox.com:25 -starttls smtp [...] --- Certificate chain  0 s:CN = clean-mailbox.com    i:C = US, O = Let's

Re: [mailop] Increase of SSL/TLS errors

2023-09-12 Thread Camille - Clean Mailbox via mailop
I think I figured out what's happening after increasing the TLS debug logs. Some incoming connections are initiated using a FQDN for which I don't have a valid SSL certificate (another address than mx.clean-mailbox.com). I'll investigate & keep you posted. Best regards, Camille Le

Re: [mailop] Increase of SSL/TLS errors

2023-09-12 Thread Johann Klasek via mailop
On Tue, Sep 12, 2023 at 09:25:54AM +0200, Camille - Clean Mailbox via mailop wrote: > Hi, > > I didn't change anything in Postfix configuration. But yes, over the last > months, we upgraded from Debian 11 (OpenSSL 1.1.1n) to Debian 12 (OpenSSL > 3.0.9). > I don't see anything in openssl.cnf

Re: [mailop] Increase of SSL/TLS errors

2023-09-12 Thread Ken O'Driscoll via mailop
If it works without your MTA being involved then it may be a configuration setting on your side or theirs. Can you turn up the TLS debug log level on your MTA? That should point to where in the negotiation it's failing for future connections. Ken. > On 12 Sep 2023, at 12:28, Camille - Clean

Re: [mailop] Increase of SSL/TLS errors

2023-09-12 Thread Slavko via mailop
Hi, On Tue, 12 Sep 2023 12:28:13 +0200 Camille - Clean Mailbox via mailop wrote: > └─# openssl s_client -connect mx.clean-mailbox.com:25 -starttls smtp I can do TLS1.0, TLS1.2 & TLS1.3 handshake with your server and GnuTLS reports certificate as valid, thus the certificate itself seems to

Re: [mailop] Increase of SSL/TLS errors

2023-09-12 Thread Camille - Clean Mailbox via mailop
Hi, └─# openssl s_client -connect mx.clean-mailbox.com:25 -starttls smtp CONNECTED(0003) depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1 verify return:1 depth=1 C = US, O = Let's Encrypt, CN = R3 verify return:1 depth=0 CN = clean-mailbox.com verify return:1 ---

Re: [mailop] Increase of SSL/TLS errors

2023-09-12 Thread Ken O'Driscoll via mailop
What do you see when you run openssl s_client -connect… against the MTAs that are associated with this specific error in your logs? Ken. > On 12 Sep 2023, at 10:50, Camille - Clean Mailbox via mailop > wrote: > > Ok I'm now running RSA without DST cert: > # openssl crl2pkcs7 -nocrl

Re: [mailop] Increase of SSL/TLS errors

2023-09-12 Thread Camille - Clean Mailbox via mailop
Ok I'm now running RSA without DST cert: # openssl crl2pkcs7 -nocrl -certfile /etc/letsencrypt/live/clean-mailbox.com/fullchain.pem | openssl pkcs7 -print_certs -noout subject=CN = clean-mailbox.com issuer=C = US, O = Let's Encrypt, CN = R3 subject=C = US, O = Let's Encrypt, CN = R3 issuer=C

Re: [mailop] Increase of SSL/TLS errors

2023-09-12 Thread Slavko via mailop
Hi, On Tue, 12 Sep 2023 09:25:59 +0200 Geert Hendrickx via mailop wrote: > The reason is likely the certificate itself, not the chain; this > server offers (only) an ECC certificate, and while the vast majority > of clients are compatible with this today, some still only support > RSA.

Re: [mailop] Increase of SSL/TLS errors

2023-09-12 Thread Camille - Clean Mailbox via mailop
Hi, Just changed it to RSA, still have the same kind of errors: 2023-09-12T09:32:42.528685+02:00 mx1 postfix/smtpd[903460]: SSL_accept error from o167.p8.mailjet.com[87.253.233.167]: -1 2023-09-12T09:32:42.528920+02:00 mx1 postfix/smtpd[903460]: warning: TLS library problem:

Re: [mailop] Increase of SSL/TLS errors

2023-09-12 Thread Camille - Clean Mailbox via mailop
Hi James, I'm using certbot 2.1.0 (provided with Debian 12). I don't have anything like this in my renewal configuration file: [renewalparams] account = [my ID] authenticator = dns-cloudflare dns_cloudflare_propagation_seconds = 30 dns_cloudflare_credentials =

Re: [mailop] Increase of SSL/TLS errors

2023-09-12 Thread Geert Hendrickx via mailop
On Mon, Sep 11, 2023 at 18:26:18 -0400, Bill Cole via mailop wrote: > That's an indication that the client does not like your certificate. > > As for why, see > https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ > > TL;DR: you need to fix the chain of trust for your

Re: [mailop] Increase of SSL/TLS errors

2023-09-12 Thread Camille - Clean Mailbox via mailop
Hi, I didn't change anything in Postfix configuration. But yes, over the last months, we upgraded from Debian 11 (OpenSSL 1.1.1n) to Debian 12 (OpenSSL 3.0.9). I don't see anything in openssl.cnf that could restrict something, if you have any idea. Best regards, Camille Le 12/09/2023 à

Re: [mailop] Increase of SSL/TLS errors

2023-09-12 Thread Slavko via mailop
On 12 September 2023 6:18:56 UTC user Camille - Clean Mailbox via mailop wrote: >Also I think it's normal that the client doesn't like the answer of my servers >if the client tries to initiate a SSLv3 connection, as I've disabled it in >Postfix. While I am not familiar with postfix

Re: [mailop] Increase of SSL/TLS errors

2023-09-12 Thread Slavko via mailop
On 12 September 2023 6:12:16 UTC user "Taavi Eomäe via mailop" wrote: >No. The chain may contain an expired root certificate. A client must only >validate the chain until the first trusted root. LetsEncrypt's should be >trusted first, certificate chain must be validated until that

Re: [mailop] Increase of SSL/TLS errors

2023-09-12 Thread James Renken via mailop
Hi, Camille, On 2023-09-12 06:18, Camille - Clean Mailbox via mailop wrote: I think my certificate chain is fine, no trace of DST. It's hiding there in the last certificate in the chain you pasted, which I also see when I connect: > 2 s:C = US, O = Internet Security Research Group, CN = ISRG

Re: [mailop] Increase of SSL/TLS errors

2023-09-12 Thread Taavi Eomäe via mailop
> Can you check on your side that communication is OK with my servers? Do I understand correctly that the servers of senders are guilty, and it's not something on my side? Looks correct to me and Hardenize. If anything, TLSv1.0 should probably be disabled at this point.

Re: [mailop] Increase of SSL/TLS errors

2023-09-12 Thread Camille - Clean Mailbox via mailop
Hi Bill, └─# openssl s_client -connect mx.clean-mailbox.com:25 -starttls smtp [...] --- Certificate chain  0 s:CN = clean-mailbox.com    i:C = US, O = Let's Encrypt, CN = R3    a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256    v:NotBefore: Aug 30 21:56:24 2023 GMT; NotAfter: Nov 28

Re: [mailop] Increase of SSL/TLS errors

2023-09-12 Thread Taavi Eomäe via mailop
> TL;DR: you need to fix the chain of trust for your certificate. You should remove any reference to the 'DST Root CA X3' certificate. You may also need to change how you maintain your certificate. No. The chain may contain an expired root certificate. A client must only validate the chain

Re: [mailop] Increase of SSL/TLS errors

2023-09-12 Thread ml+mailop--- via mailop
On Mon, Sep 11, 2023, Camille - Clean Mailbox via mailop wrote: > 2023-09-11T22:47:26.496119+02:00 mx1 postfix/smtpd[850937]: warning: TLS > library problem: error:0AC1:SSL routines::no shared > cipher:../ssl/statem/statem_srvr.c:2220: Did you change the default TLS settings (of postfix),

Re: [mailop] Increase of SSL/TLS errors

2023-09-11 Thread Bill Cole via mailop
On 2023-09-11 at 17:05:00 UTC-0400 (Mon, 11 Sep 2023 23:05:00 +0200) Camille - Clean Mailbox via mailop is rumored to have said: Dear co-listers, I'm seeing an increase of SSL/TLS errors for incoming emails to our service over the last few weeks. Example from Mailjet, which is (I suppose)

[mailop] Increase of SSL/TLS errors

2023-09-11 Thread Camille - Clean Mailbox via mailop
Dear co-listers, I'm seeing an increase of SSL/TLS errors for incoming emails to our service over the last few weeks. Example from Mailjet, which is (I suppose) able to send email in TLS 1.2 or 1.3 instead of SSLv3: 2023-09-11T21:19:31.079142+02:00 mx4 postfix/smtpd[633448]: SSL_accept