MailKit gets an SslHandshakeException with LetsEncrypt SSL certificates - centos

I have a server (Centos 7) setup to be used as mail server. Using postfix/dovecot/opendkim/opendmarc..
It works as it should, users are able to connect their emails using gmail for example. Able to send and receive mail.
Also when I use MailKit and test my .NET Core application from my home pc MailKit connects fine and the emails are send.
However, when I deploy the application to my server MailKit fails to connect.
If I look in the logs I see the following
postfix/submission/smtpd[4486]: match_hostname: unknown ~? 127.0.0.1/32
postfix/submission/smtpd[4486]: match_hostaddr: MY_SERVER_IP ~? 127.0.0.1/32
postfix/submission/smtpd[4486]: match_hostname: unknown ~? MY_SERVER_IP/32
postfix/submission/smtpd[4486]: match_hostaddr: MY_SERVER_IP ~? MY_SERVER_IP/32
postfix/submission/smtpd[4486]: lost connection after STARTTLS from unknown[MY_SERVER_IP]
But if I look a bit higher in the logs I see
Anonymous TLS connection established from unknown[MY_SERVER_IP]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
My MailKit (which works fine from outside of the server):
using (SmtpClient emailClient = new SmtpClient())
{
await emailClient.ConnectAsync(emailConfiguration.SmtpServer, emailConfiguration.SmtpPort, SecureSocketOptions.StartTls);
emailClient.AuthenticationMechanisms.Remove("XOAUTH2");
await emailClient.AuthenticateAsync(emailConfiguration.SmtpUsername, emailConfiguration.SmtpPassword);
await emailClient.SendAsync(message);
await emailClient.DisconnectAsync(true);
}
edit:
The exception from MailKit (certificate is proper and not self-signed):
MailKit.Security.SslHandshakeException: An error occurred while attempting to establish an SSL or TLS connection.
May 19 16:07:37 domain.com NETCoreApp[4452]: The server's SSL certificate could not be validated for the following reasons:
May 19 16:07:37 domain.com NETCoreApp[4452]: • The server certificate has the following errors:
May 19 16:07:37 domain.com NETCoreApp[4452]: • unable to get certificate CRL
May 19 16:07:37 domain.com NETCoreApp[4452]: • The root certificate has the following errors:
May 19 16:07:37 domain.com NETCoreApp[4452]: • unable to get certificate CRL
May 19 16:07:37 domain.com NETCoreApp[4452]: • unable to get local issuer certificate
May 19 16:07:37 domain.com NETCoreApp[4452]: ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

The unable to get certificate CRL error sounds like SslStream was unable to get the CRL, perhaps because the CRL server is unreachable for some reason.
You could try adding emailClient.CheckCertificateRevocation = false; before the ConnectAsync to check if that's the issue.
The other error, unable to get local issuer certificate, might be because the server that MailKit is running on doesn't have the Root CA certificate in its X509Store but your home PC does.
Update:
The problem is that LetsEncrypt SSL certificates do not include a CRL location which means that certificate revocation checks will fail.
To bypass this, you need to set client.CheckCertificateRevocation = false; before connecting.

I found an answer which works but isn't my preferred method since I wanted to be able to use MailKit for more that just my own server (make it configurable from within the app itself)
I came to the solution because I thought it had to do with some internal traffic going wrong..
By using the old SmtpClient from System.Net.Mail I was able to use the DefaultCredentials.
using (SmtpClient client = new SmtpClient("127.0.0.1"))
{
client.UseDefaultCredentials = true;
MailAddress from = new MailAddress(emailMessage.FromAddress.Address, emailMessage.FromAddress.Name);
foreach (IEmailAddress emailAddress in emailMessage.ToAddresses)
{
MailAddress to = new MailAddress(emailAddress.Address, emailAddress.Name);
MailMessage email = new MailMessage(from, to)
{
Subject = emailMessage.Subject,
Body = emailMessage.Content
};
await client.SendMailAsync(email);
}
}

I have the same problem on ubuntu 20.04 with .NET core 3.1
and after 3 hours of trial and error, I finally found the solution.
I've just ignored the Certificate Validation CallBack.
using var client = new SmtpClient(new ProtocolLogger("smtp.log"));
client.CheckCertificateRevocation = false;
client.ServerCertificateValidationCallback = (sender, certificate, chain, errors) => true;
client.Connect("your.smtp.host", 587, SecureSocketOptions.StartTls);
I hope this would be helpful :)

Related

Not able to authenticate SMTP clients on Debian+Postfix+SASL with rimap

I'm having a strange problem. I followed few guides from the net. My goal is to create a SMTP postfix that will use Cyrus SASL to authenticate users upon sending email with different imap server.
Making all more simple: have to transfer/replace current smtp server with new one as current is on public cloud and gets on black lists pretty often.
What I managed so far is:
Working Postfix
Authentication working when using :
testsaslauthd -u user#domain.com -p password
I'm getting Ok "Success" so I assume sasl itself work.
When I invoke saslfinger -s
I'm getting:
There is no smtpd.conf that defines what SASL should do for Postfix.
SMTP AUTH can't work!
but it seems that all is fine within the configuration files:
/etc/postfix/sasls/smtp.conf:
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
/etc/postfix/main.cf:
smtpd_recipient_restrictions = reject_invalid_hostname,
permit permit_mynetworks,
permit_sasl_authenticated
disable_vrfy_command = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
/etc/default/saslauthd-postfix:
START=yes
MECHANISMS="rimap"
MECH_OPTIONS="domain.com -r"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
I'm running postfix chroot'ed so had to create a symlink but like I said. It all seems to work independently, just need to be linked somehow.
When I try to setup account in outlook, I got wrong name or password.
The log on Debian says:
May 11 23:35:43 smtp-test postfix/smtpd[741]: warning: unknown[192.168.108.1]: SASL NTLM authentication failed: authentication failure
May 11 23:35:43 smtp-test postfix/smtpd[741]: warning: SASL authentication failure: unable to canonify user and get auxprops
May 11 23:35:43 smtp-test postfix/smtpd[741]: warning: unknown[192.168.108.1]: SASL DIGEST-MD5 authentication failed: authentication failure
May 11 23:35:43 smtp-test postfix/smtpd[741]: warning: unknown[192.168.108.1]: SASL LOGIN authentication failed: authentication failure
May 11 23:35:43 smtp-test postfix/smtpd[741]: lost connection after AUTH from unknown[192.168.108.1]
May 11 23:35:43 smtp-test postfix/smtpd[741]: disconnect from unknown[192.168.108.1]
Strange thing is it tries NTLM(not mentioned anywhere) instead of RIMAP. And cannot make canonical name of user even after adding -r switch that should combine name and realm/domain name.
I guess that is related to first warning from saslfinger but cannot find the cause.
All updated to newest available versions.
Any help?

SwiftMailer connection established error

I have problem with sending mails. I using SwiftMailer 5.1.0 and account on gmail, smtp port 465 and openssl is enable, but I have this error:
Serwer: smtp.gmail.com:465 ssl
From: BizIn - system mailowy <isystemnew.pcet#gmail.com>
To: test7771#test.pl
Mail debug: Connection could not be established with host smtp.gmail.com [ #0]
At my localhost everything is okey and mails are send. But on serwer I have error.
Localhost using PHP in version 5.4.31, but at server is 5.6.0.
The fix here solved it for me: https://github.com/swiftmailer/swiftmailer/issues/544
#if-joerch
if-joerch commented on Nov 3, 2014
If you are using PHP 5.6, the error does occur because of the "SSL
context options" used for the stream context in swiftmailer. IN PHP
5.6 verify_peer and verify_peer_name the default was set to TRUE, so PHP checks the SSL certificate. It is currently not possible to
disable it in swiftmailer using some options.
You could disable the SSL check by modifying the function
"_establishSocketConnection" in StreamBuffer.php. Add these lines
before stream_socket_client command:
$options['ssl']['verify_peer'] = FALSE;
$options['ssl']['verify_peer_name'] = FALSE;
It would be great if these options could be set without hacking the
code.

Fiddler Error Connecting to HTTPS Applications !SecureClientPipeDirect failed

Fiddler Error Connecting to HTTPS Applications
Fiddler Log:
!SecureClientPipeDirect failed: Authentication failed because the remote party has closed the transport stream. on pipe to (CN=services.bigpond.com, O=DO_NOT_TRUST_BC, OU=Created by http://www.fiddler2.com)
I have followed other posts but no answers
The typical explanation for this message, as documented in many places, is that the client application has not been configured to trust Fiddler's root certificate. As such, the client closes the connection to Fiddler when it sees the untrusted certificate.
http://fiddler2.com/documentation/Configure-Fiddler/Tasks/TrustFiddlerRootCert
In Kestrel I'm using an SSL cert.
I 'downgraded' the TLS protocol in order to get this to work.
This is not something you'd do in production - but in production you shouldn't be using kestrel. I'm not saying this is the best overall config, but this is mainly to show the SslProtocols option.
WebHost.CreateDefaultBuilder(args)
.UseKestrel(options =>
{
options.Listen(IPAddress.Any, 5000); // http:localhost:5000
options.Listen(IPAddress.Any, 44300, listenOptions =>
{
// https://dotnetthoughts.net/enable-http2-on-kestrel/
//listenOptions.Protocols = Microsoft.AspNetCore.Server.Kestrel.Core.HttpProtocols.Http2;
listenOptions.UseHttps(#"S:\WORK\SSL\example.com.pfx", "cert-password", httpsOptions =>
{
httpsOptions.SslProtocols = System.Security.Authentication.SslProtocols.Tls;
});
});
})
.UseStartup<Startup>();

Tomcat as Clients communicating with multiple separated Servers via SSL

Here is the scenario:
I have multiple application servers running locally for now (should be running in different host) --> each is listening on different port (at localhost).
I have a single client application running on Tomcat.
When startup Tomcat, login with different user's details with connect to different (above) servers remotely.
My problem is:
First, I startup Tomcat and logged in as userA, it then connected successfully to serverA(localhost:1000).
Then I logged out.
Logged in again as userB, it did NOT connect to serverB(localhost:1001) as expected; instead, it gave exception
"javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown"
However, if I restart Tomcat, and login as userB first, it then connects successfully to serverB.
Does anyone know what the problem is?
I really appreciate any suggestion :)
Code for client Tomcat:
SetupClientKeystore();
SetupServerKeystore();
SSLContext context = SetupSSLContext();
SSLSocketFactory socketFactory = sslContext.getSocketFactory();
SSLSocket socket = (SSLSocket) socketFactory.createSocket(hostname, portNo);
GZIPOutputStream gZipOut = new GZIPOutputStream(socket.getOutputStream()); // no trust certificate found throws here
Code for serverA and B:
setupClientKeyStore();
setupServerKeystore();
setupSSLContext();
server = new ServerSocket(portNo);
SSLServerSocketFactory socketFactory = sslContext.getServerSocketFactory();
serverSocket = (SSLServerSocket) socketFactory.createServerSocket(portNo);
serverSocket.setNeedClientAuth(true);
while ( true )
{
Socket client = serverSocket.accept();
inStream = client.getInputStream();
BufferedInputStream bufferedIn = new BufferedInputStream(inStream); //unknown_certificate throws here
//do something here.....
}
"javax.net.ssl.SSLHandshakeException: Received fatal alert:
certificate_unknown"
This usually indicates that the server's certificate is not trusted.
Could it be that when you log-in as userA you load the trusted certificate of serverA and connect, and then when you try to connect to serverB you try to authenticate serverB using the certificate of ServerA (loaded when you logged in as userA)?
As a result the SSL handshake fails.
So when you restart and login as userB the appropriate certificate (i.e. of ServerB) is loaded and the connection is succesfull?
You have no code in your post but if you do it as I say, this explains the exception.

Weblogic REST Client with Jersey HTTPS: Handshake failure

Setup: WL 9.2 + Jersey 1.1.5.1 on WL's Jrockit.
Picked Jersey 1.1.5.1 because newer versions require Java 6, I believe.
Weblogic EJB acts as REST Client and keeps getting this error:
ClientHandlerException: javax.net.ssl.SSLKeyException: [Security:090477]Certificate chain received from svcpoint.restprovider.com - xx.xxx.xxx.xx was not trusted causing SSL handshake failure.
As this just a POC implementation, Weblogic is setup with various flags to ignore cert verification just to make this error go away:
-Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.SSL.enforceConstraints=off -Dweblogic.webservice.client.ssl.strictcertchecking=false
Also, the Jersey config setup includes this bit:
SSLContext ctx = SSLContext.getInstance("SSL");
HTTPSProperties prop = new HTTPSProperties(
new HostnameVerifier () {
public boolean verify(String hostname, SSLSession session) {
System.out.println("\n\nFAKE_Verifier: " + hostname+"\n\n");
return true;
}
}, ctx);
config.getProperties().put(HTTPSProperties.PROPERTY_HTTPS_PROPERTIES, prop);
Finally, the sole WL server, technically the admin srv, was configured in the admin console SSL.Advanced settings to not use Hostname Verification.
Now, I'm pretty sure my fake validator setup for Jersey is not actually involved, as I see this error from SSL debug:
<SecuritySSL> <000000> <weblogic user specified trustmanager validation status 16>
<Security> <BEA-090477> <Certificate chain received from svcpoint.restprovider.com - xx.xxx.xxx.xx was not trusted causing SSL handshake failure.>
<SecuritySSL> <000000> <Validation error = 16>
<SecuritySSL> <000000> <Certificate chain is untrusted>
<SecuritySSL> <000000> <SSLTrustValidator returns: 16>
<SecuritySSL> <000000> <Trust status (16): CERT_CHAIN_UNTRUSTED>
<SecuritySSL> <000000> <NEW ALERT with Severity: FATAL, Type: 42
java.lang.Exception: New alert stack
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
I've googled and looked at other similar issues here on SO, but I'm probably missing something. Also, from what I can judge the cert seems valid, showing it's for CN=*.restprovider.com, expiring in Nov 2011.
The certificate is untrusted. I think the best solution would be adding it to the Weblogic's trust store using the keytool:
keytool -importcert -trustcacerts ...
You can also do it in code:
TrustManagerFactory trustManagerFactory = TrustManagerFactory
.getInstance("SunX509");
trustManagerFactory.init(trustStore);
trustManagers = trustManagerFactory.getTrustManagers();
SSLContext context = SSLContext.getInstance("TLS");
context.init(keyManagers, trustManagers, new SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());
trustStore - is a keystore containing the certificate