SSL for mail server - email

I don't know if I am asking this in the right place.
I have an SSL cert for my website, and I am trying to set up a mail server (same domain) using the same cert.
I am using Postfix and Dovecot. When I try logging in from Evolution mail client, I get an error "Peer failed to perform TLS handshake". When I try an online service to verify I get "Recipient address rejected: User unknown in local recipient table."
I guess my actual question is, can I actually use the same SSL cert for my website and my email server?
What do I do to debug next?

You can use a certificate you have for the web server also for your mail server as long as it matches the hostname you use to access your mail server. Of course the certificate needs to be properly set up at the mail server, i.e. include the necessary intermediate certificates similar to how it is (hopefully) set up on the web server.
I am using Postfix and Dovecot.
This means you need to take care of multiple configurations, both for SMTP in Postfix and IMAP/POP3 (whatever you use) in Dovecot. And in all cases the certificates subject/SAN must match the hostname you use to connect to the server.
When I try logging in from Evolution mail client, I get an error "Peer failed to perform TLS handshake".
There is not enough information about this setup to find out what exactly is causing the TLS error. It is not even clear if the error is caused when retrieving mail (IMAP/POP3, i.e. Dovecot) or while sending (Postfix).
When I try an online service to verify I get "Recipient address rejected: User unknown in local recipient table."
This has nothing to do with TLS at all. The test server simply tried to use a recipient which your mail server (Postfix) will not accept.
What do I do to debug next?
The next steps would probably be to check if the certificate matches the names you use in the first place and to look into log files for error messages or warnings. Following steps depend on what the result of these steps is.

Related

How to properly set up SRV records for ejabberd?

I'm trying to set up SRV records for my ejabberd server.
The domain I want to use to connect is, let's say, example.com and the server is hosted at server.example.com.
I've followed this guide and the records point perfectly to my server.
The thing is, when I try to connect from Conversations (xmpp client) using the example.com domain, I get an error message saying "The server is not responsible for this domain".
I tried adding example.com as a host on the ejabberd config, but then I get a self-signed certificate, that shouldn't be happening since let's encrypt is configured. I also tried requesting a certificate for example.com, but I need a server running on that domain for the verification, which I think is not the right solution.
Also, adding another host on the ejabberd config would be like creating another server?
Lastly, I also read this article, but it doesn't specify how to do it with another domain pointing to the server.
I want to be able to connect to my original server.example.com using only example.com, is this possible?

How can an IMAP connection fail with a certificate error when an SMTP connection with same credentials succeeds?

I am connecting to an HIE in two interfaces using Direct Messaging - one to send messages and one to retrieve messages. The first uses a protocol of SMTP connecting on port 587 without SSL/TLS and then issuing a STARTTLS. All outbound Direct messages go to this protocol; the HIE forwards the messages to the designated recipient. This works 100% of the time.
The retrieval interface also uses Direct Messaging, but connects with IMAP protocol on port 993. SSL/TLS is used, but there is no STARTTLS issued. This used to work 100% of the time. Now it fails on every connect attempt.
The error message is:
[java:java:ERR /1:fr_RHIO_direct_2:--/--/---- --:--:--] Catch Execption:
[java:java:ERR /1:fr_RHIO_direct_2:--/--/---- --:--:--] javax.mail.MessagingException: com.ibm.jsse2.util.h: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target;
Last week both interfaces failed at the same time with this PKIX path building error. The HIE sent us an updated digital certificate. The old one was removed from the keystore and the new one was imported. Upon recycling of the interfaces, the SMTP sending interface was restored to working order. However the retrieving interface is still failing with the same error.
Both interfaces use the same keystore. The configuration screens for both interfaces include a "keystore validation" function - both validate successfully, proving the location of the keystore and its password are correct in both interfaces.
Before last week, both interfaces worked correctly. Now only one works. The HIE uses Mirth Mail.
How is it possible that the same certificate path is correct in one interface but incorrect in another?
That was the right direction. It turns out that we were the only client to use IMAP; everyone else uses XDR. They had forgotten what to do with the IMAP service when a certificate is replaced. They had to restart a service called DOVECOT. Thanks for looking.

SSL_accept error in log while using Postfix

So I set up a mail server on my VPS with cyberpanel and I can send emails manually through rainloop. I also have a program based on the lettre crate for Rust which runs perfectly fine on my own devices and correctly sends emails out through code. However when I try to run the program on my VPS, I get the following messages in my syslog.
globalfun postfix/smtps/smtpd[24656]: connect from localhost[::1]
globalfun postfix/smtps/smtpd[24656]: SSL_accept error from localhost[::1]: -1
globalfun postfix/smtps/smtpd[24656]: warning TLS library problem: error 14094418:SSL routines:ssl3_resl3_read_bytes: tlsv1 alert unknown ca:../ssl/rec/layer_s3.c:1543:SSL alert number 48:
globalfun postfix/smtps/smtpd[24656]: lost connection after CONNECT from localhost[::1]
globalfun postfix/smtps/smtpd[24656]: disconnect from localhost[::1] commands=0/0
I don't really understand why I can't send out emails through my program but it seems to have something to do with SSL. For reference, I have two servers on the same domain - one for my website which has an SSL installed through Let's Encrypt and another for the mail server which doesn't have SSL on it. That said, I don't think that's the issue as I can send emails through the mail server manually completely fine. Does anyone have any ideas as to what's wrong? Thanks in advance.
globalfun postfix/smtps/smtpd[24656]: warning TLS library problem: error 14094418:SSL routines:ssl3_resl3_read_bytes: tlsv1 alert unknown ca:../ssl/rec/layer_s3.c:1543:SSL alert number 48:
Your client refuses to connect to your mail server since it does not trust the CA which issued the mail server's certificate. It notifies the server about this problem by sending an unknown ca TLS alert.
There can be various reasons for this. Typically it is either the use of a CA which is not trusted by the client, which needs to be fixed at the client (trust this CA) or at the server (use a certificate from a CA trusted by the client). Or the root CA is actually trusted but the server is not sending the intermediate certificates needed by the client to build the trust chain to this trusted root CA. This needs to be fixed at the server.
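The two checks the first answer on this page recommends (does the certificate cover the name you connect with, and are the intermediates served) and the "unknown ca" diagnosis above can be done with one openssl s_client probe. This script is an added example, not code from any answer in the thread; mail.example.com in the usage line is a placeholder, and the verify-code messages are my own wording of OpenSSL's X509 verify errors.

```shell
#!/bin/sh
# Probe a mail server's TLS endpoint with openssl s_client and turn the result
# into a plain diagnosis (added example; not from the original thread).
# Usage: ./mailtls-check.sh mail.example.com 587   (hostname is a placeholder)

# Read `openssl s_client -showcerts` output from stdin and explain the
# "Verify return code" line (OpenSSL X509 verify error numbers).
interpret_sclient() {
    out=$(cat)
    code=$(printf '%s\n' "$out" | sed -n 's/^Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
    # number of certificates the server actually sent (leaf + intermediates)
    certs=$(printf '%s\n' "$out" | grep -c 'BEGIN CERTIFICATE' || true)
    case ${code:-none} in
        0)     why="chain verified and hostname matches" ;;
        10)    why="certificate has expired" ;;
        18)    why="self-signed certificate: the server presents a default or self-signed cert, not the intended one" ;;
        19)    why="self-signed root in chain is not in the client trust store" ;;
        20|21) why="incomplete chain: server sent $certs cert(s) without a usable intermediate; clients report unknown ca or unable to verify the first certificate" ;;
        62)    why="hostname mismatch: certificate subject/SAN does not cover the name used to connect" ;;
        none)  why="no TLS handshake completed (wrong port, STARTTLS not offered, or nothing listening)" ;;
        *)     why="verify error $code (see the openssl verify error list)" ;;
    esac
    printf 'verify=%s certs=%s: %s\n' "${code:-none}" "$certs" "$why"
}

# Connect the way a mail client would: STARTTLS on the submission/IMAP/POP3
# ports, implicit TLS on 465/993/995, and check the SAN against HOST.
probe() {
    host=$1; port=$2
    case $port in
        25|587) extra="-starttls smtp" ;;
        110)    extra="-starttls pop3" ;;
        143)    extra="-starttls imap" ;;
        *)      extra="" ;;   # 465, 993, 995: TLS from the first byte
    esac
    # $extra is deliberately unquoted so the option and its argument split
    openssl s_client -connect "$host:$port" -servername "$host" \
        -verify_hostname "$host" -showcerts $extra </dev/null 2>/dev/null \
        | interpret_sclient
}

if [ "$#" -eq 2 ]; then
    probe "$1" "$2"
fi
```

Run it once per service and name actually used by the clients (Postfix on 587 or 465, Dovecot on 993), since each daemon has its own certificate configuration and a chain that is complete on one can still be missing on the other.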

Meteor send email without authentication

I am trying to send an email from my METEOR server as described:
https://docs.meteor.com/api/email.html
But I want to send emails without authentication. I have no username and password. If I try MAIL_URL=smtp://#relay.xy.xxxxx.com:578 without username and password I get the error:
unable to verify the first certificate.
Is it possible to set a parameter like "SMTPAuth=false" as in PHP?
Try removing the # in the URL, that might help.
You are specifying port 578, which is a secure port, so it's probably trying to establish a TLS session with your server, which might not have a legitimate SSL certificate, which is likely to be causing this error message.
You know that if you have an email server that will accept unauthorised send requests, that a bot will find it, and then pour spam through it?

use smtp.mydomain.com to forward to smtp.gmail.com?

I am using google apps for email. I can send email out through c# code fine with smtp.gmail.com.
I would like to be able to use the name smtp.mydomain.com instead, but still have it go to smtp.gmail.com. I tried just setting a CNAME in my DNS settings, but I get this error:
"The remote certificate is invalid according to the validation procedure."
Any ideas?
Thanks.
Yes, you can't, the TLS certificate used to communicate privately with the remote SMTP server is signed with smtp.gmail.com. The only solution is to create an SMTP relay with sendmail for example on your own server.