Discussion:
OT: help me confirm that thunderbird v45.2 fails with tls in default postfix smtpd_tls_*
Benny Pedersen
2016-07-28 18:29:00 UTC
Jul 28 18:24:13 localhost postfix/smtpd[20024]: warning: TLS library
problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
certificate:s3_pkt.c:1472:SSL alert number 42:
Jul 28 18:32:14 localhost postfix/smtps/smtpd[20342]: warning: TLS
library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert
unknown ca:s3_pkt.c:1472:SSL alert number 48:
Jul 28 18:36:02 localhost postfix/submission/smtpd[20421]: warning: TLS
library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert
unknown ca:s3_pkt.c:1472:SSL alert number 48:

smtpd_tls_CAfile = /etc/ssl/rapidssl/intermidiate.crt
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_cert_file = /etc/ssl/rapidssl/server_2016.crt
smtpd_tls_dh1024_param_file = /etc/ssl/rapidssl/dh2048.pem
smtpd_tls_dh512_param_file = /etc/ssl/rapidssl/dh512.pem
smtpd_tls_key_file = /etc/ssl/rapidssl/server.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = no
smtpd_tls_security_level = may

Is it my own fault?
Noel Jones
2016-07-28 19:18:08 UTC
Post by Benny Pedersen
Jul 28 18:24:13 localhost postfix/smtpd[20024]: warning: TLS library
problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
Jul 28 18:32:14 localhost postfix/smtps/smtpd[20342]: warning: TLS
library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1
TLS library problem: error:14094418:SSL
routines:ssl3_read_bytes:tlsv1 alert unknown ca:s3_pkt.c:1472:SSL
smtpd_tls_CAfile = /etc/ssl/rapidssl/intermidiate.crt
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_cert_file = /etc/ssl/rapidssl/server_2016.crt
smtpd_tls_dh1024_param_file = /etc/ssl/rapidssl/dh2048.pem
smtpd_tls_dh512_param_file = /etc/ssl/rapidssl/dh512.pem
smtpd_tls_key_file = /etc/ssl/rapidssl/server.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = no
smtpd_tls_security_level = may
Is it my own fault?
Looks as if your certificate is borked.
There are no general problems with using Thunderbird to connect to
postfix, or you can use
openssl s_client -connect yourserver:587 -starttls smtp

If openssl connects, you're OK. If it gives an error, your cert is
broken somehow.



-- Noel Jones
Benny Pedersen
2016-07-28 19:38:27 UTC
Post by Noel Jones
openssl s_client -connect yourserver:587 -starttls smtp
Tested, and it works with that one as it should.

Outlook Express and Android work as well; it's just that for me Thunderbird
does not.
Post by Noel Jones
If openssl connects, you're OK. If it gives an error, your cert is
broken somehow.
openssl & postfix work here.
Juri Haberland
2016-07-28 19:43:07 UTC
Post by Benny Pedersen
Post by Noel Jones
openssl s_client -connect yourserver:587 -starttls smtp
Tested, and it works with that one as it should.
Outlook Express and Android work as well; it's just that for me Thunderbird
does not.
Thunderbird and Postfix work here for years without a problem, so there is
most likely no general problem with this combination.

Have you by any chance imported an old certificate in Thunderbird?
Check your certificate storage in Thunderbird.

Cheers,
Juri
Noel Jones
2016-07-28 19:49:33 UTC
Post by Benny Pedersen
Post by Noel Jones
openssl s_client -connect yourserver:587 -starttls smtp
Tested, and it works with that one as it should.
Outlook Express and Android work as well; it's just that for me
Thunderbird does not.
Post by Noel Jones
If openssl connects, you're OK. If it gives an error, your cert is
broken somehow.
openssl & postfix work here.
Those are the kind of things you should point out in your original
mail...

Thunderbird 45.2 on Windows 7 & 10 works fine here talking to
postfix. Can't speak about other OSes.



-- Noel Jones
Viktor Dukhovni
2016-07-28 19:59:26 UTC
Post by Benny Pedersen
Jul 28 18:24:13 localhost postfix/smtpd[20024]: warning: TLS library
problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
Thunderbird does not trust the server certificate, get a certificate
it trusts. Perhaps the certificate uses SHA1 or MD5, or perhaps its
issuer is not trusted? Or the hostname does not match, or the chain
file is missing an intermediate certificate, ...

You need to post the certificate chain and the Thunderbird SMTP
settings for further help.
--
Viktor.
Benny Pedersen
2016-07-28 20:11:10 UTC
Post by Viktor Dukhovni
You need to post the certificate chain and the Thunderbird SMTP
settings for further help.
How do I do that?
Viktor Dukhovni
2016-07-28 22:22:09 UTC
Post by Benny Pedersen
Post by Viktor Dukhovni
You need to post the certificate chain and the Thunderbird SMTP
settings for further help.
How do I do that?
If the server is reachable over the Internet, just post its hostname.
Otherwise, assuming submission is on port 587, post the output of:

posttls-finger -cC -Lsummary "[$(uname -n)]:587"

If you don't have "posttls-finger" and it is too difficult to build
from a recent Postfix source tarball, then post the output of:

$ openssl crl2pkcs7 -nocrl -certfile $(postconf -xh smtpd_tls_cert_file) |
openssl pkcs7 -print_certs

--
Viktor.
Benny Pedersen
2016-07-28 22:44:59 UTC
Post by Viktor Dukhovni
posttls-finger -cC -Lsummary "[$(uname -n)]:587"
posttls-finger: certificate verification failed for
localhost[127.0.0.1]:587: untrusted issuer /C=US/O=GeoTrust
Inc./CN=RapidSSL SHA256 CA

The rest of the lines are not posted.

uname -n has no IP addr; don't know if that's an error on its own.
Viktor Dukhovni
2016-07-28 23:06:30 UTC
Post by Benny Pedersen
Post by Viktor Dukhovni
posttls-finger -cC -Lsummary "[$(uname -n)]:587"
posttls-finger: certificate verification failed for
localhost[127.0.0.1]:587: untrusted issuer /C=US/O=GeoTrust Inc./CN=RapidSSL
SHA256 CA
The rest of the lines are not posted.
Why do I bother asking? :-( Do post the *full* output as requested.
--
Viktor.
Benny Pedersen
2016-07-28 23:24:14 UTC
Post by Viktor Dukhovni
Post by Benny Pedersen
Post by Viktor Dukhovni
posttls-finger -cC -Lsummary "[$(uname -n)]:587"
posttls-finger: certificate verification failed for
localhost[127.0.0.1]:587: untrusted issuer /C=US/O=GeoTrust
Inc./CN=RapidSSL
SHA256 CA
The rest of the lines are not posted.
Why do I bother asking? :-( Do post the *full* output as requested.
Sorry, I did not post it all; I had the impression the first line was enough
for helping :(

The remaining lines are below here.

posttls-finger: Untrusted TLS connection established to
localhost[127.0.0.1]:587: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

---
Certificate chain
0 subject: /CN=*.junc.eu
issuer: /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
cert digest=50:F9:24:94:63:CC:36:DD:81:3E:72:64:0F:F3:17:E5:C2:01:6E:D2
pkey digest=17:EA:44:34:DB:68:42:75:A3:23:36:89:30:51:E7:64:69:93:80:0B

More debugging can be done with:

posttls-finger junc.eu
Bill Cole
2016-07-29 01:18:50 UTC
Post by Benny Pedersen
smtpd_tls_CAfile = /etc/ssl/rapidssl/intermidiate.crt
Perhaps that should be 'intermediate.crt' instead?

Because your server is only sending its own certificate, not any chain
linking it to a trusted root. So even if a file of the name you've set
exists, it does not contain any certificates.
Viktor Dukhovni
2016-07-29 01:46:25 UTC
Post by Viktor Dukhovni
Why do I bother asking? :-( Do post the *full* output as requested.
Sorry, I did not post it all; I had the impression the first line was enough for
helping :(
Leaving out the boring bits, the certificate is:

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=GeoTrust Inc., CN=RapidSSL SHA256 CA
Validity
Not Before: Mar 7 00:00:00 2016 GMT
Not After : Jun 6 23:59:59 2019 GMT
Subject: CN=*.junc.eu
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:*.junc.eu, DNS:junc.eu
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1(0)
Timestamp : Mar 7 15:14:53.423 2016 GMT
Extensions: none
Signature : ecdsa-with-SHA256
Signed Certificate Timestamp:
Version : v1(0)
Timestamp : Mar 7 15:14:53.493 2016 GMT
Extensions: none
Signature : ecdsa-with-SHA256
Signed Certificate Timestamp:
Version : v1(0)
Timestamp : Mar 7 15:14:53.464 2016 GMT
Extensions: none
Signature : ecdsa-with-SHA256
Signed Certificate Timestamp:
Version : v1(0)
Timestamp : Mar 7 15:14:53.504 2016 GMT
Extensions: none
Signature : ecdsa-with-SHA256

This is issued by an intermediate CA, which you've not configured
as part of your chain. I don't think the CT extensions are related
to the problem, and the certificate is otherwise rather ordinary,
so the missing intermediate is almost certainly the problem.

You need to append:

subject= /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
issuer= /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
notBefore=Dec 11 23:45:51 2013 GMT
notAfter=May 20 23:45:51 2022 GMT

to your server certificate file.
--
Viktor.
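The missing-intermediate diagnosis above, and the posttls-finger / openssl verification suggested earlier in the thread, as an added check script (not code from the thread or from Postfix): it splits a server certificate bundle, verifies the first certificate the way a client would, and names any certificate whose issuer is absent from the file. It assumes openssl(1) is installed and takes a PEM file of trust anchors as its second argument; the paths in the usage comment are the thread's own config value and Debian's default CA bundle.

```shell
#!/bin/sh
# Added example (not from the thread): does the PEM bundle Postfix serves from
# smtpd_tls_cert_file let a client build a path to a trusted root?
# Assumes openssl(1) is installed; TRUSTFILE is a PEM file of trust anchors.

# split_bundle BUNDLE DIR: write each certificate to DIR/NN.pem, print the count
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%02d.pem", dir, n) }
        n { print > f }
        /-----END CERTIFICATE-----/ { close(f) }
        END { print n + 0 }
    ' "$1"
}

# chain_check BUNDLE TRUSTFILE: return 0 when the first certificate (the server
# certificate, which Postfix expects first) verifies using the rest of the file
# as untrusted intermediates and TRUSTFILE as the only trust anchors. Otherwise
# name every certificate whose issuer is not in the bundle and return 1.
chain_check() {
    bundle=$1 trust=$2
    dir=$(mktemp -d) || return 2
    n=$(split_bundle "$bundle" "$dir")
    if [ "$n" -lt 1 ]; then echo "no certificates in $bundle"; rm -rf "$dir"; return 1; fi
    if openssl verify -CAfile "$trust" -untrusted "$bundle" "$dir/01.pem" >/dev/null 2>&1; then
        rm -rf "$dir"
        return 0
    fi
    echo "$bundle: chain does not verify against $trust"
    for f in "$dir"/*.pem; do
        me=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject=//')
        issuer=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer=//')
        found=no
        for g in "$dir"/*.pem; do
            subject=$(openssl x509 -in "$g" -noout -subject | sed 's/^subject=//')
            [ "$subject" = "$issuer" ] && found=yes
        done
        # the last link may be a root the client already trusts; any other
        # certificate reported here is an intermediate that must be appended
        [ "$found" = no ] && echo "  subject=$me has issuer=$issuer, not in the bundle"
    done
    rm -rf "$dir"
    return 1
}

# Run directly: sh check_chain.sh /etc/ssl/rapidssl/server_2016.crt /etc/ssl/certs/ca-certificates.crt
if [ "$#" -eq 2 ]; then
    chain_check "$1" "$2"
fi
```

On the thread's original setup (leaf only, issued by RapidSSL SHA256 CA) the script reports the leaf's issuer as missing from the bundle; after the intermediate is appended it verifies cleanly.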
Benny Pedersen
2016-07-29 02:27:16 UTC
Post by Viktor Dukhovni
to your server certificate file.
Thanks, this solved it; it's not well explained anywhere.

posttls-finger shows nearly the same problem on mailville.dk; hope I
have solved it so at least they can send me mail now.

If Thunderbird can now post this reply here, it's working now.

So, to remember: the Postfix cert file needs to be chained with the
intermediate.crt file?
Viktor Dukhovni
2016-07-29 02:28:51 UTC
So, to remember: the Postfix cert file needs to be chained with the
intermediate.crt file?
http://www.postfix.org/TLS_README.html#server_cert_key
--
Viktor.
Bill Cole
2016-07-29 02:31:59 UTC
Post by Benny Pedersen
Post by Viktor Dukhovni
to your server certificate file.
Thanks, this solved it; it's not well explained anywhere.
posttls-finger shows nearly the same problem on mailville.dk; hope I
have solved it so at least they can send me mail now.
If Thunderbird can now post this reply here, it's working now.
So, to remember: the Postfix cert file needs to be chained with the
intermediate.crt file?
Not "need to be" but "can be".

See my earlier message noting the typo in your config.
