1 (edited by centosnoob 2017-03-30 09:55:23)

Topic: Untrusted TLS connection established Error Message

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.6
- Linux/BSD distribution name and version: Centos 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MariaDB
- Web server (Apache or Nginx): NGINX
- Manage mail accounts with iRedAdmin-Pro? No
- Related log if you're reporting an issue: /var/log/maillog
====

My logs are showing me that mail sent to me is causing an untrusted TLS connection. It has caused some mail bounces to occur.

===========================================================================

Mar 29 18:48:13 mx postfix/submission/smtpd[11301]: connect from localhost[127.0.0.1]
Mar 29 18:48:13 mx postfix/submission/smtpd[11301]: Anonymous TLS connection established from localhost[127.0.0.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 29 18:48:13 mx postfix/submission/smtpd[11301]: CE7D2831C: client=localhost[127.0.0.1], sasl_method=LOGIN, sasl_username=noreply@ainapse.com
Mar 29 18:48:13 mx postfix/cleanup[11310]: CE7D2831C: message-id=<e682a7fc71bb368954f142a5e66a8fce@ainapse.com>
Mar 29 18:48:13 mx opendkim[9299]: CE7D2831C: DKIM-Signature field added (s=default, d=ainapse.com)
Mar 29 18:48:13 mx postfix/qmgr[10752]: CE7D2831C: from=<noreply@ainapse.com>, size=582, nrcpt=1 (queue active)
Mar 29 18:48:13 mx roundcube: <qb1rn7gt> User noreply@ainapse.com [218.185.235.166]; Message for anthony@anthonyparsons.com.au; 250: 2.0.0 Ok: queued as CE7D2831C
Mar 29 18:48:14 mx postfix/submission/smtpd[11301]: disconnect from localhost[127.0.0.1]
Mar 29 18:48:15 mx postfix/smtp[11315]: Untrusted TLS connection established to my.imail.ninja[103.236.163.22]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 29 18:48:15 mx postfix/smtp[11315]: CE7D2831C: to=<anthony@anthonyparsons.com.au>, relay=my.imail.ninja[103.236.163.22]:25, delay=1.8, delays=0.14/0.03/1.2/0.44, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5485610B45)
Mar 29 18:48:15 mx postfix/qmgr[10752]: CE7D2831C: removed
Mar 29 18:48:15 mx postfix/anvil[11274]: statistics: max connection rate 1/60s for (smtpd:103.236.163.22) at Mar 29 18:44:52
Mar 29 18:48:15 mx postfix/anvil[11274]: statistics: max connection count 1 for (smtpd:103.236.163.22) at Mar 29 18:44:52
Mar 29 18:48:15 mx postfix/anvil[11274]: statistics: max cache size 2 at Mar 29 18:44:54

===========================================================================

I'm sending from one iredmail server to the other at present, testing environments. The my.imail.ninja server is production though.

Sending to the test server from my production is causing mail to be rejected at the test server, though mail is accepted by gmail and such.

I've googled and tried a few methods I read about to fix it... but nothing has fixed it.

----

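The log lines above are the place to start, so here is an added example (not from the original post, and not iRedMail's or Postfix's own code): a small POSIX shell function that tallies Postfix's outbound "TLS connection established" lines by relay and trust level, plus a second one that lists relays that never reached Trusted. The sample log is constructed after the lines quoted in this thread; the extra relays (mx.example.test, mail.selfsigned.test) are invented.

```shell
#!/bin/sh
# Added example: summarise outbound TLS trust levels per relay from a
# Postfix maillog. Postfix's smtp client logs one of four levels:
#   Anonymous  - remote offered no certificate
#   Untrusted  - certificate offered, but the chain could not be verified
#   Trusted    - chain verified against smtp_tls_CAfile / smtp_tls_CApath
#   Verified   - trusted and the name matched (only at stricter security levels)
# Reads log text on stdin and prints "relay level count", sorted.
summarize_tls_trust() {
    awk '
        match($0, /(Anonymous|Untrusted|Trusted|Verified) TLS connection established to [^ ]+/) {
            n = split(substr($0, RSTART, RLENGTH), f, " ")
            level = f[1]; relay = f[n]
            sub(/:$/, "", relay)      # drop the ":" that follows host[ip]:port
            count[relay " " level]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# Relays that never produced a Trusted or Verified connection: candidates for
# a self-signed cert, a missing intermediate, or a root we do not trust.
never_trusted() {
    summarize_tls_trust | awk '
        { seen[$1] = 1; if ($2 == "Trusted" || $2 == "Verified") good[$1] = 1 }
        END { for (r in seen) if (!(r in good)) print r }
    ' | sort
}

# Constructed sample, modelled on the lines quoted in this thread (not real traffic).
SAMPLE_LOG='Mar 29 18:48:13 mx postfix/submission/smtpd[11301]: Anonymous TLS connection established from localhost[127.0.0.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 29 18:48:15 mx postfix/smtp[11315]: Untrusted TLS connection established to my.imail.ninja[103.236.163.22]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 30 09:10:02 mx postfix/smtp[11402]: Untrusted TLS connection established to my.imail.ninja[103.236.163.22]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 30 09:12:40 mx postfix/smtp[11410]: Trusted TLS connection established to mx.example.test[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar 30 11:02:17 mx postfix/smtp[11455]: Untrusted TLS connection established to mail.selfsigned.test[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 31 20:48:51 mx postfix/smtp[31908]: Trusted TLS connection established to my.imail.ninja[103.236.163.22]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)'

demo_summary()       { printf '%s\n' "$SAMPLE_LOG" | summarize_tls_trust; }
demo_never_trusted() { printf '%s\n' "$SAMPLE_LOG" | never_trusted; }

demo_summary
echo "--- never trusted:"
demo_never_trusted
```

On a live box, replace the sample with `grep 'TLS connection established to' /var/log/maillog | summarize_tls_trust`. Inbound lines from smtpd say "established from" and are deliberately ignored: they describe the other side's view of your certificate, not your view of theirs.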

2

Re: Untrusted TLS connection established Error Message

centosnoob wrote:

Untrusted TLS connection established to

This means the SSL cert used by Postfix is a self-signed SSL cert. You can replace it with a purchased one or request one from Let's Encrypt; then it will show something like "Trusted TLS connection ...".

3 (edited by centosnoob 2017-03-31 15:39:09)

Re: Untrusted TLS connection established Error Message

That is using a Let's Encrypt one... and it is current. https://my.imail.ninja

/etc/postfix/main.cf

smtpd_tls_key_file = /etc/letsencrypt/live/imail.ninja/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/imail.ninja/cert.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/imail.ninja/chain.pem


Additionally, just for laughs, I registered a Comodo cert and installed that to test. Same issue when sending from my.imail.ninja to my test setup using mx.ainaps.com:

Mar 31 18:29:59 my postfix/submission/smtpd[17233]: 2BAE310B42: client=unknown[218.185.235.166], sasl_method=PLAIN, sasl_username=anthony@anthonyparsons.com.au
Mar 31 18:29:59 my postfix/cleanup[17237]: 2BAE310B42: message-id=<426B502D-600F-4483-BAAA-C380EA4B3525@anthonyparsons.com.au>
Mar 31 18:29:59 my opendkim[17438]: 2BAE310B42: DKIM-Signature field added (s=default, d=anthonyparsons.com.au)
Mar 31 18:29:59 my postfix/qmgr[12477]: 2BAE310B42: from=<anthony@anthonyparsons.com.au>, size=793, nrcpt=1 (queue active)
Mar 31 18:30:00 my postfix/smtp[17205]: Untrusted TLS connection established to mx.ainaps.com[45.56.91.20]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 31 18:30:00 my postfix/smtp[17205]: 2BAE310B42: to=<postmaster@ainapse.com>, relay=mx.ainaps.com[45.56.91.20]:25, delay=1.7, delays=0.1/0/1.2/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 8A29E8140)
Mar 31 18:30:01 my postfix/qmgr[12477]: 2BAE310B42: removed

4

Re: Untrusted TLS connection established Error Message

centosnoob wrote:

smtpd_tls_cert_file = /etc/letsencrypt/live/imail.ninja/cert.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/imail.ninja/chain.pem

Try to use 'fullchain.pem' for both of them.
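To see what the fullchain.pem advice changes, here is an added shell example (not from the original thread, and not iRedMail's or Postfix's code). It builds a throw-away root, intermediate and leaf with openssl, then verifies the leaf the way a sending Postfix does: the client trusts only the root, so the intermediate has to come from the server, which it does only when the server presents fullchain.pem rather than cert.pem alone. It assumes openssl is in PATH; the names (Demo Root CA, mail.example.test) are invented.

```shell
#!/bin/sh
# Added example: build a throw-away root -> intermediate -> leaf chain and
# show why the file Postfix serves must include the intermediate.
# Assumes: openssl in PATH. All names and paths are made up for the demo.

write_ext() {   # $1 = file, remaining args = X.509 v3 extension lines
    f=$1; shift
    printf '%s\n' "$@" > "$f"
}

make_chain() {  # $1 = scratch directory; produces root.pem, int.pem, cert.pem, fullchain.pem
    d=$1
    # Root CA: the kind of cert a *sending* Postfix has in smtp_tls_CAfile / smtp_tls_CApath.
    write_ext "$d/ca.ext" 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash'
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=Demo Root CA' \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 2 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null

    # Intermediate CA: what actually signs the mail server's certificate.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=Demo Intermediate CA' \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 2 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null

    # Leaf: the mail server's own certificate (what Let's Encrypt calls cert.pem).
    write_ext "$d/leaf.ext" 'basicConstraints=CA:FALSE' \
        'extendedKeyUsage=serverAuth' 'subjectAltName=DNS:mail.example.test'
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=mail.example.test' \
        -keyout "$d/privkey.pem" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 2 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -extfile "$d/leaf.ext" -out "$d/cert.pem" 2>/dev/null

    # fullchain.pem = leaf followed by the intermediate(s); the root is never included.
    cat "$d/cert.pem" "$d/int.pem" > "$d/fullchain.pem"
}

# Client trusts only the root; server presents cert.pem alone.
# Fails with "unable to get local issuer certificate" -> Postfix would log "Untrusted".
verify_leaf_only() {
    openssl verify -CAfile "$1/root.pem" "$1/cert.pem" >/dev/null 2>&1
}

# Same client; server presents fullchain.pem. The intermediate arrives with the
# handshake as an untrusted helper cert and the chain closes -> "Trusted".
verify_fullchain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/fullchain.pem" "$1/cert.pem" >/dev/null 2>&1
}

demo() {
    scratch=$(mktemp -d)
    make_chain "$scratch"
    if verify_leaf_only "$scratch"; then echo "cert.pem alone: verified"
    else echo "cert.pem alone: NOT verified (missing intermediate)"; fi
    if verify_fullchain "$scratch"; then echo "fullchain.pem: verified"
    else echo "fullchain.pem: NOT verified"; fi
    rm -rf "$scratch"
}

demo
```

The same check against a real server, from any machine with the distro CA bundle, is `openssl s_client -starttls smtp -connect my.imail.ninja:25 -CAfile /etc/pki/tls/certs/ca-bundle.crt` (that bundle path is CentOS 7's): "Verify return code: 0 (ok)" corresponds to Trusted, while "21 (unable to verify the first certificate)" means the intermediate is missing from what the server sends. Note which side decides: the Trusted/Untrusted word is written by the sending server's smtp client from its own smtp_tls_CAfile or smtp_tls_CApath, while whether the chain can close depends on what the receiving server puts in smtpd_tls_cert_file.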

5

Re: Untrusted TLS connection established Error Message

Hmmm... no change, unfortunately.

I also went digging into the dovecot/conf.d/10-ssl.conf and changed the SSL key values in there to the fullchain.pem and privkey.pem, restarted, no change...

Added: ssl_ca = </etc/letsencrypt/live/imail.ninja/fullchain.pem to dovecot.conf too. No change.

6

Re: Untrusted TLS connection established Error Message

centosnoob wrote:

I also went digging into the dovecot/conf.d/10-ssl.conf

iRedMail uses only dovecot.conf, not the files under 'conf.d'. So you should change /etc/dovecot/dovecot.conf instead.

7 (edited by centosnoob 2017-04-01 11:52:10)

Re: Untrusted TLS connection established Error Message

OK... it seems that Let's Encrypt is not considered trusted. I was having the same issue with the PositiveSSL one; I hadn't actually installed the PositiveSSL CA bundle, as you recommended above, onto the mx.ainaps.com server until today. That fixed the issue, whereas the Let's Encrypt CA bundle does not fix it.

I also stumbled onto a huge issue with the distrust of Symantec, Thawte and GeoTrust: https://www.comodo.com/symantec/index.p … VSPBAN2017

It seems that Let's Encrypt is not a suitable certificate authority to use on the mail server FQDN. PositiveSSL works well.

So I changed the my.imail.ninja SSL cert from Let's Encrypt to PositiveSSL, and the problem is fixed:

Mar 31 20:48:51 mx postfix/smtp[31908]: Trusted TLS connection established to my.imail.ninja[103.236.163.22]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Bought you a cup of coffee, Zhang, for your help with this... thank you, as the CA bundle recommendation was part of the issue, when combined with using a better certificate.

8

Re: Untrusted TLS connection established Error Message

Thanks for sharing. And thanks for buying me coffee. :)