Error 46 with TLS


Error 46 with TLS

benoit
Hello,

I have a problem with my postfix server, I can't connect with TLS, I have
this error:

Sep 21 10:40:32 jolly postfix/smtpd[23341]: warning: TLS library
problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert
certificate unknown:../ssl/record/rec_layer_s3.c:1536:SSL alert number 46:

Connection works fine without TLS.

I use a Let's Encrypt certificate. My server is Debian Buster.

Thanks for help

Benoit


Re: Error 46 with TLS

Wietse Venema
benoit:

> Hello,
>
> I have a problem with my postfix server, I can't connect with TLS, I have
> this error:
>
> Sep 21 10:40:32 jolly postfix/smtpd[23341]: warning: TLS library
> problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert
> certificate unknown:../ssl/record/rec_layer_s3.c:1536:SSL alert number 46:
>
> Connection works fine without TLS.
>
> I use a Let's Encrypt certificate. My server is Debian Buster.

SSL alert number 46 means the client tried to verify the certificate.
Don't do that, or configure Postfix to provide more of the
certificate trust chain (the 'parent' certificates).

        Wietse



Re: Error 46 with TLS

Matus UHLAR - fantomas
>benoit:
>> I have a problem with my postfix server, I can't connect with TLS, I have
>> this error:
>>
>> Sep 21 10:40:32 jolly postfix/smtpd[23341]: warning: TLS library
>> problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert
>> certificate unknown:../ssl/record/rec_layer_s3.c:1536:SSL alert number 46:

"sslv3 alert certificate unknown" should give the hint.

>> Connection works fine without TLS.
>>
>> I use a Let's Encrypt certificate. My server is Debian Buster.

On 21.09.19 09:24, Wietse Venema wrote:
>SSL alert number 46 means the client tried to verify the certificate.
>Don't do that, or configure Postfix to provide more of the
>certificate trust chain (the 'parent' certificates).

The latter should be the proper solution. A client should not ignore the
certificate of the server it's going to authenticate against, and not
accepting an unknown server certificate seems to be recommended.

With Let's Encrypt (and most other certificate authorities), servers need to
provide the intermediate certificate in addition to their own cert.

Postfix does not have a separate configuration directive for a CA chain file (as
apache, proftpd and many other servers have), so you must append the certificate
chain file(s) to the certificate file provided with smtpd_tls_cert_file or
smtpd_tls_chain_files (since 3.4).

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I just got lost in thought. It was unfamiliar territory.

Re: Error 46 with TLS

Jim P.
On Sat, 2019-09-21 at 16:13 +0200, Matus UHLAR - fantomas wrote:
> With Let's Encrypt (and most other certificate authorities), servers need to
> provide the intermediate certificate in addition to their own cert.
>
> Postfix does not have a separate configuration directive for a CA chain file (as
> apache, proftpd and many other servers have), so you must append the certificate
> chain file(s) to the certificate file provided with smtpd_tls_cert_file or
> smtpd_tls_chain_files (since 3.4).

Wait, what?

This works perfectly fine for me on debian:

smtpd_tls_key_file=/etc/letsencrypt/live/smtp.domainmail.net/privkey.pem
smtpd_tls_cert_file=/etc/letsencrypt/live/smtp.domainmail.net/cert.pem
smtpd_tls_CAfile=/etc/letsencrypt/live/smtp.domainmail.net/fullchain.pem
smtpd_tls_CApath=/etc/ssl/certs/


-Jim P.


Re: Error 46 with TLS

benoit
In reply to this post by Matus UHLAR - fantomas

On 21/09/2019 at 16:13, Matus UHLAR - fantomas wrote:

>> benoit:
>>> I have a problem with my postfix server, I can't connect with TLS, I
>>> have this error:
>>>
>>> Sep 21 10:40:32 jolly postfix/smtpd[23341]: warning: TLS library
>>> problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert
>>> certificate unknown:../ssl/record/rec_layer_s3.c:1536:SSL alert
>>> number 46:
>
> "sslv3 alert certificate unknown" should give the hint.
>
>>> Connection works fine without TLS.
>>>
>>> I use a Let's Encrypt certificate. My server is Debian Buster.
>
> On 21.09.19 09:24, Wietse Venema wrote:
>> SSL alert number 46 means the client tried to verify the certificate.
>> Don't do that, or configure Postfix to provide more of the
>> certificate trust chain (the 'parent' certificates).
>
> The latter should be the proper solution. A client should not ignore the
> certificate of the server it's going to authenticate against, and not
> accepting an unknown server certificate seems to be recommended.
>
> With Let's Encrypt (and most other certificate authorities), servers
> need to provide the intermediate certificate in addition to their own cert.
>
> Postfix does not have a separate configuration directive for a CA chain
> file (as apache, proftpd and many other servers have), so you must append
> the certificate chain file(s) to the certificate file provided with
> smtpd_tls_cert_file or smtpd_tls_chain_files (since 3.4).
>

What are the certificate chain file(s)? Are those the files in /etc/ssl/certs?

Thank you

Benoit


Re: Error 46 with TLS

Matus UHLAR - fantomas
In reply to this post by Jim P.
>On Sat, 2019-09-21 at 16:13 +0200, Matus UHLAR - fantomas wrote:
>> With Let's Encrypt (and most other certificate authorities), servers need to
>> provide the intermediate certificate in addition to their own cert.
>>
>> Postfix does not have a separate configuration directive for a CA chain file (as
>> apache, proftpd and many other servers have), so you must append the certificate
>> chain file(s) to the certificate file provided with smtpd_tls_cert_file or
>> smtpd_tls_chain_files (since 3.4).

On 21.09.19 10:54, Jim P. wrote:
>Wait, what?
>
>This works perfectly fine for me on debian:
>
>smtpd_tls_key_file=/etc/letsencrypt/live/smtp.domainmail.net/privkey.pem
>smtpd_tls_cert_file=/etc/letsencrypt/live/smtp.domainmail.net/cert.pem
>smtpd_tls_CAfile=/etc/letsencrypt/live/smtp.domainmail.net/fullchain.pem
>smtpd_tls_CApath=/etc/ssl/certs/

I can confirm that smtp.domainmail.net provides the full chain.

I tried setting something like the above a while ago (Debian 7 or 8,
Postfix 2.9 or 2.11), and a customer complained about an invalid cert on the
SMTP server.

smtpd_tls_CAfile and smtpd_tls_CApath provide trusted certificates for
certificate verification.  They don't provide the intermediate certificate for
smtpd_tls_cert_file.

... or at least according to my experience and to postfix documentation:

        To enable a remote SMTP client to verify the Postfix SMTP server
certificate, the issuing CA certificates must be made available to the
client.  You should include the required certificates in the server
certificate file, the server certificate first, then the issuing CA(s)
(bottom-up order).

        Example: the certificate for "server.example.com" was issued by
"intermediate CA" which itself has a certificate of "root CA".  Create the
server.pem file with "cat server_cert.pem intermediate_CA.pem root_CA.pem >
server.pem".

I'd be glad if Postfix could pick the proper intermediate certificate, but my
experience and my understanding of the docs say otherwise.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I just got lost in thought. It was unfamiliar territory.

Re: Error 46 with TLS

Viktor Dukhovni
In reply to this post by benoit
> On Sep 21, 2019, at 9:03 AM, benoit <[hidden email]> wrote:
>
> I have a problem with my postfix server, I can't connect with TLS, I have this error:
>
> Sep 21 10:40:32 jolly postfix/smtpd[23341]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1536:SSL alert number 46:

* Since the report is from smtpd(8), this is an incoming
  SMTP connection from a client.

* The client's TLS stack is sending a TLS fatal alert message
  to the server.

* The alert in question is a "certificate unknown" alert, which
  might indicate that your certificate chain is issued by an
  unknown CA, *OR* is incomplete.

  A common mistake is to leave out intermediate issuer certificates
  from your server chain, and provide just the leaf certificate.
  DON'T DO THAT.  With Let's Encrypt, use "fullchain.pem".

* It is also possible that the client's alert is "imprecise" and
  the certificate name does not match the server name, or some
  other certificate related problem.  Diagnostic information on
  the client might shed more light on the issue.

--
        Viktor.
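The chain problem Matus (quoting TLS_README) and Viktor describe above, as an added example that is not code from the thread or from Postfix: a throwaway root/intermediate/leaf hierarchy is built with openssl, and the leaf is then checked the way a client that trusts only the root CA would check it. With leaf.pem alone the check fails (openssl reports the usual "unable to get local issuer certificate"), which is the client-side condition that comes back to smtpd as a "certificate unknown" alert; the same client accepts fullchain.pem, i.e. the server certificate first and its issuing intermediate after it. Assumptions of the example: openssl 1.1.1 or later on PATH, the CA names, the host name mail.example.test and the temporary-directory layout.

```shell
#!/bin/sh
# Added example, not code from the thread or from Postfix. Builds a throwaway
# root -> intermediate -> leaf chain with openssl and checks the leaf the way a
# client that trusts only the root CA would. Assumed: openssl 1.1.1+ on PATH,
# the CA names and mail.example.test below.
set -e

# make_chain DIR: write root/int/leaf keys and certs plus fullchain.pem into DIR.
# fullchain.pem = leaf first, then the issuing intermediate, like certbot's file
# and like TLS_README's "cat server_cert.pem intermediate_CA.pem > server.pem".
make_chain() {
    d=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$d/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > "$d/leaf.ext"

    # Root CA, self-signed.
    openssl ecparam -genkey -name prime256v1 -noout -out "$d/root.key"
    openssl req -new -config "$d/req.cnf" -key "$d/root.key" -subj "/CN=Example Root CA" -out "$d/root.csr"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null

    # Intermediate CA, issued by the root.
    openssl ecparam -genkey -name prime256v1 -noout -out "$d/int.key"
    openssl req -new -config "$d/req.cnf" -key "$d/int.key" -subj "/CN=Example Intermediate CA" -out "$d/int.csr"
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 30 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null

    # Server (leaf) certificate, issued by the intermediate.
    openssl ecparam -genkey -name prime256v1 -noout -out "$d/leaf.key"
    openssl req -new -config "$d/req.cnf" -key "$d/leaf.key" -subj "/CN=mail.example.test" -out "$d/leaf.csr"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null

    cat "$d/leaf.pem" "$d/int.pem" > "$d/fullchain.pem"
}

# cert_count FILE: number of PEM certificates in FILE.
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# show_chain FILE: subject and issuer of every certificate, in the order sent.
show_chain() { openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout; }

# client_would_accept DIR CHAINFILE: emulate a TLS client whose only trust
# anchor is DIR/root.pem. As in a TLS Certificate message, the first
# certificate in CHAINFILE is the server's and any others are untrusted
# helpers the client may use to reach the root. Exit status 0 = accepted.
client_would_accept() {
    d=$1
    : > "$d/target.pem"
    : > "$d/extras.pem"
    awk -v first="$d/target.pem" -v rest="$d/extras.pem" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > first }
        n >  1 { print > rest }' "$2"
    if [ -s "$d/extras.pem" ]; then
        openssl verify -CAfile "$d/root.pem" -untrusted "$d/extras.pem" \
            -verify_hostname mail.example.test "$d/target.pem"
    else
        openssl verify -CAfile "$d/root.pem" \
            -verify_hostname mail.example.test "$d/target.pem"
    fi
}

# Demo: the leaf alone is rejected, the full chain is accepted.
WORK=$(mktemp -d)
make_chain "$WORK"
echo "fullchain.pem as the client sees it:"
show_chain "$WORK/fullchain.pem"
for f in leaf.pem fullchain.pem; do
    echo "--- $f ($(cert_count "$WORK/$f") certificate(s))"
    if client_would_accept "$WORK" "$WORK/$f"; then
        echo "$f: accepted by a client that trusts only the root"
    else
        echo "$f: rejected; a client would answer with a 'certificate unknown' alert"
    fi
done
rm -rf "$WORK"
```

The split in client_would_accept is the point: a verifying client treats only the first certificate as the server's identity and everything after it as hints for building the path to its own trust store, so whatever smtpd_tls_cert_file (or smtpd_tls_chain_files) hands to OpenSSL must carry the intermediate, in that order. Against a live server the equivalent check is `openssl s_client -starttls smtp -connect host:25 -verify_return_error`, which fails the handshake exactly where the phone in this thread did.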


Re: Error 46 with TLS

Dominic Raferd
On Sat, 21 Sep 2019 at 18:42, Viktor Dukhovni
<[hidden email]> wrote:

>
> > On Sep 21, 2019, at 9:03 AM, benoit <[hidden email]> wrote:
> >
> > I have a problem with my postfix server, I can't connect with TLS, I have this error:
> >
> > Sep 21 10:40:32 jolly postfix/smtpd[23341]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1536:SSL alert number 46:
>
> * Since the report is from smtpd(8), this is an incoming
>   SMTP connection from a client.
>
> * The client's TLS stack is sending a TLS fatal alert message
>   to the server.
>
> * The alert in question is a "certificate unknown" alert, which
>   might indicate that your certificate chain is issued by an
>   unknown CA, *OR* is incomplete.
>
>   A common mistake is to leave out intermediate issuer certificates
>   from your server chain, and provide just the leaf certificate.
>   DON'T DO THAT.  With Let's Encrypt, use "fullchain.pem".
>
> * It is also possible that the client's alert is "imprecise" and
>   the certificate name does not match the server name, or some
>   other certificate related problem.  Diagnostic information on
>   the client might shed more light on the issue.

I just use:
smtpd_tls_cert_file = /etc/letsencrypt/live/streamingbats.co.uk/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/streamingbats.co.uk/privkey.pem

Should I be setting any other parameters?

(It might be helpful to give Let's Encrypt examples (because now so
common) in the documentation.)

Re: Error 46 with TLS

@lbutlr
On Sep 21, 2019, at 12:17 PM, Dominic Raferd <[hidden email]> wrote:
> smtpd_tls_cert_file = /etc/letsencrypt/live/streamingbats.co.uk/fullchain.pem
> smtpd_tls_key_file = /etc/letsencrypt/live/streamingbats.co.uk/privkey.pem
>
> Should I be setting any other parameters?

That works here.



--
"You never really understand a person until you see things from his
point of view, until you climb inside of his skin and walk around in
it."


Re: Error 46 with TLS

Thilo Molitor
Do you know what client sends the alert?
Maybe it is misconfigured...

On 21 September 2019 21:26:14 MESZ, "@lbutlr" <[hidden email]> wrote:
> On Sep 21, 2019, at 12:17 PM, Dominic Raferd <[hidden email]> wrote:
>> smtpd_tls_cert_file = /etc/letsencrypt/live/streamingbats.co.uk/fullchain.pem
>> smtpd_tls_key_file = /etc/letsencrypt/live/streamingbats.co.uk/privkey.pem
>>
>> Should I be setting any other parameters?
>
> That works here.



Re: Error 46 with TLS

benoit

Hello, thanks for the replies,

I changed my cert_file parameter to fullchain.pem. So now I don't have an error on the server:

Sep 22 15:00:25 jolly postfix/smtpd[15774]: connect from unknown[192.168.5.1]
Sep 22 15:00:25 jolly postfix/smtpd[15774]: Anonymous TLS connection established from unknown[192.168.5.1]: TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)
Sep 22 15:00:33 jolly postfix/smtpd[15774]: lost connection after EHLO from unknown[192.168.5.1]
Sep 22 15:00:33 jolly postfix/smtpd[15774]: disconnect from unknown[192.168.5.1] ehlo=2 starttls=1 commands=3

But my client can't connect. The client is my Android phone.

I have a Fairphone OS based on Android 7.1.2.

Thank you

Benoit



On 21/09/2019 at 22:14, Thilo Molitor wrote:
> Do you know what client sends the alert?
> Maybe it is misconfigured...
>
> On 21 September 2019 21:26:14 MESZ, "@lbutlr" [hidden email] wrote:
>> On Sep 21, 2019, at 12:17 PM, Dominic Raferd [hidden email] wrote:
>>> smtpd_tls_cert_file = /etc/letsencrypt/live/streamingbats.co.uk/fullchain.pem
>>> smtpd_tls_key_file = /etc/letsencrypt/live/streamingbats.co.uk/privkey.pem
>>>
>>> Should I be setting any other parameters?
>>
>> That works here.

Re: Error 46 with TLS

Viktor Dukhovni
On Sun, Sep 22, 2019 at 03:07:54PM +0200, benoit wrote:

> I changed my cert_file parameter to fullchain.pem. So now I don't have
> an error on the server:
>
> Sep 22 15:00:25 jolly postfix/smtpd[15774]: connect from unknown[192.168.5.1]
> Sep 22 15:00:25 jolly postfix/smtpd[15774]: Anonymous TLS connection
>   established from unknown[192.168.5.1]: TLSv1.2 with cipher
>   ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)

Looks like the TLS handshake completes.

> Sep 22 15:00:33 jolly postfix/smtpd[15774]: lost connection after EHLO
> from unknown[192.168.5.1]
> Sep 22 15:00:33 jolly postfix/smtpd[15774]: disconnect from
> unknown[192.168.5.1] ehlo=2 starttls=1 commands=3

As also evidenced by the second (post-TLS) "EHLO".

> But my client can't connect . the client is my android phone

But the client gives up immediately after seeing the server's EHLO
response.  Probably, it does not like the SASL AUTH mechanisms
offered, or AUTH is not offered at all.  Perhaps the phone is
connecting to port 25.

See my reply

    http://postfix.1071664.n5.nabble.com/Question-getting-Mail-app-working-with-PostFix-SMTP-td102381.html#a102823

to:

    http://postfix.1071664.n5.nabble.com/Question-getting-Mail-app-working-with-PostFix-SMTP-tp102381p102822.html

and if you're still unable to resolve the problem after ensuring
that the client is using port 587 (submission), in your next post
include:

        1. "postconf -nf" output (as-is, no rewrapping of lines)
        2. "postconf -Mf" output (as-is, no rewrapping of lines)
        3. Relevant entries from the log file.

--
        Viktor.
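Viktor's pointer above (the client drops the connection right after the post-TLS EHLO, so it is probably unhappy with what that EHLO reply offers, and may be talking to port 25 rather than 587) as an added example, not code from the thread or from Postfix: a probe that does EHLO/STARTTLS with openssl s_client and prints the EHLO reply the server gives inside TLS, plus a small parser that reports whether AUTH is advertised and with which mechanisms. The live probe needs a reachable server and is not exercised by the demo; the two EHLO replies embedded below are constructed, not captured from benoit's server, and mail.example.test / probe.example.test are placeholder names.

```shell
#!/bin/sh
# Added example, not code from the thread or from Postfix. Shows what a
# submission client sees from the server right after STARTTLS: the EHLO reply,
# and in it whether AUTH is offered and with which mechanisms. Host names
# (mail.example.test, probe.example.test) and the sample replies are assumed.
set -e

# probe_starttls HOST PORT: EHLO, STARTTLS, then EHLO again inside TLS, and
# print the server's in-TLS EHLO reply (what a MUA on 587 or 25 gets).
# Needs network access; not exercised by the demo below.
probe_starttls() {
    printf 'EHLO probe.example.test\r\nQUIT\r\n' |
        openssl s_client -quiet -starttls smtp -connect "$1:$2" -servername "$1" 2>/dev/null
}

# probe_implicit_tls HOST PORT: same for smtps/submissions (465), where TLS
# comes first and the EHLO is ours to send.
probe_implicit_tls() {
    printf 'EHLO probe.example.test\r\nQUIT\r\n' |
        openssl s_client -quiet -connect "$1:$2" -servername "$1" 2>/dev/null
}

# ehlo_capabilities: EHLO reply on stdin -> one capability per line. The
# first 250 line carries the server's name, not a capability, so drop it.
ehlo_capabilities() {
    tr -d '\r' | sed -n 's/^250[- ]//p' | sed '1d'
}

# auth_mechanisms: SASL mechanisms from the standard "AUTH" line (Postfix also
# emits a legacy "AUTH=" line when broken_sasl_auth_clients = yes; ignored).
auth_mechanisms() {
    ehlo_capabilities | awk '$1 == "AUTH" { $1 = ""; sub(/^ /, ""); print }'
}

# auth_status: "auth: <mechanisms>" or "no-auth" for the reply on stdin.
# A MUA configured with a password typically gives up on "no-auth", which the
# server side logs as "lost connection after EHLO".
auth_status() {
    mechs=$(auth_mechanisms)
    if [ -n "$mechs" ]; then
        printf 'auth: %s\n' "$mechs"
    else
        printf 'no-auth\n'
    fi
}

# Constructed sample replies (not captured from any real server): what a
# plain port-25 smtpd returns after STARTTLS without SASL enabled, and what
# a submission service with smtpd_sasl_auth_enable=yes returns.
PORT25_REPLY='250-mail.example.test
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING'
SUBMISSION_REPLY='250-mail.example.test
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING'

# Demo on the samples. Against a live server compare the two ports yourself:
#   probe_starttls mail.example.test 25  | auth_status
#   probe_starttls mail.example.test 587 | auth_status
for reply in "$PORT25_REPLY" "$SUBMISSION_REPLY"; do
    printf '%s\n' "$reply" | auth_status
done
```

Run the probe against 25 and 587 and pipe each reply through auth_status: if the port the phone is configured for answers "no-auth", or lists only mechanisms the client cannot use, the "lost connection after EHLO" in the server log is the client walking away from that offer, not a TLS problem. For the smtps wrapper-mode service on 465, use probe_implicit_tls instead.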

Re : Re: Error 46 with TLS

benoit

Hello,
Yes, the phone uses port 25. I changed my phone client to FairEmail, and everything is fine.
Thank you

On Sun Sep 22 18:19:56 GMT+02:00 2019, Viktor Dukhovni <[hidden email]> wrote:


> On Sun, Sep 22, 2019 at 03:07:54PM +0200, benoit wrote:
>
> > I changed my cert_file parameter to fullchain.pem. So now I don't have
> > an error on the server:
> >
> > Sep 22 15:00:25 jolly postfix/smtpd[15774]: connect from unknown[192.168.5.1]
> > Sep 22 15:00:25 jolly postfix/smtpd[15774]: Anonymous TLS connection
> >   established from unknown[192.168.5.1]: TLSv1.2 with cipher
> >   ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)
>
> Looks like the TLS handshake completes.
>
> > Sep 22 15:00:33 jolly postfix/smtpd[15774]: lost connection after EHLO
> > from unknown[192.168.5.1]
> > Sep 22 15:00:33 jolly postfix/smtpd[15774]: disconnect from
> > unknown[192.168.5.1] ehlo=2 starttls=1 commands=3
>
> As also evidenced by the second (post-TLS) "EHLO".
>
> > But my client can't connect . the client is my android phone
>
> But the client gives up immediately after seeing the server's EHLO
> response.  Probably, it does not like the SASL AUTH mechanisms
> offered, or AUTH is not offered at all.  Perhaps the phone is
> connecting to port 25.
>
> See my reply
>
>     http://postfix.1071664.n5.nabble.com/Question-getting-Mail-app-working-with-PostFix-SMTP-td102381.html#a102823
>
> to:
>
>     http://postfix.1071664.n5.nabble.com/Question-getting-Mail-app-working-with-PostFix-SMTP-tp102381p102822.html
>
> and if you're still unable to resolve the problem after ensuring
> that the client is using port 587 (submission), in your next post
> include:
>
> 1. "postconf -nf" output (as-is, no rewrapping of lines)
> 2. "postconf -Mf" output (as-is, no rewrapping of lines)
> 3. Relevant entries from the log file.
>
> --
> Viktor.
>

Re: Re : Re: Error 46 with TLS

Matus UHLAR - fantomas
>> On Sun, Sep 22, 2019 at 03:07:54PM +0200, benoit wrote:
>> > But my client can't connect. The client is my Android phone.

>Sun Sep 22 18:19:56 GMT+02:00 2019 Viktor Dukhovni <[hidden email]>:
>> But the client gives up immediately after seeing the server's EHLO
>> response.  Probably, it does not like the SASL AUTH mechanisms
>> offered, or AUTH is not offered at all.  Perhaps the phone is
>> connecting to port 25.
>>
>> See my reply
>>
>>     http://postfix.1071664.n5.nabble.com/Question-getting-Mail-app-working-with-PostFix-SMTP-td102381.html#a102823
>>
>> to:
>>
>>     http://postfix.1071664.n5.nabble.com/Question-getting-Mail-app-working-with-PostFix-SMTP-tp102381p102822.html

On 22.09.19 16:41, Benoit Szczygiel wrote:
>Yes, the phone uses port 25. I changed my phone client to FairEmail, and everything is fine.

Changing to the smtps/submissions port (465 with implicit SSL) should help
too, as noted by Viktor in the links above.


--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
A day without sunshine is like, night.

Re: Error 46 with TLS

benoit
In reply to this post by Viktor Dukhovni
Hello,

I haven't had time to solve the problem definitively.

Now the result is not error 46 but:

Nov  3 17:23:51 jolly postfix/smtpd[5113]: connect from unknown[192.168.5.1]
Nov  3 17:23:51 jolly postfix/smtpd[5113]: Anonymous TLS connection established from unknown[192.168.5.1]: TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)
Nov  3 17:23:51 jolly postfix/smtpd[5113]: warning: unknown[192.168.5.1]: SASL LOGIN authentication failed: authentication failure
Nov  3 17:23:51 jolly postfix/smtpd[5113]: lost connection after AUTH from unknown[192.168.5.1]
Nov  3 17:23:51 jolly postfix/smtpd[5113]: disconnect from unknown[192.168.5.1] ehlo=2 starttls=1 auth=0/1 commands=3/4

This is strange as I don't do an anonymous connection.

I installed saslauthd.

# Example: MECHANISMS="pam"
MECHANISMS="shadow"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
#
# To know if your Postfix is running chroot, check /etc/postfix/master.cf.
# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
# then your Postfix is running in a chroot.
# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
# running in a chroot.
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

This is only the end of the conf file. I didn't change anything at the
start of the file.


Here is the smtpd part of main.cf:

# TLS parameters
broken_sasl_auth_clients = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/zelec.homelinux.net/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/zelec.homelinux.net/privkey.pem
smtpd_use_tls=yes
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_sasl_auth_enable = yes
#smtpd_tls_CAfile=/etc/letsencrypt/live/zelec.homelinux.net/fullchain.pem
#smtpd_tls_CApath=/etc/ssl/certs/


# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
    defer_unauth_destination permit_inet_interfaces
    reject_unauth_destination permit_mx_backup
myhostname = jolly.zelec.lan

Here is my master.cf:


# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1 postscreen
#smtpd     pass  -       -       y       -       - smtpd
#dnsblog   unix  -       -       y       -       0 dnsblog
#tlsproxy  unix  -       -       y       -       0 tlsproxy
submission inet n       -       y       -       -       smtpd
   -o syslog_name=postfix/submission
   -o smtpd_tls_security_level=encrypt
   -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/smtps
   -o smtpd_tls_wrappermode=yes
   -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING


Thanks for ideas

Benoit

On 22/09/2019 at 18:15, Viktor Dukhovni wrote:

> On Sun, Sep 22, 2019 at 03:07:54PM +0200, benoit wrote:
>
>> I changed my cert_file parameter to fullchain.pem. So now I don't have
>> an error on the server:
>>
>> Sep 22 15:00:25 jolly postfix/smtpd[15774]: connect from unknown[192.168.5.1]
>> Sep 22 15:00:25 jolly postfix/smtpd[15774]: Anonymous TLS connection
>>    established from unknown[192.168.5.1]: TLSv1.2 with cipher
>>    ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)
> Looks like the TLS handshake completes.
>
>> Sep 22 15:00:33 jolly postfix/smtpd[15774]: lost connection after EHLO
>> from unknown[192.168.5.1]
>> Sep 22 15:00:33 jolly postfix/smtpd[15774]: disconnect from
>> unknown[192.168.5.1] ehlo=2 starttls=1 commands=3
> As also evidenced by the second (post-TLS) "EHLO".
>
>> But my client can't connect . the client is my android phone
> But the client gives up immediately after seeing the server's EHLO
> response.  Probably, it does not like the SASL AUTH mechanisms
> offered, or AUTH is not offered at all.  Perhaps the phone is
> connecting to port 25.
>
> See my reply
>
>      http://postfix.1071664.n5.nabble.com/Question-getting-Mail-app-working-with-PostFix-SMTP-td102381.html#a102823
>
> to:
>
>      http://postfix.1071664.n5.nabble.com/Question-getting-Mail-app-working-with-PostFix-SMTP-tp102381p102822.html
>
> and if you're still unable to resolve the problem after ensuring
> that the client is using port 587 (submission), in your next post
> include:
>
> 1. "postconf -nf" output (as-is, no rewrapping of lines)
> 2. "postconf -Mf" output (as-is, no rewrapping of lines)
> 3. Relevant entries from the log file.
>

Re: Error 46 with TLS

Viktor Dukhovni


> On Nov 3, 2019, at 10:42 AM, benoit <[hidden email]> wrote:
>
> Nov  3 17:23:51 jolly postfix/smtpd[5113]: connect from unknown[192.168.5.1]
> Nov  3 17:23:51 jolly postfix/smtpd[5113]: Anonymous TLS connection established from unknown[192.168.5.1]: TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)
> Nov  3 17:23:51 jolly postfix/smtpd[5113]: warning: unknown[192.168.5.1]: SASL LOGIN authentication failed: authentication failure
> Nov  3 17:23:51 jolly postfix/smtpd[5113]: lost connection after AUTH from unknown[192.168.5.1]
> Nov  3 17:23:51 jolly postfix/smtpd[5113]: disconnect from unknown[192.168.5.1] ehlo=2 starttls=1 auth=0/1 commands=3/4
>
> This is strange as I don't do an anonymous connection.

Don't confuse "TLS anonymous" (no TLS client certificate), with
"SASL anonymous" (no username/password or similar).  See:

  http://www.postfix.org/FORWARD_SECRECY_README.html#status

Your TLS settings are now fine, and all that remains is getting SASL
to work (SASL is not SSL).

--
        Viktor.
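To keep apart the two things Viktor separates in this thread (the TLS handshake completing versus the client giving up afterwards, and "Anonymous TLS" meaning no client certificate versus a SASL password failure), here is an added example, not code from the thread or from Postfix: a small sh/awk triage of one smtpd session's log lines. The two sample sessions are the log excerpts benoit posted above (22 Sep and 3 Nov), copied verbatim; the summary format and the verdict wording are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from Postfix. Reads the smtpd log
# lines of one client session and reports the TLS outcome (was a session
# established, and with which client-certificate verdict) separately from the
# SASL outcome (auth=<ok>/<tries>), so the two are not confused. The sample
# sessions are the two posted in this thread; summary/verdict wording is mine.
set -e

# session_summary: smtpd lines for one connection on stdin ->
#   tls=<none|anonymous|untrusted|trusted|verified> <counters from the
#   "disconnect from" line> sasl_failures=<n> last=<command before a lost connection|n/a>
session_summary() {
    awk '
        BEGIN { tls = "none"; last = "n/a"; fails = 0; ctr = "" }
        # Postfix prefixes the verdict on the *client* certificate: Anonymous
        # means the client sent none, which is normal for a phone or desktop MUA.
        /Anonymous TLS connection established/ { tls = "anonymous" }
        /Untrusted TLS connection established/ { tls = "untrusted" }
        / Trusted TLS connection established/  { tls = "trusted" }
        /Verified TLS connection established/  { tls = "verified" }
        /SASL [A-Z0-9-]+ authentication failed/ { fails++ }
        /lost connection after / {
            s = $0; sub(/.*lost connection after /, "", s); sub(/ from .*/, "", s); last = s
        }
        /: disconnect from / {
            # ehlo=2 starttls=1 auth=0/1 commands=3/4 -> successes/attempts per command
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[a-z]+=[0-9]+(\/[0-9]+)?$/) ctr = ctr " " $i
        }
        END { printf "tls=%s%s sasl_failures=%d last=%s\n", tls, ctr, fails, last }'
}

# session_verdict: which layer to debug next, derived from the summary.
session_verdict() {
    s=$(session_summary)
    case "$s" in
        tls=none*)
            echo "no TLS session established: look at the certificate chain and the client's alert" ;;
        *sasl_failures=0*last=EHLO)
            echo "TLS fine; client rejected the post-TLS EHLO offer: check the port (587) and that AUTH is advertised" ;;
        *" auth=0/"*)
            echo "TLS fine; SASL authentication failed: debug saslauthd/credentials, not TLS" ;;
        *)
            echo "no TLS or SASL failure in this session" ;;
    esac
}

# Sample sessions, taken from the log excerpts posted earlier in this thread.
SEP22='Sep 22 15:00:25 jolly postfix/smtpd[15774]: connect from unknown[192.168.5.1]
Sep 22 15:00:25 jolly postfix/smtpd[15774]: Anonymous TLS connection established from unknown[192.168.5.1]: TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)
Sep 22 15:00:33 jolly postfix/smtpd[15774]: lost connection after EHLO from unknown[192.168.5.1]
Sep 22 15:00:33 jolly postfix/smtpd[15774]: disconnect from unknown[192.168.5.1] ehlo=2 starttls=1 commands=3'
NOV3='Nov  3 17:23:51 jolly postfix/smtpd[5113]: connect from unknown[192.168.5.1]
Nov  3 17:23:51 jolly postfix/smtpd[5113]: Anonymous TLS connection established from unknown[192.168.5.1]: TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)
Nov  3 17:23:51 jolly postfix/smtpd[5113]: warning: unknown[192.168.5.1]: SASL LOGIN authentication failed: authentication failure
Nov  3 17:23:51 jolly postfix/smtpd[5113]: lost connection after AUTH from unknown[192.168.5.1]
Nov  3 17:23:51 jolly postfix/smtpd[5113]: disconnect from unknown[192.168.5.1] ehlo=2 starttls=1 auth=0/1 commands=3/4'

for session in "$SEP22" "$NOV3"; do
    printf '%s\n' "$session" | session_summary
    printf '%s\n' "$session" | session_verdict
done
```

The "disconnect from" line is the compact record: each name=ok/tries counter tells how many of that command succeeded out of how many were sent, so ehlo=2 starttls=1 proves the post-STARTTLS EHLO happened and auth=0/1 proves one SASL attempt was made and rejected. Feed the function a session's lines with `grep 'smtpd\[5113\]' /var/log/mail.log | session_verdict` and it tells you whether to look at certificates, at the port and AUTH offer, or at saslauthd.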