Error 46 with TLS

Error 46 with TLS

benoit
Hello,

I have a problem with my Postfix server: I can't connect with TLS. I get
this error:

Sep 21 10:40:32 jolly postfix/smtpd[23341]: warning: TLS library
problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert
certificate unknown:../ssl/record/rec_layer_s3.c:1536:SSL alert number 46:

Connection works fine without TLS.

I use a Let's Encrypt certificate. My server is Debian Buster.

Thanks for your help.

Benoit


Re: Error 46 with TLS

Wietse Venema
benoit:

> Hello,
>
> I have a problem with my Postfix server: I can't connect with TLS. I get
> this error:
>
> Sep 21 10:40:32 jolly postfix/smtpd[23341]: warning: TLS library
> problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert
> certificate unknown:../ssl/record/rec_layer_s3.c:1536:SSL alert number 46:
>
> Connection works fine without TLS.
>
> I use a Let's Encrypt certificate. My server is Debian Buster.

SSL alert number 46 means the client tried to verify the certificate.
Don't do that, or configure Postfix to provide more of the
certificate trust chain (the 'parent' certificates).

        Wietse



Re: Error 46 with TLS

Matus UHLAR - fantomas
>benoit:
>> I have a problem with my Postfix server: I can't connect with TLS. I get
>> this error:
>>
>> Sep 21 10:40:32 jolly postfix/smtpd[23341]: warning: TLS library
>> problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert
>> certificate unknown:../ssl/record/rec_layer_s3.c:1536:SSL alert number 46:

"sslv3 alert certificate unknown" should give the hint.

>> Connection works fine without TLS.
>>
>> I use a Let's Encrypt certificate. My server is Debian Buster.

On 21.09.19 09:24, Wietse Venema wrote:
>SSL alert number 46 means the client tried to verify the certificate.
>Don't do that, or configure Postfix to provide more of the
>certificate trust chain (the 'parent' certificates).

The latter should be the proper solution. A client should not ignore the
certificate of the server it's going to authenticate against, and not
accepting an unknown server certificate seems to be recommended.

With Let's Encrypt (and most other certificate authorities), servers need to
provide the intermediate certificate in addition to their own cert.

Postfix does not have a separate configuration directive for a CA chain file
(as Apache, ProFTPD and many other servers have), so you must append the
certificate chain file(s) to the certificate file provided with
smtpd_tls_cert_file or smtpd_tls_chain_files (since 3.4).

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I just got lost in thought. It was unfamiliar territory.

Re: Error 46 with TLS

Jim P.
On Sat, 2019-09-21 at 16:13 +0200, Matus UHLAR - fantomas wrote:
> With Let's Encrypt (and most other certificate authorities), servers need to
> provide the intermediate certificate in addition to their own cert.
>
> Postfix does not have a separate configuration directive for a CA chain file
> (as Apache, ProFTPD and many other servers have), so you must append the
> certificate chain file(s) to the certificate file provided with
> smtpd_tls_cert_file or smtpd_tls_chain_files (since 3.4).

Wait, what?

This works perfectly fine for me on debian:

smtpd_tls_key_file=/etc/letsencrypt/live/smtp.domainmail.net/privkey.pem
smtpd_tls_cert_file=/etc/letsencrypt/live/smtp.domainmail.net/cert.pem
smtpd_tls_CAfile=/etc/letsencrypt/live/smtp.domainmail.net/fullchain.pem
smtpd_tls_CApath=/etc/ssl/certs/


-Jim P.


Re: Error 46 with TLS

benoit
In reply to this post by Matus UHLAR - fantomas

On 21/09/2019 at 16:13, Matus UHLAR - fantomas wrote:

>> benoit:
>>> I have a problem with my Postfix server: I can't connect with TLS. I get
>>> this error:
>>>
>>> Sep 21 10:40:32 jolly postfix/smtpd[23341]: warning: TLS library
>>> problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert
>>> certificate unknown:../ssl/record/rec_layer_s3.c:1536:SSL alert
>>> number 46:
>
> "sslv3 alert certificate unknown" should give the hint.
>
>>> Connection works fine without TLS.
>>>
>>> I use a Let's Encrypt certificate. My server is Debian Buster.
>
> On 21.09.19 09:24, Wietse Venema wrote:
>> SSL alert number 46 means the client tried to verify the certificate.
>> Don't do that, or configure Postfix to provide more of the
>> certificate trust chain (the 'parent' certificates).
>
> The latter should be the proper solution. A client should not ignore the
> certificate of the server it's going to authenticate against, and not
> accepting an unknown server certificate seems to be recommended.
>
> With Let's Encrypt (and most other certificate authorities), servers
> need to provide the intermediate certificate in addition to their own cert.
>
> Postfix does not have a separate configuration directive for a CA chain
> file (as Apache, ProFTPD and many other servers have), so you must append
> the certificate chain file(s) to the certificate file provided with
> smtpd_tls_cert_file or smtpd_tls_chain_files (since 3.4).
>

What are the certificate chain file(s)? Are those the files in /etc/ssl/certs?

Thank you

Benoit


Re: Error 46 with TLS

Matus UHLAR - fantomas
In reply to this post by Jim P.
>On Sat, 2019-09-21 at 16:13 +0200, Matus UHLAR - fantomas wrote:
>> With Let's Encrypt (and most other certificate authorities), servers need to
>> provide the intermediate certificate in addition to their own cert.
>>
>> Postfix does not have a separate configuration directive for a CA chain file
>> (as Apache, ProFTPD and many other servers have), so you must append the
>> certificate chain file(s) to the certificate file provided with
>> smtpd_tls_cert_file or smtpd_tls_chain_files (since 3.4).

On 21.09.19 10:54, Jim P. wrote:
>Wait, what?
>
>This works perfectly fine for me on debian:
>
>smtpd_tls_key_file=/etc/letsencrypt/live/smtp.domainmail.net/privkey.pem
>smtpd_tls_cert_file=/etc/letsencrypt/live/smtp.domainmail.net/cert.pem
>smtpd_tls_CAfile=/etc/letsencrypt/live/smtp.domainmail.net/fullchain.pem
>smtpd_tls_CApath=/etc/ssl/certs/

I can confirm that smtp.domainmail.net provides the full chain.

I tried to set something like the above a while ago (Debian 7 or 8,
Postfix 2.9 or 2.11), and a customer was complaining about an invalid cert
on the SMTP server.

smtpd_tls_CAfile and smtpd_tls_CApath provide trusted certificates for
certificate verification.  They don't provide the intermediate certificate
for smtpd_tls_cert_file.

... or at least according to my experience and to the Postfix documentation:

        To enable a remote SMTP client to verify the Postfix SMTP server
certificate, the issuing CA certificates must be made available to the
client.  You should include the required certificates in the server
certificate file, the server certificate first, then the issuing CA(s)
(bottom-up order).

        Example: the certificate for "server.example.com" was issued by
"intermediate CA" which itself has a certificate of "root CA".  Create the
server.pem file with "cat server_cert.pem intermediate_CA.pem root_CA.pem >
server.pem".

I'd be glad if Postfix could pick the proper intermediate certificate, but my
experience and my understanding of the docs say otherwise.


Re: Error 46 with TLS

Viktor Dukhovni
In reply to this post by benoit
> On Sep 21, 2019, at 9:03 AM, benoit <[hidden email]> wrote:
>
> I have a problem with my Postfix server: I can't connect with TLS. I get this error:
>
> Sep 21 10:40:32 jolly postfix/smtpd[23341]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1536:SSL alert number 46:

* Since the report is from smtpd(8), this is an incoming
  SMTP connection from a client.

* The client's TLS stack is sending a TLS fatal alert message
  to the server.

* The alert in question is a "certificate unknown" alert, which
  might indicate that your certificate chain is issued by an
  unknown CA, *OR* is incomplete.

  A common mistake is to leave out intermediate issuer certificates
  from your server chain, and provide just the leaf certificate.
  DON'T DO THAT.  With Let's Encrypt, use "fullchain.pem".

* It is also possible that the client's alert is "imprecise" and
  the certificate name does not match the server name, or some
  other certificate related problem.  Diagnostic information on
  the client might shed more light on the issue.

--
        Viktor.
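The fix both Matus and Viktor describe (send the issuing CA certificate after the leaf, which is exactly what Let's Encrypt's fullchain.pem contains), reproduced as an added example that is not code from the thread or from Postfix. It builds a throwaway root -> intermediate -> leaf PKI with the openssl command line, so the CA names and the hostname mail.example.test are invented, lays the files out the way certbot does, and then verifies cert.pem and fullchain.pem the way a client that trusts only the root CA would:

```shell
#!/bin/sh
# Added example (not from the thread or from Postfix): a throwaway 3-level PKI
# built with the openssl CLI, used to show why a leaf-only server file fails
# client verification while leaf + issuer (Let's Encrypt's fullchain.pem
# layout) passes. "Example Root", "Example Intermediate" and
# mail.example.test are made-up names.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
HOST=mail.example.test

# Self-contained req config so the root is a CA regardless of what the
# system openssl.cnf defaults to.
cat > root.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Root
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -config root.cnf -newkey rsa:2048 -nodes -sha256 -days 30 \
  -keyout root.key -out root.pem 2>/dev/null

# Intermediate CA, issued by the root.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl req -new -config root.cnf -subj "/CN=Example Intermediate" \
  -newkey rsa:2048 -nodes -sha256 -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -sha256 -extfile inter.ext -out inter.pem 2>/dev/null

# Server (leaf) certificate, issued by the intermediate: what the CA hands you.
printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" > leaf.ext
openssl req -new -config root.cnf -subj "/CN=$HOST" \
  -newkey rsa:2048 -nodes -sha256 -keyout privkey.pem -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 30 -sha256 -extfile leaf.ext -out cert.pem 2>/dev/null

# certbot's layout: cert.pem is the leaf alone; fullchain.pem is the leaf
# followed by its issuer(s), i.e. "server certificate first, then the issuing
# CA(s)" as the Postfix TLS docs put it. The root itself is not needed.
cat cert.pem inter.pem > fullchain.pem

# count_certs FILE: number of PEM certificates in a bundle.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# nth_cert FILE N: print the N-th PEM certificate of a bundle (1-based).
nth_cert() {
  awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { c++ } c == n { print }' "$1"
}

# chain_is_ordered FILE: true when every certificate is followed by its
# issuer, the only order a TLS client is guaranteed to accept.
chain_is_ordered() {
  n=$(count_certs "$1"); i=1
  while [ "$i" -lt "$n" ]; do
    iss=$(nth_cert "$1" "$i" | openssl x509 -noout -issuer)
    sub=$(nth_cert "$1" $((i + 1)) | openssl x509 -noout -subject)
    [ "${iss#issuer=}" = "${sub#subject=}" ] || return 1
    i=$((i + 1))
  done
}

# verify_as_client FILE: emulate a client whose trust store holds only the
# root and which is handed FILE by the server. The first certificate is the
# one verified; the rest is untrusted chain material, as in a TLS handshake.
verify_as_client() {
  openssl verify -CAfile root.pem -untrusted "$1" "$1" >/dev/null 2>&1
}

for f in cert.pem fullchain.pem; do
  if verify_as_client "$f"; then r=ok; else r="FAIL (what the client turns into alert 46)"; fi
  echo "$f: $(count_certs "$f") cert(s), verification $r"
done
```

On a live server the equivalent check is `openssl s_client -starttls smtp -connect mail.example.test:25 -showcerts`, which prints every certificate Postfix actually sends; if only one appears, the intermediate is missing. Jim P.'s configuration above works because postconf(5) notes that smtpd_tls_CAfile may also be used to augment the server certificate trust chain, while advising that the required certificates be included directly in the server certificate file; putting the chain in smtpd_tls_cert_file (or smtpd_tls_chain_files on Postfix 3.4 and later) is the unambiguous option.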


Re: Error 46 with TLS

Dominic Raferd
On Sat, 21 Sep 2019 at 18:42, Viktor Dukhovni
<[hidden email]> wrote:

>
> > On Sep 21, 2019, at 9:03 AM, benoit <[hidden email]> wrote:
> >
> > I have a problem with my Postfix server: I can't connect with TLS. I get this error:
> >
> > Sep 21 10:40:32 jolly postfix/smtpd[23341]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1536:SSL alert number 46:
>
> * Since the report is from smtpd(8), this is an incoming
>   SMTP connection from a client.
>
> * The client's TLS stack is sending a TLS fatal alert message
>   to the server.
>
> * The alert in question is a "certificate unknown" alert, which
>   might indicate that your certificate chain is issued by an
>   unknown CA, *OR* is incomplete.
>
>   A common mistake is to leave out intermediate issuer certificates
>   from your server chain, and provide just the leaf certificate.
>   DON'T DO THAT.  With Let's Encrypt, use "fullchain.pem".
>
> * It is also possible that the client's alert is "imprecise" and
>   the certificate name does not match the server name, or some
>   other certificate related problem.  Diagnostic information on
>   the client might shed more light on the issue.

I just use:
smtpd_tls_cert_file = /etc/letsencrypt/live/streamingbats.co.uk/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/streamingbats.co.uk/privkey.pem

Should I be setting any other parameters?

(It might be helpful to give Let's Encrypt examples (because they are now so
common) in the documentation.)

Re: Error 46 with TLS

@lbutlr
On Sep 21, 2019, at 12:17 PM, Dominic Raferd <[hidden email]> wrote:
> smtpd_tls_cert_file = /etc/letsencrypt/live/streamingbats.co.uk/fullchain.pem
> smtpd_tls_key_file = /etc/letsencrypt/live/streamingbats.co.uk/privkey.pem
>
> Should I be setting any other parameters?

That works here.



--
"You never really understand a person until you see things from his
point of view, until you climb inside of his skin and walk around in
it."


Re: Error 46 with TLS

Thilo Molitor
Do you know what client sends the alert?
Maybe it is misconfigured...



Re: Error 46 with TLS

benoit

Hello, thanks for the replies,

I changed my cert_file parameter to fullchain.pem, so now I don't have the error on the server:

Sep 22 15:00:25 jolly postfix/smtpd[15774]: connect from unknown[192.168.5.1]
Sep 22 15:00:25 jolly postfix/smtpd[15774]: Anonymous TLS connection established from unknown[192.168.5.1]: TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)
Sep 22 15:00:33 jolly postfix/smtpd[15774]: lost connection after EHLO from unknown[192.168.5.1]
Sep 22 15:00:33 jolly postfix/smtpd[15774]: disconnect from unknown[192.168.5.1] ehlo=2 starttls=1 commands=3

But my client can't connect. The client is my Android phone.

I have a Fairphone OS based on Android 7.1.2.

Thank you

Benoit


Re: Error 46 with TLS

Viktor Dukhovni
On Sun, Sep 22, 2019 at 03:07:54PM +0200, benoit wrote:

> I changed my cert_file parameter to fullchain.pem, so now I don't have
> the error on the server:
>
> Sep 22 15:00:25 jolly postfix/smtpd[15774]: connect from unknown[192.168.5.1]
> Sep 22 15:00:25 jolly postfix/smtpd[15774]: Anonymous TLS connection
>   established from unknown[192.168.5.1]: TLSv1.2 with cipher
>   ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)

Looks like the TLS handshake completes.

> Sep 22 15:00:33 jolly postfix/smtpd[15774]: lost connection after EHLO
> from unknown[192.168.5.1]
> Sep 22 15:00:33 jolly postfix/smtpd[15774]: disconnect from
> unknown[192.168.5.1] ehlo=2 starttls=1 commands=3

As also evidenced by the second (post-TLS) "EHLO".

> But my client can't connect. The client is my Android phone.

But the client gives up immediately after seeing the server's EHLO
response.  Probably, it does not like the SASL AUTH mechanisms
offered, or AUTH is not offered at all.  Perhaps the phone is
connecting to port 25.

See my reply

    http://postfix.1071664.n5.nabble.com/Question-getting-Mail-app-working-with-PostFix-SMTP-td102381.html#a102823

to:

    http://postfix.1071664.n5.nabble.com/Question-getting-Mail-app-working-with-PostFix-SMTP-tp102381p102822.html

and if you're still unable to resolve the problem after ensuring
that the client is using port 587 (submission), in your next post
include:

        1. "postconf -nf" output (as-is, no rewrapping of lines)
        2. "postconf -Mf" output (as-is, no rewrapping of lines)
        3. Relevant entries from the log file.

--
        Viktor.
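What Viktor's diagnosis comes to in configuration terms, as an added example that is not from the thread or from the Postfix distribution: the master.cf submission and smtps services a phone or desktop mail client should use instead of port 25, a helper that reads the -o overrides back out of a master.cf, and a triage function for the per-session counters in the disconnect line quoted above. The service definitions use standard Postfix parameters; the sample log lines are constructed (the first mirrors benoit's):

```shell
#!/bin/sh
# Added example, not from the thread or from Postfix itself: master.cf
# entries for client submission, a reader for their "-o" overrides, and a
# classifier for smtpd disconnect counters. Sample log lines are constructed.
set -eu

# write_submission_services FILE: append submission (587, STARTTLS required)
# and smtps (465, TLS from the first byte) entries. Each "-o" line overrides
# main.cf for that service only, so port 25 stays a plain MTA listener that
# neither requires TLS nor offers AUTH.
write_submission_services() {
  cat >> "$1" <<'EOF'
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
EOF
}

# master_cf_option FILE SERVICE NAME: print the value of "-o NAME=value"
# under SERVICE. Entries start in column 1; their "-o" lines are indented.
master_cf_option() {
  awk -v svc="$2" -v name="$3" '
    /^[^ \t#]/ { cur = $1 }
    cur == svc && $1 == "-o" && index($2, name "=") == 1 {
      print substr($2, length(name) + 2); exit
    }' "$1"
}

# triage_disconnect LOGLINE: classify one smtpd "disconnect from" line by the
# per-command counters Postfix appends (only commands the client used appear).
triage_disconnect() {
  case "$1" in
    *" starttls=1 "*)
      case "$1" in
        *" auth="*|*" mail="*) echo "tls-then-auth-or-mail" ;;
        *) echo "tls-then-nothing" ;;  # left after the post-STARTTLS EHLO: wrong port or no AUTH
      esac ;;
    *) echo "no-starttls" ;;
  esac
}

# Constructed sample lines; the first mirrors the one posted in this thread.
THREAD_LINE='Sep 22 15:00:33 jolly postfix/smtpd[15774]: disconnect from unknown[192.168.5.1] ehlo=2 starttls=1 commands=3'
GOOD_LINE='Sep 22 15:05:10 jolly postfix/submission/smtpd[15790]: disconnect from unknown[192.168.5.1] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8'
PLAIN_LINE='Sep 22 15:06:02 jolly postfix/smtpd[15801]: disconnect from unknown[192.168.5.1] ehlo=1 quit=1 commands=2'

main() {
  tmp=$(mktemp); write_submission_services "$tmp"
  echo "submission requires TLS: $(master_cf_option "$tmp" submission smtpd_tls_security_level)"
  echo "smtps wrapper mode:      $(master_cf_option "$tmp" smtps smtpd_tls_wrappermode)"
  rm -f "$tmp"
  for l in "$THREAD_LINE" "$GOOD_LINE" "$PLAIN_LINE"; do
    echo "$(triage_disconnect "$l") <- ${l#*]: }"
  done
}
main
```

A "tls-then-nothing" session on a service whose syslog_name is plain postfix/smtpd is the signature of a client pointed at port 25: the handshake succeeds, the client sees an EHLO response without AUTH, and drops the connection. The separate syslog_name per service makes it obvious in the log which listener the client actually reached.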

Re: Error 46 with TLS

benoit

Hello,
Yes, the phone uses port 25. I changed my phone client to FairEmail, and everything is fine.
Thank you


Re: Error 46 with TLS

Matus UHLAR - fantomas
>> On Sun, Sep 22, 2019 at 03:07:54PM +0200, benoit wrote:
>> > But my client can't connect. The client is my Android phone.

>Sun Sep 22 18:19:56 GMT+02:00 2019 Viktor Dukhovni <[hidden email]>:
>> But the client gives up immediately after seeing the server's EHLO
>> response.  Probably, it does not like the SASL AUTH mechanisms
>> offered, or AUTH is not offered at all.  Perhaps the phone is
>> connecting to port 25.
>>
>> See my reply
>>
>>     http://postfix.1071664.n5.nabble.com/Question-getting-Mail-app-working-with-PostFix-SMTP-td102381.html#a102823
>>
>> to:
>>
>>     http://postfix.1071664.n5.nabble.com/Question-getting-Mail-app-working-with-PostFix-SMTP-tp102381p102822.html

On 22.09.19 16:41, Benoit Szczygiel wrote:
>Yes, the phone uses port 25. I changed my phone client to FairEmail, and everything is fine.

Changing to the smtps/submissions port (465 with implicit SSL) should help
too, as noted by Viktor in the links above.

