SNI and Letsencrypt wildcards.

Nikolai Lusan

Hi all,

I am having some issues getting SNI working with postfix >3.4 with errors
like:
   Feb  7 15:43:08 lutsk postfix/smtpd[4041166]: connect from localhost[127.0.0.1]
   Feb  7 15:43:08 lutsk postfix/smtpd[4041166]: warning: key at index 1 in SNI data for mx1.city8ball.org.au does not match next certificate
   Feb  7 15:43:08 lutsk postfix/smtpd[4041166]: warning: TLS library problem: error:1426D121:SSL routines:ssl_set_cert_and_key:not replacing certificate:../ssl/ssl_rsa.c:1107:
   Feb  7 15:43:08 lutsk postfix/smtpd[4041166]: warning: error loading private keys and certificates from: SNI data for mx1.city8ball.org.au: aborting TLS handshake
   Feb  7 15:43:08 lutsk postfix/smtpd[4041166]: SSL_accept error from localhost[127.0.0.1]: -1
   Feb  7 15:43:08 lutsk postfix/smtpd[4041166]: warning: TLS library problem: error:1422E0EA:SSL routines:final_server_name:callback failed:../ssl/statem/extensions.c:1007:
   Feb  7 15:43:08 lutsk postfix/smtpd[4041166]: lost connection after STARTTLS from localhost[127.0.0.1]
   Feb  7 15:43:08 lutsk postfix/smtpd[4041166]: disconnect from localhost[127.0.0.1] ehlo=1 starttls=0/1 commands=1/2

The certificate file is a wildcard certificate issued by letsencrypt. The
following are the pertinent fields from the x509 output of the certificate:


   Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   Subject: CN = city8ball.org.au

   X509v3 Subject Alternative Name:
   DNS:*.city8ball.org.au, DNS:city8ball.org.au

These files work with apache, nginx, and dovecot for SNI. Really not sure
why I can't get it working with postfix.

From "postconf -n":

   smtp_tls_mandatory_ciphers = high
   smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL
   smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
   smtp_tls_protocols = !SSLv2, !SSLv3
   smtp_tls_security_level = may
   smtpd_helo_required = yes
   smtpd_tls_always_issue_session_ids = yes
   smtpd_tls_chain_files = /etc/ssl/letsencrypt/lusan.id.au/lusan.id.au.key /etc/ssl/letsencrypt/lusan.id.au/fullchain.cer
   smtpd_tls_eecdh_grade = strong
   smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL
   smtpd_tls_mandatory_ciphers = high
   smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL
   smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
   smtpd_tls_protocols = !SSLv2, !SSLv3
   smtpd_tls_security_level = may
   smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
   tls_append_default_CA = no
   tls_daemon_random_bytes = 64
   tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:!CAMELLIA128:!AES128:!SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:!CAMELLIA128-SHA:!AES128-SHA
   tls_preempt_cipherlist = yes
   tls_random_bytes = 64
   tls_random_exchange_name = /var/lib/postfix/prng_exch
   tls_random_prng_update_period = 3600s
   tls_random_reseed_period = 3600s
   tls_random_source = dev:/dev/urandom
   tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map


Thanks

--
Nikolai Lusan

Email: [hidden email]
Phone: 0425 661 620
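The following script is an added example, not code from the post above or from Postfix itself. Postfix reads tls_server_sni_maps data as a sequence of PEM objects in which each private key must come first and be immediately followed by its own certificate and then the chain, and the table has to be built with "postmap -F" so that the file contents rather than the file names are stored; the warning "key at index N in SNI data ... does not match next certificate" is what Postfix prints when the certificate following a key does not carry that key's public key. The script assembles a chain file in that order, checks the object order and the key/leaf pairing with openssl before the map is built, and then writes and compiles the map. The chain directory /etc/postfix/sni, the map path, the hostnames and the script name are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post or from Postfix.  Paths and
# hostnames (/etc/postfix/sni, /etc/postfix/vmail_ssl.map, mx1.example.org)
# are assumptions for illustration.
#
# Order Postfix expects in SNI data: private key, then the certificate that
# belongs to it, then intermediates.  The checks below catch the two usual
# mistakes behind "key at index N ... does not match next certificate":
# wrong object order and a key that does not belong to the leaf next to it.

# Print the PEM object types in a file, in order, normalised to KEY / CERT.
pem_objects() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" \
        | sed -e 's/.*PRIVATE KEY$/KEY/' -e 's/^CERTIFICATE$/CERT/'
}

# Succeed only when the first object is a private key and the second is a
# certificate, the order the Postfix SNI loader requires.
check_sni_chain_order() {
    set -- $(pem_objects "$1")
    [ "${1:-}" = "KEY" ] && [ "${2:-}" = "CERT" ]
}

# Succeed only when the private key in the file and the first certificate in
# the file carry the same public key, i.e. the key really belongs to the leaf.
# openssl skips non-matching PEM objects, so this works regardless of order.
check_key_matches_leaf() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Concatenate key + full chain into one file, key first, readable by owner only.
assemble_sni_chain() {   # assemble_sni_chain KEY FULLCHAIN OUT
    ( umask 077; cat "$1" "$2" > "$3" )
}

# Write the lookup table source: one "sni-name chain-file" line per host.
write_sni_map() {        # write_sni_map MAPFILE HOST1 CHAIN1 [HOST2 CHAIN2 ...]
    map="$1"; shift
    : > "$map"
    while [ $# -ge 2 ]; do
        printf '%s %s\n' "$1" "$2" >> "$map"
        shift 2
    done
}

# Usage: sh sni_chain_check.sh KEY FULLCHAIN SNI-NAME
if [ $# -eq 3 ]; then
    chain="/etc/postfix/sni/$3.pem"          # assumed location for chain files
    assemble_sni_chain "$1" "$2" "$chain"
    check_sni_chain_order "$chain" || { echo "wrong PEM order in $chain" >&2; exit 1; }
    check_key_matches_leaf "$chain" || { echo "key/leaf mismatch in $chain" >&2; exit 1; }
    write_sni_map /etc/postfix/vmail_ssl.map "$3" "$chain"
    postmap -F hash:/etc/postfix/vmail_ssl.map   # -F: store file contents, not names
    echo "SNI map built; reload postfix to pick it up"
fi
```

Run it once per SNI name after every certificate renewal, since a renewed fullchain.cer paired with a stale key file is exactly the key/leaf mismatch the second check refuses. If the order check fails on a file that was created by concatenation, the fix is simply to rebuild it with the key file first.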