Since a couple of days ago, one of the users has reported getting an expired certificate error in TB; looking at the log, I can see this:
Mar 02 21:46:24 pop3-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=111.222.333.444, lip=103.106.168.105, TLS: SSL_read failed: error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired: SSL alert number 45, session=<...>
but, looking at the server with https://ssl-tools.net/mailservers/emu.sbt.net.au, it says 'valid', as does the certbot tool.
What am I missing?
Expiry Date: 2021-04-27 12:11:32+00:00 (VALID: 55 days)
Certificate Path: /etc/letsencrypt/live/emu.sbt.net.au/fullchain.pem
Private Key Path: /etc/letsencrypt/live/emu.sbt.net.au/privkey.pem

# grep ssl_ dovecot.conf
ssl_cert = </etc/letsencrypt/live/emu.sbt.net.au/fullchain.pem
ssl_key = </etc/letsencrypt/live/emu.sbt.net.au/privkey.pem
ssl_dh=</etc/dovecot/dh.pem
On 02/03/2021 at 13:29, Voytek Eymont wrote:
Since a couple of days ago, one of the users has reported getting an expired certificate error in TB; looking at the log, I can see this:
Mar 02 21:46:24 pop3-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=111.222.333.444, lip=103.106.168.105, TLS: SSL_read failed: error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired: SSL alert number 45, session=<...>
Here it is the certificate presented on the pop3 port (either port 110 with a STLS command, or port 995).
but, looking at the server with https://ssl-tools.net/mailservers/emu.sbt.net.au, it says 'valid', as does the certbot tool.
Here it seems the site tests the smtp server (on port 25), which is not handled by dovecot. You probably have different certificates on both.
Looks fine from my side, both on pop3s:

ychaouche#ychaouche-PC 13:58:25 ~ $ openssl s_client -connect 103.106.168.105:995 -CApath /etc/ssl/certs
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = emu.sbt.net.au
verify return:1
---
Certificate chain
 0 s:/CN=emu.sbt.net.au
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/CN=emu.sbt.net.au
issuer=/C=US/O=Let's Encrypt/CN=R3
---
[...]
    Start Time: 1614694135
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
+OK Dovecot ready.
^C
ychaouche#ychaouche-PC 15:09:01 ~ $

and on pop3 with starttls:

ychaouche#ychaouche-PC 15:14:28 ~ $ openssl s_client -starttls pop3 -connect 103.106.168.105:pop3 -CApath /etc/ssl/certs
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = emu.sbt.net.au
verify return:1
---
Certificate chain
 0 s:/CN=emu.sbt.net.au
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/CN=emu.sbt.net.au
issuer=/C=US/O=Let's Encrypt/CN=R3
---
[...]
    Start Time: 1614694499
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
+OK Dovecot ready.
^C
ychaouche#ychaouche-PC 15:15:04 ~ $
On Wed, March 3, 2021 1:17 am, Yassine Chaouche wrote:
Erwan, Yassine,
thanks.
Hmm, just tried this: 110/143 gives an error, 995/993 doesn't:
I'll try changing TB to SSL/TLS instead of StartTLS, 995 or 993, etc., and see if the error goes away.

# echo | openssl s_client -connect emu.sbt.net.au:110 2>/dev/null | openssl x509 -noout -enddate
unable to load certificate
139830305752976:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE

# echo | openssl s_client -connect emu.sbt.net.au:995 2>/dev/null | openssl x509 -noout -enddate
notAfter=Apr 27 12:11:32 2021 GMT
# echo | openssl s_client -connect emu.sbt.net.au:110 2>/dev/null | openssl x509 -noout -enddate
unable to load certificate
139830305752976:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE

Your test does not use starttls on port 110; could you retry like this?
echo | openssl s_client -connect emu.sbt.net.au:110 -starttls pop3 2>/dev/null | openssl x509 -noout -enddate

Is the client's time/date properly configured? For me, all your pop3s/imaps/smtps ports answer fine.
On 3/2/21 at 9:02 PM, Matthias Kneer wrote:
# echo | openssl s_client -connect emu.sbt.net.au:110 2>/dev/null | openssl x509 -noout -enddate
unable to load certificate
139830305752976:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
Your test does not use starttls on port 110; could you retry like this?
echo | openssl s_client -connect emu.sbt.net.au:110 -starttls pop3 2>/dev/null | openssl x509 -noout -enddate
Is the client's time/date properly configured? For me, all your pop3s/imaps/smtps ports answer fine.

I am intrigued about the function of echo in that command line?
-- Yassine.
On 03 Mar 2021, at 02:13, Yassine Chaouche <a.chaouche@algerian-radio.dz> wrote:
On 3/2/21 at 9:02 PM, Matthias Kneer wrote:
echo | openssl s_client -connect emu.sbt.net.au:110 -starttls pop3 2>/dev/null | openssl x509 -noout -enddate
I am intrigued about the function of echo in that command line?
Did you try the command without the "echo |"?
With the echo, the command returns the date immediately and ends. Without it, it returns the date and does not end until you press return again.
For the record, you really should just use the proper port 995.
-- "Are you pondering what I'm pondering?" "Are you pondering cheesesticks?"
On Wed, 3 Mar 2021, Yassine Chaouche wrote:
On 3/2/21 at 9:02 PM, Matthias Kneer wrote:
# echo | openssl s_client -connect emu.sbt.net.au:110 2>/dev/null | openssl x509 -noout -enddate
I am intrigued about the function of echo in that command line?
It's just a dummy input so that openssl s_client doesn't wait for data from stdin. The OP could also have done
openssl s_client ... </dev/null
Joseph Tam <jtam.home@gmail.com>
Quoting Voytek Eymont <voytek@sbt.net.au>:
On Wed, March 3, 2021 1:17 am, Yassine Chaouche wrote:
Hmm, just tried this: 110/143 gives an error, 995/993 doesn't:
I'll try changing TB to SSL/TLS instead of StartTLS, 995 or 993, etc., and see if the error goes away.
# echo | openssl s_client -connect emu.sbt.net.au:110 2>/dev/null | openssl x509 -noout -enddate
On port 110/143 you need to tell the POP3/IMAP server to upgrade the
connection to TLS. In that case, it will work just fine:
# echo | openssl s_client -connect emu.sbt.net.au:110 -starttls pop3 2>/dev/null | openssl x509 -noout -enddate
notAfter=Apr 27 12:11:32 2021 GMT
# echo | openssl s_client -connect emu.sbt.net.au:143 -starttls imap 2>/dev/null | openssl x509 -noout -enddate
notAfter=Apr 27 12:11:32 2021 GMT
Remember that there is a difference between connections that are
upgraded to TLS (110/143) and connections that use SSL by default
(995/993). If you don't tell the first that you want to use TLS, the
server will not present the certificate, unlike the latter.
Regards, Arjen
On 3/2/21 at 9:04 PM, Arjen de Korte wrote:
tl;dr: use -starttls if you want TLS on a non-TLS port.
-- Yassine
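Two things the thread settles, that Dovecot's "SSL alert number 45" is the client rejecting the certificate as expired, and that 110/143 only show a certificate after STARTTLS, as an added Python helper that is not code from anyone in this thread. The sample log line is the one from the first message, its timestamp is assumed to be UTC and used as "now", and the alert-number names are taken from RFC 5246.

```python
import re
import shlex
from datetime import datetime, timezone

# TLS alert descriptions (RFC 5246, section 7.2.2); Dovecot logs only the number.
TLS_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
              44: "certificate_revoked", 45: "certificate_expired",
              46: "certificate_unknown", 48: "unknown_ca"}

# Cleartext ports that need a STARTTLS upgrade, mapped to the protocol name
# openssl s_client -starttls expects; 995/993 speak TLS from the first byte.
STARTTLS_PROTO = {110: "pop3", 143: "imap", 25: "smtp", 587: "smtp"}

LOG_RE = re.compile(r"rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+).*?"
                    r"SSL alert number (?P<alert>\d+)")

def classify_tls_disconnect(line):
    """IPs and TLS alert from a Dovecot *-login line; None if no alert logged."""
    m = LOG_RE.search(line)
    if not m:
        return None
    alert = int(m.group("alert"))
    return {"rip": m.group("rip"), "lip": m.group("lip"), "alert": alert,
            "reason": TLS_ALERTS.get(alert, "alert_%d" % alert)}

def openssl_probe(host, port):
    """Shell pipeline that prints the certificate's notAfter for `port`.
    Without -starttls on 110/143 no certificate is sent and openssl x509
    fails with 'no start line', as in the thread."""
    cmd = ["openssl", "s_client", "-connect", "%s:%d" % (host, port)]
    proto = STARTTLS_PROTO.get(port)
    if proto:
        cmd += ["-starttls", proto]
    # </dev/null does what `echo |` did: s_client sees EOF instead of waiting.
    return (" ".join(shlex.quote(a) for a in cmd)
            + " </dev/null 2>/dev/null | openssl x509 -noout -enddate")

def days_until_expiry(enddate_line, now):
    """Days left in `notAfter=Apr 27 12:11:32 2021 GMT`; negative once expired."""
    stamp = enddate_line.split("=", 1)[1].strip()
    not_after = datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z")
    return (not_after.replace(tzinfo=timezone.utc) - now).days

# Constructed samples: the log line from the first message, and its timestamp
# taken as "now" (assumed UTC) for the expiry arithmetic.
SAMPLE_LOG = ("Mar 02 21:46:24 pop3-login: Info: Disconnected (no auth attempts "
              "in 0 secs): user=<>, rip=111.222.333.444, lip=103.106.168.105, "
              "TLS: SSL_read failed: error:14094415:SSL routines:SSL3_READ_BYTES:"
              "sslv3 alert certificate expired: SSL alert number 45, session=<...>")
LOG_TIME = datetime(2021, 3, 2, 21, 46, 24, tzinfo=timezone.utc)
```

Running `days_until_expiry("notAfter=Apr 27 12:11:32 2021 GMT", LOG_TIME)` gives the same 55 days certbot reported, so the server-side certificate was fine and the alert points at what the client saw on the cleartext port, or at the client's clock.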
participants (7)
- @lbutlr
- Arjen de Korte
- Erwan David
- Joseph Tam
- Matthias Kneer
- Voytek Eymont
- Yassine Chaouche