courieresmtpd: STARTTLS failed: Certificate is bad

courieresmtpd: STARTTLS failed: Certificate is bad

Lucio Crusca-2
Hello,

I've just installed a new Courier instance in a new Debian GNU/Linux 9
amd64 server from distro packages.

This Courier should act as smart relay for another server and nothing else.

So far I've enabled courier-mta and courier-msa systemd services,
changed the ports they listen on and created a real system account for
mail relay (authpam). I've also left

TLS_VERIFYPEER=NONE

in /etc/courier/courierd.

Then I tested the smarthost from Thunderbird, by configuring it as
outgoing server. It does not work. When TB tries to send a message, it
connects to the non-default MSA port, it starts talking to the server
(STARTTLS) for a few seconds, then it fails for "unknown reason".
Server-side, in the logs, I get:

Jul 19 04:48:17 mrelay courieresmtpd: started,ip=[::ffff:80.180.158.103]
Jul 19 04:48:18 mrelay courieresmtpd: courieresmtpd: STARTTLS failed:
Certificate is bad

I don't know what to try next.

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
courier-users mailing list
[hidden email]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: courieresmtpd: STARTTLS failed: Certificate is bad

Sam Varshavchik
Lucio Crusca writes:

> Hello,
>
> I've just installed a new Courier instance in a new Debian GNU/Linux 9 amd64  
> server from distro packages.
>
> This Courier should act as smart relay for another server and nothing else.
>
> So far I've enabled courier-mta and courier-msa systemd services, changed
> the ports they listen on and created a real system account for mail relay
> (authpam). I've also left
>
> TLS_VERIFYPEER=NONE
>
> in /etc/courier/courierd.
>
> Then I tested the smarthost from Thunderbird, by configuring it as outgoing  
> server. It does not work. When TB tries to send a message, it connects to  
> the non-default MSA port, it starts talking to the server (STARTTLS) for a  
> few seconds, then it fails for "unknown reason". Server-side, in the logs, I  
> get:
>
> Jul 19 04:48:17 mrelay courieresmtpd: started,ip=[::ffff:80.180.158.103]
> Jul 19 04:48:18 mrelay courieresmtpd: courieresmtpd: STARTTLS failed:  
> Certificate is bad
>
> I don't know what to try next.
Check the server's certificate, esmtpd.pem. That's the only certificate in  
play here. The file is probably corrupted.


Re: courieresmtpd: STARTTLS failed: Certificate is bad

Lucio Crusca-2


On 19/07/2017 12:56, Sam Varshavchik wrote:
> Check the server's certificate, esmtpd.pem. That's the only certificate
> in play here. The file is probably corrupted.

At first glance it seems ok, the structure is the same as another file
in another Courier server I run that works correctly (except the keys
are not the same, obviously).

I haven't created that file myself nor obtained it from third parties:
it's the self signed certificate provided by the default courier
packages installation.




Re: courieresmtpd: STARTTLS failed: Certificate is bad

Lucio Crusca-2


On 19/07/2017 15:46, PICCORO McKAY Lenz wrote:
> you should recreate and then test it!
>

Forgot to mention, but I did remove the courier packages, the
/etc/courier folder, the APT package cache and reinstalled.

During reinstallation the system created the self signed certificate
again, but nothing changed.

Client side this is what I get:

$ swaks -a -tls -q HELO -s mrelay -au test -ap '<>' -p 25587
=== Trying mrelay:25587...
=== Connected to mrelay.
<** Timeout (30 secs) waiting for server response
  -> QUIT
<** 220 mrelay ESMTP
=== Connection closed with remote host.



Re: courieresmtpd: STARTTLS failed: Certificate is bad

PICCORO McKAY Lenz
Did you report it to the Debian bug tracker again? Using reportbug? (Well, today it's not as it was in the past, but it must be reported too.)

Lenz McKAY Gerardo (PICCORO)

2017-07-19 9:57 GMT-04:00 Lucio Crusca <[hidden email]>:

> On 19/07/2017 15:46, PICCORO McKAY Lenz wrote:
> > you should recreate and then test it!
>
> Forgot to mention, but I did remove the courier packages, the /etc/courier folder, the APT package cache and reinstalled.
>
> During reinstallation the system created the self signed certificate again, but nothing changed.
>
> Client side this is what I get:
>
> $ swaks -a -tls -q HELO -s mrelay -au test -ap '<>' -p 25587
> === Trying mrelay:25587...
> === Connected to mrelay.
> <** Timeout (30 secs) waiting for server response
>  -> QUIT
> <** 220 mrelay ESMTP
> === Connection closed with remote host.




Re: courieresmtpd: STARTTLS failed: Certificate is bad

Lucio Crusca-2
On 19/07/2017 16:00, PICCORO McKAY Lenz wrote:
> Did you report it to the Debian bug tracker again? Using reportbug?

Well no, but before reporting I'd like to be sure it's not my fault.


Re: courieresmtpd: STARTTLS failed: Certificate is bad

Matus UHLAR - fantomas
>On 19/07/2017 15:46, PICCORO McKAY Lenz wrote:
>>you should recreate and then test it!

On 19.07.17 15:57, Lucio Crusca wrote:
>Forgot to mention, but I did remove the courier packages, the
>/etc/courier folder, the APT package cache and reinstalled.

Did you remove or purge the packages?
A quite common problem on Debian and derivatives is that you remove
packages but don't purge them (clean up configuration files).

Package management remembers that the configuration files are installed and
does not create them again. When you remove them manually, they won't get
installed either.

This can lead to troubles similar to those you describe.

>During reinstallation the system created the self signed certificate
>again, but nothing changed.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Enter any 12-digit prime number to continue.


Re: courieresmtpd: STARTTLS failed: Certificate is bad

Lucio Crusca-2
On 19/07/2017 17:06, Matus UHLAR - fantomas wrote:
>> On 19/07/2017 15:46, PICCORO McKAY Lenz wrote:
>>> you should recreate and then test it!
>
> On 19.07.17 15:57, Lucio Crusca wrote:
>> Forgot to mention, but I did remove the courier packages, the
>> /etc/courier folder, the APT package cache and reinstalled.
>
> Did you remove or purge the packages?

Purged.


Re: courieresmtpd: STARTTLS failed: Certificate is bad

Alessandro Vesely
On Wed 19/Jul/2017 14:28:23 +0200 Lucio Crusca wrote:

> On 19/07/2017 12:56, Sam Varshavchik wrote:
>> Check the server's certificate, esmtpd.pem. That's the only certificate
>> in play here. The file is probably corrupted.
>
> At first glance it seems ok, the structure is the same as another file in
> another Courier server I run that works correctly (except the keys are not the
> same, obviously).
>
> I haven't created that file myself nor obtained it from third parties: it's the
> self signed certificate provided by the default courier packages installation.

Did you actually check it?  I mean

  certtool -i --infile /etc/courier/esmtpd.pem

or

  openssl x509 -text -in /etc/courier/esmtpd.pem

Ale

Re: courieresmtpd: STARTTLS failed: Certificate is bad

Lucio Crusca-2
On 19/07/2017 19:22, Alessandro Vesely wrote:
> Did you actually check it?  I mean
>
>   certtool -i --infile /etc/courier/esmtpd.pem
>
> or
>
>   openssl x509 -text -in /etc/courier/esmtpd.pem

Both tools read the file without errors and display the certificate
information, the modulus, the signature and the certificate.


Re: courieresmtpd: STARTTLS failed: Certificate is bad

Markus Wanner
Hello Lucio,

On 07/19/2017 11:26 AM, Lucio Crusca wrote:
> So far I've enabled courier-mta and courier-msa systemd services,
> changed the ports they listen on and created a real system account for
> mail relay (authpam). I've also left
>
> TLS_VERIFYPEER=NONE

Could it be an invalid peer certificate nonetheless? Does the same
message appear if you try with openssl as the client, i.e.:

  openssl s_client -starttls smtp -crlf -connect $HOST:587

> Jul 19 04:48:17 mrelay courieresmtpd: started,ip=[::ffff:80.180.158.103]
> Jul 19 04:48:18 mrelay courieresmtpd: courieresmtpd: STARTTLS failed:
> Certificate is bad
>
> I don't know what to try next.

Permissions of /etc/courier/esmtpd.pem?

Is it a PRIVATE KEY followed by the CERTIFICATE(s)?

Just a few checks that come to mind; they might well be irrelevant, though.

Kind Regards

Markus Wanner
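The checks Markus lists (key-then-certificate layout, file permissions, and whether key and certificate actually belong together), as an added shell example that is not from this thread or from Courier itself. It assumes a find(1) that understands -maxdepth and -perm -004, and an openssl binary for the last function only; the sample files it writes are constructed filler, not real key material.

```sh
#!/bin/sh
# Added example (not Courier's code): offline sanity checks for an esmtpd.pem
# laid out the way Courier wants it: PRIVATE KEY block first, then CERTIFICATE(s).

# pem_layout_ok FILE: succeed only if the first PEM block is a private key, at
# least one CERTIFICATE block follows it, and every BEGIN line has its END line.
pem_layout_ok() {
    awk '
        /^-----BEGIN .*PRIVATE KEY-----$/ { if (n++ == 0) keyfirst = 1; open++; next }
        /^-----BEGIN CERTIFICATE-----$/   { if (n++ > 0 && keyfirst) certs++; open++; next }
        /^-----END /                       { open--; next }
        END { if (keyfirst && certs > 0 && open == 0) exit 0; exit 1 }
    ' "$1"
}

# pem_perms_ok FILE: the file holds the private key, so it must be readable by
# us but not by everyone (which user Courier itself needs is a packaging detail).
pem_perms_ok() {
    [ -r "$1" ] && [ -z "$(find "$1" -maxdepth 0 -perm -004)" ]
}

# key_matches_cert FILE: with openssl present, confirm the key and the first
# certificate are a pair (a mismatched pair also makes the TLS handshake fail).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# make_sample KIND: write a constructed dummy file (the base64 is filler, not a
# real key) to a temp file and print its path. KIND: good | certfirst | truncated.
make_sample() {
    f=$(mktemp) || return 1
    key='-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKconstructedFILLERnotAREALkey000000000000000000000000
-----END RSA PRIVATE KEY-----'
    cert='-----BEGIN CERTIFICATE-----
MIIBWzCCAQWgAwIBAgIconstructedFILLERnotAREALcertificate00000000000
-----END CERTIFICATE-----'
    case "$1" in
        good)      printf '%s\n%s\n' "$key" "$cert" > "$f" ;;
        certfirst) printf '%s\n%s\n' "$cert" "$key" > "$f" ;;
        truncated) printf '%s\n%s\n' "$key" '-----BEGIN CERTIFICATE-----' > "$f" ;;
        *)         rm -f "$f"; return 1 ;;
    esac
    chmod 600 "$f" && echo "$f"
}
```

Run the three checks against /etc/courier/esmtpd.pem itself; the make_sample cases only exist to show which layouts the layout check rejects.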



Re: courieresmtpd: STARTTLS failed: Certificate is bad

Alessandro Vesely
On Wed 19/Jul/2017 22:22:13 +0200 Lucio Crusca wrote:

> On 19/07/2017 19:22, Alessandro Vesely wrote:
>> Did you actually check it?  I mean
>>
>>   certtool -i --infile /etc/courier/esmtpd.pem
>>
>> or
>>
>>   openssl x509 -text -in /etc/courier/esmtpd.pem
>
> Both tools read the file without errors and display the certificate
> information, the modulus, the signature and the certificate.

You could try:

   TLS_CERTFILE=/etc/courier/esmtpd.pem couriertls -tcpd < /dev/null

This will fail, complaining that /dev/null is not a socket.  However, any
permissions problem, malformed file, and similar will be spotted beforehand.

Ale