Seems that sending e-mails via generic mail-client such as Thunderbird is not effective (tested via SSL/TLS on 465 port):
May 1 00:26:42 mail postfix/smtps/smtpd[20034]: connect from ip16-152-107-176.pool-bba.aruba.it[176.107.152.16]
May 1 00:26:42 mail postfix/smtps/smtpd[20034]: SSL_accept error from ip16-152-107-176.pool-bba.aruba.it[176.107.152.16]: -1
May 1 00:26:42 mail postfix/smtps/smtpd[20034]: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:ssl/record/rec_layer_s3.c:1562:SSL alert number 48:
May 1 00:26:42 mail postfix/smtps/smtpd[20034]: lost connection after CONNECT from ip16-152-107-176.pool-bba.aruba.it[176.107.152.16]
May 1 00:26:42 mail postfix/smtps/smtpd[20034]: disconnect from ip16-152-107-176.pool-bba.aruba.it[176.107.152.16] commands=0/0
This seems to be a SSL cert related issue, even if the sending domain actually has a working Let's Encrypt certificate: https://www.sslshopper.com/ssl-checker.html#hostname=000000.it
This issue has already been faced on other occasions (there are additional posts in the forum), but still no solution so far. IMHO, if it's true that this is a common issue, such a problem should be fixed: it's important to be able to send e-mails from a generic client, isn't it? Thanks in advance for advice.
In fact, look here. Self-signed SSL certificate for 465:
enrico@nvme:~$ openssl s_client -connect 000000.it:465
CONNECTED(00000003)
depth=0 OU = Zextras Carbonio, CN = 000000.it
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Zextras Carbonio, CN = 000000.it
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:OU = Zextras Carbonio, CN = 000000.it
   i:O = CA, OU = Zextras Carbonio, CN = 000000.it
---
On the other hand we have a Let's Encrypt SSL certificate for 993:
enrico@nvme:~$ openssl s_client -connect 000000.it:993
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = 000000.it
verify return:1
---
Certificate chain
 0 s:CN = 000000.it
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Or for 995:
enrico@nvme:~$ openssl s_client -connect 000000.it:995
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = 000000.it
verify return:1
---
Certificate chain
 0 s:CN = 000000.it
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
So this is definitely dealing with a self-signed SSL certificate:
TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:ssl/record/rec_layer_s3.c:1562:SSL alert number 48:
Any idea?
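To check several ports the way the two openssl runs above do, but without eyeballing the output, here is an added helper (not from the thread or from Carbonio) that parses an `openssl s_client` transcript and reports whether the leaf certificate is CA-issued and verified or, as on 465 above, issued by an untrusted private CA. The two transcripts are constructed samples modelled on the ones above, with the hostname replaced by the placeholder `mail.example.invalid`.

```python
import re

# Constructed sample transcripts (hostname is a placeholder), modelled on what
# `openssl s_client -connect host:465` / `host:993` print for a Carbonio
# self-issued certificate versus a Let's Encrypt chain.
SELF_SIGNED_465 = """CONNECTED(00000003)
depth=0 OU = Zextras Carbonio, CN = mail.example.invalid
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Zextras Carbonio, CN = mail.example.invalid
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:OU = Zextras Carbonio, CN = mail.example.invalid
   i:O = CA, OU = Zextras Carbonio, CN = mail.example.invalid
---"""

LETSENCRYPT_993 = """CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.example.invalid
verify return:1
---
Certificate chain
 0 s:CN = mail.example.invalid
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---"""


def audit_chain(output: str) -> dict:
    """Summarise an s_client transcript: verify error codes, chain length,
    leaf issuer, and a verdict on why a mail client would (not) trust it."""
    codes = [int(c) for c in re.findall(r"^verify error:num=(\d+):", output, re.M)]
    chain = re.findall(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", output, re.M)  # (subject, issuer) pairs
    if not chain:
        return {"trusted": False, "chain_len": 0, "errors": codes, "issuer": None,
                "verdict": "no certificate chain in output"}
    subject, issuer = chain[0]  # depth 0 is the leaf the client validates
    if subject == issuer:
        verdict = "self-signed leaf certificate"
    elif codes:  # error 20/21: issuer is a private CA or the chain is missing
        verdict = "leaf issued by a CA the client does not trust"
    else:
        verdict = "CA-issued chain verified"
    return {"trusted": not codes, "chain_len": len(chain), "errors": codes,
            "issuer": issuer, "verdict": verdict}
```

Run it on the real output of `openssl s_client -connect host:465 < /dev/null` for each port; any port whose `trusted` is False is one where Thunderbird will raise the "unknown ca" alert seen in the Postfix log.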
So I went ahead, and this is the final result, with regards to 465 port:
enrico@enrico-i7:~$ openssl s_client -connect mail.fucine.email:465
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.fucine.email
verify return:1
---
Certificate chain
 0 s:CN = mail.fucine.email
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:CN = mail.fucine.email
   i:C = US, O = Let's Encrypt, CN = R3
 2 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 3 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
This was the original post, and thanks to Anahuac for the script I used, as per his suggestions: https://www.anahuac.eu/lets-encrypt-on-carbonio-system-root-with-acme-sh/
Of course with initial definitions:
root@mail:~# cat cb_ssl_acme.sh | grep email
domain="fucine.email"
certs_dom="mail.fucine.email"
dom_list="-d mail.fucine.email -d webmail.fucine.email"
cert_path="/root/.acme.sh/mail.fucine.email"
In the end I'm now the happy owner of a working (and not proxied) SMTP:
But, in the end: are we really sure it's fine that Carbonio CE is not actually able to natively handle SMTP sessions (with CA-issued SSL certs) initiated by external mail clients? This is quite a big obstacle, IMHO: users should not be struggling so much just to send an email using a generic mail client, should they?