
Sending e-mails via generic mail-client such as Thunderbird is not effective

(@fucine)
Joined: 8 months ago
Posts: 6
Topic starter  

It seems that sending e-mails via a generic mail client such as Thunderbird is not effective (tested via SSL/TLS on port 465):

May  1 00:26:42 mail postfix/smtps/smtpd[20034]: connect from ip16-152-107-176.pool-bba.aruba.it[176.107.152.16]
May  1 00:26:42 mail postfix/smtps/smtpd[20034]: SSL_accept error from ip16-152-107-176.pool-bba.aruba.it[176.107.152.16]: -1
May  1 00:26:42 mail postfix/smtps/smtpd[20034]: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:ssl/record/rec_layer_s3.c:1562:SSL alert number 48:
May  1 00:26:42 mail postfix/smtps/smtpd[20034]: lost connection after CONNECT from ip16-152-107-176.pool-bba.aruba.it[176.107.152.16]
May  1 00:26:42 mail postfix/smtps/smtpd[20034]: disconnect from ip16-152-107-176.pool-bba.aruba.it[176.107.152.16] commands=0/0

This seems to be an SSL cert-related issue, even if the sending domain actually has a working Let's Encrypt certificate: https://www.sslshopper.com/ssl-checker.html#hostname=000000.it

This issue has already been faced on other occasions (there are additional posts in the forum), but there is still no solution so far. IMHO, if it's true that this is a common issue, such a problem should be fixed: it's important to be able to send e-mails from a generic client, isn't it? Thanks in advance for any advice.


   
(@fucine)
Joined: 8 months ago
Posts: 6
Topic starter  

In fact, look here. Self-signed SSL certificate for 465:

enrico@nvme:~$ openssl s_client -connect 000000.it:465
CONNECTED(00000003)
depth=0 OU = Zextras Carbonio, CN = 000000.it
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Zextras Carbonio, CN = 000000.it
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:OU = Zextras Carbonio, CN = 000000.it
i:O = CA, OU = Zextras Carbonio, CN = 000000.it
---

On the other hand, we have a Let's Encrypt SSL certificate for 993:

enrico@nvme:~$ openssl s_client -connect 000000.it:993
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = 000000.it
verify return:1
---
Certificate chain
0 s:CN = 000000.it
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---

Or for 995:

enrico@nvme:~$ openssl s_client -connect 000000.it:995
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = 000000.it
verify return:1
---
Certificate chain
0 s:CN = 000000.it
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---

So this definitely has to do with the self-signed SSL certificate:

TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:ssl/record/rec_layer_s3.c:1562:SSL alert number 48:

Any idea?


   
(@fucine)
Joined: 8 months ago
Posts: 6
Topic starter  

So I went ahead, and this is the final result, with regard to port 465:

enrico@enrico-i7:~$ openssl s_client -connect mail.fucine.email:465
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.fucine.email
verify return:1
---
Certificate chain
 0 s:CN = mail.fucine.email
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:CN = mail.fucine.email
   i:C = US, O = Let's Encrypt, CN = R3
 2 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 3 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---

This was the original post, and thanks to Anahuac for the script I used, as per his suggestions: https://www.anahuac.eu/lets-encrypt-on-carbonio-system-root-with-acme-sh/
Of course with initial definitions:

root@mail:~# cat cb_ssl_acme.sh | grep email
domain="fucine.email"
certs_dom="mail.fucine.email"
dom_list="-d mail.fucine.email -d webmail.fucine.email"
cert_path="/root/.acme.sh/mail.fucine.email"

In the end I'm now the happy owner of a working (and not proxied) SMTP:

ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@fucine.email header.s=01216EEE-023D-11EF-987A-4AE147F8BAB3 header.b=L25mc66H;
       spf=pass (google.com: domain of server@fucine.email designates 217.198.129.96 as permitted sender) smtp.mailfrom=server@fucine.email;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=fucine.email
Return-Path: <server@fucine.email>
Received: from fucine.email (ip96-129-198-217.pool-bba.aruba.it. [217.198.129.96])
        by mx.google.com with ESMTPS id x20-20020aa7d6d4000000b005729db28b97si4804821edr.93.2024.05.06.06.39.30
        for <fucine@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 06 May 2024 06:39:30 -0700 (PDT)
Received-SPF: pass (google.com: domain of server@fucine.email designates 217.198.129.96 as permitted sender) client-ip=217.198.129.96;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@fucine.email header.s=01216EEE-023D-11EF-987A-4AE147F8BAB3 header.b=L25mc66H;
       spf=pass (google.com: domain of server@fucine.email designates 217.198.129.96 as permitted sender) smtp.mailfrom=server@fucine.email;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=fucine.email
User-Agent: Mozilla Thunderbird
Received: from [192.168.178.100] (ip96-129-198-217.pool-bba.aruba.it [217.198.129.96]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by fucine.email (Postfix) with ESMTPSA id 9908638EA9D for <fucine@gmail.com>; Mon,
  6 May 2024 15:39:28 +0200 (CEST)

But, in the end: are we really sure that it's fine that Carbonio CE is not actually able to natively handle SMTP sessions (with CA-issued SSL certs) initiated by external mail clients? This is quite a big obstacle, IMHO: users should not have to struggle so much just to send an email using a generic mail client, should they?


   
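Added example (not part of the original posts, and not Carbonio or acme.sh code): a small Python parser for the `openssl s_client` transcripts shown in this thread. It groups ports by the issuer of the leaf certificate each one presents, which is the comparison made by hand in the second post, and reports chain entries whose subject repeats or that are self-issued, as in the final chain of the third post. The transcript constants are abridged from the posts above; the function names are made up for this example.

```python
import re
from collections import defaultdict

# Abridged from the transcripts in the posts above (995 matches 993 there).
PORT_465 = """\
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
---
Certificate chain
0 s:OU = Zextras Carbonio, CN = 000000.it
i:O = CA, OU = Zextras Carbonio, CN = 000000.it
---
"""
PORT_993 = """\
verify return:1
---
Certificate chain
0 s:CN = 000000.it
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
"""

def analyze(transcript):
    """Extract verify errors and chain shape from `openssl s_client` output."""
    errors = re.findall(r"^verify error:num=(\d+):", transcript, re.M)
    # A chain entry is "N s:<subject>" then "i:<issuer>"; indentation varies.
    chain = re.findall(r"^[ \t]*\d+ s:(.+)\n[ \t]*i:(.+)$", transcript, re.M)
    chain = [(s.strip(), i.strip()) for s, i in chain]
    subjects = [s for s, _ in chain]
    return {
        "verify_errors": sorted({int(n) for n in errors}),
        "leaf_issuer": chain[0][1] if chain else None,
        "duplicates": sorted({s for s in subjects if subjects.count(s) > 1}),
        # subject == issuer: a self-issued certificate (e.g. a root) was sent.
        "root_sent": any(s == i for s, i in chain),
    }

def group_ports_by_issuer(transcripts):
    """Map leaf issuer -> ports presenting it; several keys mean a mismatch."""
    groups = defaultdict(list)
    for port in sorted(transcripts):
        groups[analyze(transcripts[port])["leaf_issuer"]].append(port)
    return dict(groups)

if __name__ == "__main__":
    for issuer, ports in group_ports_by_issuer({465: PORT_465, 993: PORT_993}).items():
        print(ports, "->", issuer)
```

For a live check, capture each port's output with `openssl s_client -connect host:port </dev/null 2>&1` and pass the text to `analyze`.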