TLS authentication issues with Outlook + Dovecot + Postfix + CentOS

axxis_inf

TLS authentication issues with Outlook + Dovecot + Postfix + CentOS

Post by axxis_inf » 2022/04/18 20:30:57

I hope you are well! I'm new to unmanaged VPS hosting and I'm running a Contabo server with CentOS 8 and AaPanel. My problem is with the SMTP connection from Outlook: my server is only accepting SMTP connections with STARTTLS or without any kind of encryption, but I would like to accept connections with TLS. I'm using Postfix and Dovecot for email management. I'm attaching my configuration files; thank you all in advance.

NOTE: POP3 and IMAP are working perfectly; SMTP also, but on port 587 without encryption. I had to remove some commented lines to be able to post the question here.

The problem is that I can't connect with TLS. I would like to send email through Outlook, for example, using port 587 with TLS. I would also like to send and receive using the Outlook forwarding service, but it doesn't work, or doesn't finish the wizard setup. In the links below you have screenshots of most of the information that I managed to collect. If you can take a look I would appreciate it.

Error log screenshots: https://imgur.com/a/94cN8ef

dovecot.conf

protocols = imap pop3 lmtp
#listen = *, ::
#base_dir = /var/run/dovecot/
#instance_name = dovecot

# Greeting message for clients.
#login_greeting = Dovecot ready.
#login_trusted_networks =

# Space separated list of login access check sockets (e.g. tcpwrap)
#login_access_sockets = 
#auth_proxy_self =
#verbose_proctitle = no
#shutdown_clients = yes
#doveadm_socket_path = doveadm-server
#import_environment = TZ

dict {
  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
  #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}

namespace inbox {
  inbox = yes

  mailbox Trash {
    auto = subscribe # autocreate and autosubscribe the Trash mailbox
    special_use = \Trash
  }
  mailbox Sent {
    auto = subscribe # autocreate and autosubscribe the Sent mailbox
    special_use = \Sent
  }
  mailbox Junk {
    auto = subscribe # autocreate and autosubscribe the Junk mailbox
    special_use = \Junk
  }
  mailbox Drafts {
    auto = subscribe # autocreate and autosubscribe the Drafts mailbox
    special_use = \Drafts
  }
}

!include conf.d/*.conf
!include_try local.conf

postfix/main.cf

compatibility_level = 2
#soft_bounce = no

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
#default_privs = nobody

#myhostname = host.domain.tld
#myhostname = virtual.domain.tld
#mydomain = domain.tld
#myorigin = $myhostname
#myorigin = $mydomain

# RECEIVING MAIL
#inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
inet_interfaces = all

# Enable IPv4, and IPv6 if supported
#inet_protocols = ipv4
#proxy_interfaces =
#proxy_interfaces = 1.2.3.4

mydestination = 
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
#   mail.$mydomain, www.$mydomain, ftp.$mydomain

#local_recipient_maps = unix:passwd.byname $alias_maps
#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
#local_recipient_maps =
unknown_local_recipient_reject_code = 550

#mynetworks_style = class
#mynetworks_style = subnet
#mynetworks_style = host
#mynetworks = 168.100.189.0/28, 127.0.0.0/8
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table
#relay_domains = $mydestination

# INTERNET OR INTRANET
#relayhost = $mydomain
#relayhost = [gateway.my.domain]
#relayhost = [mailserver.isp.tld]
#relayhost = uucphost
#relayhost = [an.ip.add.ress]
#relay_recipient_maps = hash:/etc/postfix/relay_recipients
#in_flow_delay = 1s

#alias_maps = dbm:/etc/aliases
alias_maps = hash:/etc/aliases
#alias_maps = hash:/etc/aliases, nis:mail.aliases
#alias_maps = netinfo:/aliases
#alias_database = dbm:/etc/aliases
#alias_database = dbm:/etc/mail/aliases
alias_database = hash:/etc/aliases
#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases

#recipient_delimiter = +
#home_mailbox = Mailbox
#home_mailbox = Maildir/
#mail_spool_directory = /var/mail
#mail_spool_directory = /var/spool/mail
#mailbox_command = /some/where/procmail
#mailbox_command = /some/where/procmail -a "$EXTENSION"
#mailbox_transport = cyrus
#fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
#fallback_transport =
#luser_relay = $user@other.host
#luser_relay = $local@other.host
#luser_relay = admin+$local
#header_checks = regexp:/etc/postfix/header_checks
#fast_flush_domains = $relay_domains
#smtpd_banner = $myhostname ESMTP $mail_name
#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
#local_destination_concurrency_limit = 2
#default_destination_concurrency_limit = 20

debug_peer_level = 2
#debug_peer_list = 127.0.0.1
#debug_peer_list = some.domain
debugger_command =
     PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
     ddd $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man

# sample_directory: The location of the Postfix sample configuration files.
# This parameter is obsolete as of Postfix 2.1.
#
sample_directory = /usr/share/doc/postfix3-3.4.9/samples

# readme_directory: The location of the Postfix README files.
#
readme_directory = /usr/share/doc/postfix3-3.4.9/README_FILES
meta_directory = /etc/postfix
shlib_directory = /usr/lib/postfix

myhostname = kitnetcaioba.com.br
virtual_mailbox_domains = sqlite:/etc/postfix/sqlite_virtual_domains_maps.cf
virtual_alias_maps = sqlite:/etc/postfix/btrule.cf
virtual_mailbox_maps = sqlite:/etc/postfix/sqlite_virtual_mailbox_maps.cf, sqlite:/etc/postfix/sqlite_virtual_alias_domain_mailbox_maps.cf
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_use_tls = yes
smtp_tls_security_level = may
smtpd_tls_security_level = may
virtual_transport = lmtp:unix:private/dovecot-lmtp
smtpd_milters = inet:127.0.0.1:11332
non_smtpd_milters = inet:127.0.0.1:11332
# Added the next 2 lines
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_protocol = 6
milter_default_action = accept
message_size_limit = 102400000

smtp_tls_CAfile = /root/rootCACert.pem
smtpd_tls_CAfile = /root/rootCACert.pem
# Check: the next two values appear swapped. smtpd_tls_key_file must point at the
# private key (privkey.pem) and smtpd_tls_cert_file at the certificate chain (fullchain.pem).
smtpd_tls_key_file = /www/server/panel/plugin/mail_sys/cert/mail.kitnetcaioba.com.br/fullchain.pem
smtpd_tls_cert_file = /www/server/panel/plugin/mail_sys/cert/mail.kitnetcaioba.com.br/privkey.pem
#smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
#smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
smtpd_tls_dh1024_param_file = /etc/pki/tls/private/postfix.dh.param

#ssl_cert = < /www/server/panel/plugin/mail_sys/cert/kitnetcaioba.com.br/fullchain.pem
#ssl_key = < /www/server/panel/plugin/mail_sys/cert/kitnetcaioba.com.br/privkey.pem
#smtpd_tls_chain_files = /etc/pki/dovecot/private/dovecot.pem,/etc/pki/dovecot/certs#/dovecot.pem
#tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map

postfix/master.cf

smtp      inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
# We commented out -o smtpd_tls_security_level=may
# When I change the line below, Outlook stops.
  -o smtpd_enforce_tls=no
  -o smtpd_tls_security_level=
  -o smtpd_tls_auth_only=no
# -o smtpd_sasl_auth_enable=yes
# We commented out -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  Original: -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# Original; we commented out -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       n       -       -       qmqpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
        -o syslog_name=postfix/$service_name
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache

Whoever

Re: TLS authentication issues with Outlook + Dovecot + Postfix + CentOS

Post by Whoever » 2022/04/18 23:40:24

What does Postfix's log say about the failed connection?

If connecting to port 587, you probably need to use "-starttls smtp" in your openssl command:

openssl s_client -connect  mail.kitnetcaioba.com.br:587 -starttls smtp
CONNECTED(00000003)
140037073183936:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:331:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 287 bytes and written 359 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

Also, this is problematic:

smtp_tls_CAfile = /root/rootCACert.pem
smtpd_tls_CAfile = /root/rootCACert.pem

The webserver process should not be able to access anything in /root. You need to move these files somewhere that the webserver process can access them.
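Before touching Outlook again, it helps to lint the two Postfix files for the settings that decide whether 587 and 465 actually offer TLS: the posted master.cf leaves the submission service with an empty smtpd_tls_security_level and smtpd_tls_auth_only=no, and the posted main.cf points smtpd_tls_key_file at fullchain.pem and smtpd_tls_cert_file at privkey.pem. The Python below is an added example, not code from the thread or from the Postfix project; it parses small constructed excerpts of both files (the /etc/pki/mail paths are placeholders, the key/cert swap check is a file-name heuristic) and also builds a corrected pair with explicit encrypt/yes overrides and the file names swapped back, which the lint passes clean.

```python
import re
# Constructed excerpts mirroring the thread's master.cf and main.cf (placeholder paths, not the poster's files).
MASTER_CF_WEAK = """\
submission inet n       -       n       -       -       smtpd
 -o smtpd_tls_security_level=
 -o smtpd_tls_auth_only=no
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
"""
MAIN_CF_WEAK = """\
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/pki/mail/fullchain.pem
smtpd_tls_cert_file = /etc/pki/mail/privkey.pem
"""
MASTER_CF_FIXED = MASTER_CF_WEAK.replace("level=\n", "level=encrypt\n").replace("auth_only=no", "auth_only=yes")
MAIN_CF_FIXED = MAIN_CF_WEAK.replace("fullchain", "@").replace("privkey", "fullchain").replace("@", "privkey")

def parse_master(text):
    """Map each master.cf service name to its '-o name=value' overrides on continuation lines."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = re.match(r"\s+-o\s+([^=\s]+)=(.*)", line)
        if m and current:
            services[current][m.group(1)] = m.group(2).strip()
        elif not line[0].isspace():
            current = line.split()[0]
            services[current] = {}
    return services

def parse_main(text):
    """Flat name=value map of a main.cf excerpt (single-line values only)."""
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l and not l.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def lint_tls(master_text, main_text):
    """Flag settings that keep a client from getting TLS on 587/465 or that break the server cert."""
    main, master = parse_main(main_text), parse_master(master_text)
    sub, smtps, findings = master.get("submission", {}), master.get("smtps", {}), []
    if sub.get("smtpd_tls_security_level", main.get("smtpd_tls_security_level", "")) == "":
        findings.append("submission: empty smtpd_tls_security_level falls back to legacy smtpd_use_tls; set encrypt")
    if sub.get("smtpd_tls_auth_only", main.get("smtpd_tls_auth_only", "no")) != "yes":
        findings.append("submission: smtpd_tls_auth_only is not yes, so AUTH is offered on the plaintext channel")
    if smtps.get("smtpd_tls_wrappermode") != "yes":
        findings.append("smtps: smtpd_tls_wrappermode=yes missing, implicit TLS on 465 cannot work")
    # File-name heuristic only: key_file must hold the private key, cert_file the certificate chain.
    if "privkey" in main.get("smtpd_tls_cert_file", "") or "fullchain" in main.get("smtpd_tls_key_file", ""):
        findings.append("main.cf: smtpd_tls_key_file and smtpd_tls_cert_file appear swapped")
    return findings
```

lint_tls(MASTER_CF_WEAK, MAIN_CF_WEAK) returns three findings (security level, auth_only, swapped files) while the fixed pair returns an empty list; on a real host, run it over the output of postconf -n and postconf -M rather than hand-pasted excerpts.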
