Hi Arie,

Addressed this issue some time ago. I tried LetsEncrypt and it works flawlessly on port 443, but how do I set it for port 25?

Error log:

Sep 23 18:57:19 www postfix/smtpd[249156]: connect from mail-yw1-f175.google.com[209.85.128.175]

Sep 23 18:57:19 www postfix/smtpd[249156]: TLS SNI ceelie.info from mail-yw1-f175.google.com[209.85.128.175] not matched, using default chain

The Google mailserver established an SMTP TLS connection to "ceelie.info". This is not the name of your BlueOnyx itself, so if at all, then Postfix would serve the TLS request using the SNI certificates that may (or may not) exist for your server.

For starters: Check /etc/postfix/vsite_ssl.map to see if there is a line starting with "ceelie.info" in it. If not, then you may not have configured SSL correctly for that Vsite in question.

To troubleshoot this go to the Vsite that "ceelie.info" is part of, click on "SSL", click on the button "Let's Encrypt" and see if "ceelie.info" is listed under "SSL domain aliases". It *should* be listed on the left-hand side of that table, in which case it will be included in the validity of the requested SSL certificate as a DNS Alias.

In your case "ceelie.info" wasn't a valid SSL SNI host, so no SSL certificate was served. In fact it seems that "ceelie.info" uses a self-signed certificate at this time? If so, then yeah: That won't fly.

Sep 23 18:57:19 www postfix/smtpd[249156]: SSL_accept error from mail-yw1-f175.google.com[209.85.128.175]: -1

Sep 23 18:57:19 www postfix/smtpd[249156]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:2285:

The SSL connection then failed, because of the missing certificate and/or incompatibility of shared protocols.

Sep 23 18:57:19 www postfix/smtpd[249156]: lost connection after STARTTLS from mail-yw1-f175.google.com[209.85.128.175]

And that's where Google hung up on you, ending the connection after having found no common ground to establish a TLS connection.

To cover all the bases, do this: In the GUI of that Vsite check that "ceelie.info" is present as a "Web Server Alias" as well as an "Email Server Alias". Make sure you have DNS A Records and DNS MX Records for it.

Then as mentioned: Under SSL management of that Vsite under "Let's Encrypt" include all "SSL domain aliases" you want active in the Certificate request and request a new SSL certificate.

That will then create a new SSL certificate and it will be integrated into the SNI configuration of Dovecot and Postfix.

--
With best regards

Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
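The checks Michael describes above (find the SNI names smtpd could not match, then see whether each has a line in /etc/postfix/vsite_ssl.map) can be scripted. The following is an added example and not part of the thread or of BlueOnyx: it runs the detection over the log lines quoted in the thread plus one constructed extra line, against a constructed stand-in for vsite_ssl.map whose "<sni-name> <pem files>" layout is assumed to be the Postfix tls_server_sni_maps style (the real BlueOnyx file format is not shown on the page). The optional live check at the end only runs when SNI_CHECK_HOST is set, so the script works offline. The "no shared cipher" error in the log is what OpenSSL reports on the server side when it has no usable certificate/key for the handshake, which is consistent with the reply's reading that no SNI certificate was served for that name.

```shell
#!/bin/sh
# Postfix SNI troubleshooting helper (added example, not BlueOnyx code).

# Constructed sample log: the five smtpd lines from the thread plus one
# extra "not matched" line for a second hostname.
SAMPLE_LOG='Sep 23 18:57:19 www postfix/smtpd[249156]: connect from mail-yw1-f175.google.com[209.85.128.175]
Sep 23 18:57:19 www postfix/smtpd[249156]: TLS SNI ceelie.info from mail-yw1-f175.google.com[209.85.128.175] not matched, using default chain
Sep 23 18:57:19 www postfix/smtpd[249156]: SSL_accept error from mail-yw1-f175.google.com[209.85.128.175]: -1
Sep 23 18:57:19 www postfix/smtpd[249156]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:2285:
Sep 23 18:57:19 www postfix/smtpd[249156]: lost connection after STARTTLS from mail-yw1-f175.google.com[209.85.128.175]
Sep 23 19:02:03 www postfix/smtpd[249160]: TLS SNI example.org from mail-yw1-f176.google.com[209.85.128.176] not matched, using default chain'

# Constructed stand-in for /etc/postfix/vsite_ssl.map. The layout
# "<sni-name> <pem file(s)>" is an assumption (Postfix tls_server_sni_maps
# style); ceelie.info is deliberately absent, as in the thread.
SAMPLE_MAP='www.example.com /etc/ssl/certs/www.example.com.pem
example.org /etc/ssl/certs/example.org.pem'
MAPFILE=$(mktemp)
trap 'rm -f "$MAPFILE"' EXIT
printf '%s\n' "$SAMPLE_MAP" > "$MAPFILE"

# Read smtpd log lines on stdin; print each SNI name that Postfix logged as
# "not matched", one per line, de-duplicated and sorted.
unmatched_sni_names() {
    sed -n 's/^.*TLS SNI \([^ ]*\) from .* not matched.*$/\1/p' | sort -u
}

# Exit 0 if the map file ($2) has an entry whose first field is exactly $1.
# Exact-match on the first field, so "example" does not match "example.org".
sni_map_has() {
    awk -v n="$1" '$1 == n { found = 1 } END { exit found ? 0 : 1 }' "$2"
}

# Read log lines on stdin, check every unmatched SNI name against the map ($1)
# and print one verdict line per name.
diagnose() {
    mapfile=$1
    unmatched_sni_names | while IFS= read -r name; do
        if sni_map_has "$name" "$mapfile"; then
            printf '%s: present in map - verify the PEM it points to is the issued cert\n' "$name"
        else
            printf '%s: MISSING from map - add it as an SSL domain alias and reissue the cert\n' "$name"
        fi
    done
}

# Live check (network): ask the MTA for the cert it serves for a given SNI
# name on port 25. Only runs when SNI_CHECK_HOST is set, e.g.
#   SNI_CHECK_HOST=mail.example.com sh sni_check.sh ceelie.info
live_check() {
    host=$1; name=$2
    openssl s_client -connect "$host:25" -starttls smtp -servername "$name" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# Demo run on the constructed data.
printf '%s\n' "$SAMPLE_LOG" | diagnose "$MAPFILE"
if [ -n "${SNI_CHECK_HOST:-}" ] && [ -n "${1:-}" ]; then
    live_check "$SNI_CHECK_HOST" "$1"
fi
```

On a real server replace the sample data with `diagnose /etc/postfix/vsite_ssl.map < /var/log/maillog`. If the map is wired into Postfix as a hash: table, an edited source file only takes effect after `postmap` rebuilds the .db and Postfix is reloaded; the BlueOnyx GUI path Michael describes takes care of that for you, so prefer it over hand-editing the map.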