Hi Michael,

Followed your instructions and it works like a charm. Thank you!

________________________________
From: Blueonyx <blueonyx-boun...@mail.blueonyx.it> on behalf of Michael Stauber via Blueonyx <blueonyx@mail.blueonyx.it>
Sent: Sunday, 24 September 2023 18:33
To: blueonyx@mail.blueonyx.it <blueonyx@mail.blueonyx.it>
Subject: [BlueOnyx:26514] Re: [EXTERNAL] Re: SSL error when receiving mail from GMAIL
Hi Arie,

> Vsite web- and mailserver aliases are www.ceelie.info, ceelie.info and mail.ceelie.info.
> I've selected those three in the LetsEncrypt! module.

Very well. But why does ...

https://www.ceelie.info/
https://mail.ceelie.info/
https://ceelie.info/

... bring up a webpage(s) with a self-signed certificate? See:

https://www.ssllabs.com/ssltest/analyze.html?d=ceelie.info&hideResults=on&ignoreMismatch=on&latest

> As for the hosting DNS, these are the settings.

Take a look at this: https://www.blueonyx.it/dns-for-email

The righthand side of the DNS MX records (where it points to) must be the FQDN of the Vsite as shown in the Vsite List. So in your case that should be "www.ceelie.info" and not just "ceelie.info". The reason for this is how Sendmail/Postfix match the email aliases to local user accounts.

Here is a third party site for checking TLS: https://www.checktls.com/

When I try it against a correctly configured 5210R or 5211R it checks out just fine. When I test it against ad...@ceelie.info it errors out because you have a self-signed SSL certificate in your certificate chain:

--------------------------------------------------------------
-----END CERTIFICATE-----
subject=C = NL, L = Leiden, O = Ceelie, CN = mail.ceelie.info, emailAddress = elpa...@ceelie.info
issuer=C = NL, L = Leiden, O = Ceelie, CN = mail.ceelie.info, emailAddress = elpa...@ceelie.info
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2438 bytes and written 426 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate) <--- !!!!!
--------------------------------------------------------------

Make sure the GUI of the BlueOnyx has a valid SSL certificate (Let's Encrypt or other), too. Because in an SNI environment the GUI cert is the first certificate in the SNI certificate chain.

So I see three issues:

- DNS best practices for BlueOnyx not followed
- BlueOnyx GUI has no valid SSL certificate
- Vsite itself seems to have a self-signed certificate

> When trying ...
>
> openssl s_client -starttls smtp -connect <servername>:<port>
>
> ... all three servernames/domains fail for port 25 and 587.
> Port 443 gives a CONNECTED(00000003). Nothing more.

Yes, because that OpenSSL client command has the option "-starttls smtp" for checking SMTP specifically.

Use this to check the web based TLS:

openssl s_client -connect <URL-or-IP>:443

Or this to check the GUI HTTPS:

openssl s_client -connect <URL-or-IP>:81

I'm not sure what you're doing there, but either you're not supplying the correct information and the Vsite name is different than "www.ceelie.info" and/or you're not following the instructions and best practices for BlueOnyx.

If you want, contact me offlist and/or supply a "Support Request" via the GUI with "Allow access" ticked and I'll take a look directly at the server.

--
With best regards

Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
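The thread turns on two checks: reading the `openssl s_client` output for the "self-signed certificate" verify result, and making sure the MX target is the Vsite FQDN rather than a bare alias. The script below is an added example, not code from the thread or from BlueOnyx: it parses the kind of `s_client` output quoted above (the self-signed sample is copied from the thread; the clean sample and the `mail.example.test` names are constructed) and returns findings instead of leaving the reader to spot the `Verify return code: 18` line by eye. The `mx_points_at_vsite` helper is a hypothetical name for the DNS rule Michael describes.

```python
"""Added example: flag a self-signed chain in `openssl s_client` output and
check an MX target against the BlueOnyx Vsite FQDN rule. Not part of the
BlueOnyx thread or project."""
import re

# Constructed sample, copied from the s_client excerpt quoted in the thread.
SAMPLE_SELF_SIGNED = """\
-----END CERTIFICATE-----
subject=C = NL, L = Leiden, O = Ceelie, CN = mail.ceelie.info, emailAddress = elpa...@ceelie.info
issuer=C = NL, L = Leiden, O = Ceelie, CN = mail.ceelie.info, emailAddress = elpa...@ceelie.info
---
SSL handshake has read 2438 bytes and written 426 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 18 (self-signed certificate) <--- !!!!!
"""

# Constructed sample of a handshake whose chain verifies (names are illustrative).
SAMPLE_OK = """\
subject=CN = mail.example.test
issuer=C = US, O = Example CA, CN = Example CA
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 0 (ok)
"""

# OpenSSL X509 verify result codes for the two self-signed conditions.
SELF_SIGNED_CODES = {18: "self-signed leaf", 19: "self-signed certificate in chain"}


def parse_sclient(text):
    """Pull subject, issuer, protocol, cipher and verify code out of s_client output."""
    info = {"subject": None, "issuer": None, "protocol": None, "cipher": None,
            "verify_code": None, "verify_msg": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("subject="):
            info["subject"] = line[len("subject="):].strip()
        elif line.startswith("issuer="):
            info["issuer"] = line[len("issuer="):].strip()
        else:
            m = re.match(r"New, (TLSv[\d.]+), Cipher is (\S+)", line)
            if m:
                info["protocol"], info["cipher"] = m.group(1), m.group(2)
                continue
            # Non-greedy so a trailing annotation like "<--- !!!!!" is ignored.
            m = re.match(r"Verify return code: (\d+) \((.*?)\)", line)
            if m:
                info["verify_code"] = int(m.group(1))
                info["verify_msg"] = m.group(2)
    return info


def assess(info):
    """Return a list of findings; an empty list means the chain verified cleanly."""
    findings = []
    code = info["verify_code"]
    if code is None:
        # Only "CONNECTED(...)" and nothing else, as in the port-443 attempt above.
        findings.append("no 'Verify return code' line: handshake probably did not complete")
    elif code in SELF_SIGNED_CODES:
        findings.append(f"verify code {code}: {SELF_SIGNED_CODES[code]}")
    elif code != 0:
        findings.append(f"verify code {code}: {info['verify_msg']}")
    # Independent of the verify code: a leaf whose issuer equals its subject is self-signed.
    if info["subject"] and info["subject"] == info["issuer"]:
        findings.append("leaf certificate subject equals issuer (self-signed)")
    return findings


def normalize_host(name):
    """Canonical form for DNS names: lower-case, no trailing dot or whitespace."""
    return name.strip().rstrip(".").lower()


def mx_points_at_vsite(mx_target, vsite_fqdn):
    """Hypothetical helper for the thread's rule: the MX target must be the Vsite FQDN."""
    return normalize_host(mx_target) == normalize_host(vsite_fqdn)


if __name__ == "__main__":
    for label, sample in (("self-signed", SAMPLE_SELF_SIGNED), ("clean", SAMPLE_OK)):
        print(label, assess(parse_sclient(sample)) or "OK")
    print("MX ceelie.info -> Vsite www.ceelie.info:",
          mx_points_at_vsite("ceelie.info.", "www.ceelie.info"))
```

In live use, feed it the captured output of `openssl s_client -starttls smtp -connect <host>:25 </dev/null` (or port 587); on an SNI host add `-servername <host>` so the server picks the Vsite certificate rather than the first one in its chain.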