[BlueOnyx:26511] Re: Strange SSL error

2023-09-23 Thread Rodrigo OrdoƱez Licona via Blueonyx
Hi,

We are still having this problem on a newly yummed 5211. The server offers the
BX.Host certificate instead of the domain's when using
Outlook with POPS and SMTPS.

Certificate is letsencrypt.

Do I have to install a specific package to receive the correction? The
domain only has 1 alias.

Regards

Rodrigo o
Xnet

-Original Message-
From: Blueonyx  On behalf of Michael
Stauber via Blueonyx
Sent: Monday, 18 September 2023 06:09 p.m.
To: Colin Jack ; BlueOnyx General Mailing List

Subject: [BlueOnyx:26486] Re: Strange SSL error

Hi Colin,

> Unfortunately that hasn't fixed it.
> I set up a test and still get a problem.
> 
> The vsite in question has the main host FQDN with 3 aliases:
> 
> So vsite is for example mail.domain.com Also aliases smtp.domain.com, 
> pop.domain.com
> 
> If the email client settings use incoming server as mail.domain.com all
> works fine.
> If the email client uses either of the aliases it fails - returning
> the BX host cert. :-/

Indeed. I just replicated that setup on a test box and did some testing. 
The revised code from last weekend indeed wasn't catching all "DNS:" 
entries from the parsed SSL cert. If that line had three entries, it caught
the first and last entry and ignored the middle one.

I just published new base-email-* RPMs for BlueOnyx 5210R and 5211R which
fix this issue.

Please do another "yum clean all" and "yum update" to get these updates. 
That will then also automatically restart CCEd, which will then fix the SNI
cert configs for both Dovecot and Postfix.

Sorry about that.

--
With best regards

Michael Stauber

___
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx



[BlueOnyx:26510] Re: Strange SSL error

2023-09-23 Thread Michael Stauber via Blueonyx

Hi Rodrigo,

> We are still having this problem on a newly yummed 5211. The server offers the
> BX.Host certificate instead of the domain's when using
> Outlook with POPS and SMTPS.
>
> Certificate is letsencrypt.
>
> Do I have to install a specific package to receive the correction? The
> domain only has 1 alias.

No, this should already work fine. You could try to restart CCEd to 
force an update of the SSL configuration for Postfix and Dovecot, though:


/usr/sausalito/sbin/cced.init restart

You can also test the TLS connection against Postfix this way:

openssl s_client -starttls smtp -connect :587

Just replace  with the fully qualified domain name you want to test.

Example:

openssl s_client -starttls smtp -connect 5210r2.smd.net:587

That is a Vsite on a 5210R with an LE cert. In the output the relevant 
lines are this:


mstauber@beast:~$ openssl s_client -starttls smtp -connect 
5210r2.smd.net:587

CONNECTED(0003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = 5210r2.smd.net 
verify return:1
---
Certificate chain
 0 s:CN = 5210r2.smd.net
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep 10 07:50:50 2023 GMT; NotAfter: Dec  9 07:50:49 
2023 GMT

 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 
2025 GMT

 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 
2024 GMT

---

Above it shows the name of the certificate that answered:

depth=0 CN = 5210r2.smd.net

Further below in the output, below the raw certificate, you can see 
something like this:


-----END CERTIFICATE-----
subject=CN = 5210r2.smd.net
issuer=C = US, O = Let's Encrypt, CN = R3

That also (again) tells us which domain the cert is valid for and the 
issuer.


Try it with the FQDN of the Vsite that is not working and see if the 
cert validity that shows up is for the Vsite or for the server.


--
With best regards

Michael Stauber

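The "DNS:" parsing slip Michael describes in his earlier reply (three SAN entries, only the first and last caught) and the s_client check above both come down to one question: does the certificate the server presents cover the name the client sent as SNI? The following is an added example, not BlueOnyx code, that parses an `openssl x509 -noout -text` excerpt (constructed here), collects every SAN entry, and reports which Vsite aliases the certificate does not cover.

```python
import re

# Constructed `openssl x509 -noout -text` excerpt for a cert with three names,
# the setup from the thread (mail.domain.com plus the smtp and pop aliases).
CERT_TEXT = """\
Certificate:
    Data:
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Subject: CN = mail.domain.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:mail.domain.com, DNS:smtp.domain.com, DNS:pop.domain.com
"""

SAN_RE = re.compile(r"DNS:([A-Za-z0-9.*-]+)")

def cert_names_from_text(text):
    """Subject CN plus every SAN DNS entry, in order, without duplicates.
    findall() picks up all entries on the line, however many there are, so a
    middle alias cannot be skipped the way the thread describes."""
    names = []
    cn = re.search(r"^\s*Subject:.*?CN\s*=\s*([^,\n]+)", text, re.M)
    if cn:
        names.append(cn.group(1).strip().lower())
    lines = text.splitlines()
    for i, line in enumerate(lines[:-1]):
        if "Subject Alternative Name" in line:
            names.extend(n.lower() for n in SAN_RE.findall(lines[i + 1]))
    return list(dict.fromkeys(names))

def name_covered(sni_name, cert_names):
    """True if the name a client sends as SNI is covered by the certificate.
    Accepts exact matches and single-label wildcards (*.domain.com matches
    pop.domain.com but not a.pop.domain.com), as TLS clients do."""
    host = sni_name.lower().rstrip(".")
    for name in cert_names:
        if name.startswith("*."):
            _left, dot, rest = host.partition(".")
            if dot and rest == name[2:]:
                return True
        elif name == host:
            return True
    return False

def uncovered_aliases(aliases, cert_names):
    """Aliases configured for a Vsite that the current cert does not cover;
    each one needs adding under 'SSL domain aliases' before the next request."""
    return [a for a in aliases if not name_covered(a, cert_names)]
```

Feed it the text of `openssl s_client -starttls smtp -connect host:587 | openssl x509 -noout -text` for a failing alias and the uncovered list tells you whether the served cert or the alias list is the problem.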


[BlueOnyx:26509] Re: SSL error when receiving mail from GMAIL

2023-09-23 Thread Michael Stauber via Blueonyx

Hi Larry,


>    Hmmm, not sure this will ever work - and if it does work with
> Google it will break most other mail servers that try to talk to you.
> Port 25 is the original email port (sendmail) and is no auth, no SSL/TLS
> on purpose.  As defined by the IETF, port 465 is the SSL/TLS port for
> sendmail, and port 587 is the authenticated, with SSL/TLS port.
>
>    Notwithstanding that, your error is no acceptable cipher for you
> and gmail to agree upon.  Port 443 is web (http / Apache) and postfix
> is mail.  Is it possible that your email is not configured to use the
> keys you created??


In 5210R and 5211R the SSL certificates of Vsites are used for HTTPS in 
Apache and/or Nginx. But they are are also tied into Dovecot for POP3 
and IMAP as well as into Postfix.


This was also in large part the drive to switch newer BlueOnyx versions 
from Sendmail to Postfix, as Postfix supports SNI and Sendmail doesn't.


So if you run a BlueOnyx 5210R or 5211R, have it configured to use 
Postfix and have "Enable SMTPS Server" enabled, it will not only use the 
GUI's SSL certificate, but also the SSL certificates of all Vsites to 
answer TLS connections.


The SNI Email integration in BlueOnyx is explained here:

Postfix:
https://www.blueonyx.it/news/267/15/5210R-Postfix-SNI-for-email-and-Maildir/

Dovecot:
https://www.blueonyx.it/news/266/15/5209R5210R-SNI-support-added-to-Dovecot/

But yeah, in Arie's case there was something off. His SNI certificates 
didn't include validity for the requested domain and there also seems to 
have been a protocol/cipher mismatch.


--
With best regards

Michael Stauber


[BlueOnyx:26508] Re: SSL error when receiving mail from GMAIL

2023-09-23 Thread Larry Smith via Blueonyx
Ceelie,

  Hmmm, not sure this will ever work - and if it does work with
Google it will break most other mail servers that try to talk to you.
Port 25 is the original email port (sendmail) and is no auth, no SSL/TLS
on purpose.  As defined by the IETF, port 465 is the SSL/TLS port for 
sendmail, and port 587 is the authenticated, with SSL/TLS port.

  Notwithstanding that, your error is no acceptable cipher for you
and gmail to agree upon.  Port 443 is web (http / Apache) and postfix
is mail.  Is it possible that your email is not configured to use the
keys you created??

-- 
Larry Smith
lesm...@ecsis.net

On Sat September 23 2023 13:09, Ceelie, Arie (VodafoneZiggo) via Blueonyx 
wrote:
> Addressed this issue some time ago. I tried LetsEncrypt and it works
> flawless on port 443, but how do I set it for port 25?
>
> Error log:
>
> Sep 23 18:57:19 www postfix/smtpd[249156]: connect from mail-yw1-f175.google.com[209.85.128.175]
> Sep 23 18:57:19 www postfix/smtpd[249156]: TLS SNI ceelie.info from mail-yw1-f175.google.com[209.85.128.175] not matched, using default chain
> Sep 23 18:57:19 www postfix/smtpd[249156]: SSL_accept error from mail-yw1-f175.google.com[209.85.128.175]: -1
> Sep 23 18:57:19 www postfix/smtpd[249156]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:2285:
> Sep 23 18:57:19 www postfix/smtpd[249156]: lost connection after STARTTLS from mail-yw1-f175.google.com[209.85.128.175]
> Sep 23 18:57:19 www postfix/smtpd[249156]: disconnect from mail-yw1-f175.google.com[209.85.128.175] ehlo=1 starttls=0/1 commands=1/2


[BlueOnyx:26507] Re: SSL error when receiving mail from GMAIL

2023-09-23 Thread Michael Stauber via Blueonyx

Hi Arie,

> Addressed this issue some time ago. I tried LetsEncrypt and it works 
> flawless on port 443, but how do I set it for port 25?


Error log:

> Sep 23 18:57:19 www postfix/smtpd[249156]: connect from 
> mail-yw1-f175.google.com[209.85.128.175]
>
> Sep 23 18:57:19 www postfix/smtpd[249156]: TLS SNI ceelie.info from 
> mail-yw1-f175.google.com[209.85.128.175] not matched, using default chain


The Google mailserver established an SMTP TLS connection to 
"ceelie.info". This is not the name of your BlueOnyx itself, so if at 
all, then Postfix would serve the TLS request using the SNI certificates 
that may (or may not) exist for your server.


For starters: Check /etc/postfix/vsite_ssl.map to see if there is a line 
starting with "ceelie.info" in it. If not, then you may not have 
configured SSL correctly for that Vsite in question.


To troubleshoot this go to the Vsite of which "ceelie.info" is part of, 
click on "SSL", click on the button "Let's Encrypt" and see if 
"ceelie.info" is listed under "SSL domain aliases". It *should* be 
listed on the lefthand side of that table, in which case it will be 
included in the validity of the requested SSL certificate as a DNS Alias.


In your case "ceelie.info" wasn't a valid SSL SNI host, so no SSL 
certificate was served. In fact it seems that "ceelie.info" seems to use 
a self signed certificate at this time? If so, then yeah: That won't fly.


> Sep 23 18:57:19 www postfix/smtpd[249156]: SSL_accept error from 
> mail-yw1-f175.google.com[209.85.128.175]: -1
>
> Sep 23 18:57:19 www postfix/smtpd[249156]: warning: TLS library problem: 
> error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared 
> cipher:ssl/statem/statem_srvr.c:2285:


The SSL connection then failed, because of the missing certificate 
and/or incompatibility of shared protocols.


> Sep 23 18:57:19 www postfix/smtpd[249156]: lost connection after 
> STARTTLS from mail-yw1-f175.google.com[209.85.128.175]


And that's where Google hung up on you, ending the connection after 
having found no common grounds to establish a TLS connection.


To cover all the bases, do this: In the GUI of that Vsite check that 
"ceelie.info" is present as a "Web Server Alias" as well as an "Email 
Server Alias". Make sure you have DNS A Records and DNS MX Records for it.


Then as mentioned: Under SSL management of that Vsite under "Let's 
Encrypt" include all "SSL domain aliases" you want active in the 
Certificate request and request a new SSL certificate.


That will then create a new SSL certificate and it will be integrated 
into the SNI configuration of Dovecot and Postfix.


--
With best regards

Michael Stauber
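The walk through Arie's log above reads one connection by hand. To triage the same failure across a whole log, here is an added example (not part of the thread or of BlueOnyx) that groups Postfix smtpd lines per session, flags SNI names that fell back to the default chain, separates sessions where the handshake then failed from those where the client accepted the default chain, and cross-checks each name against the first column of /etc/postfix/vsite_ssl.map. The log lines and map contents are constructed, and the map format (hostname first, whitespace-separated) is an assumption.

```python
import re

# Constructed sample modelled on the smtpd log quoted in the thread; the second
# session is invented: SNI not matched, but the client accepted the default chain.
LOG = """\
Sep 23 18:57:19 www postfix/smtpd[249156]: connect from mail-yw1-f175.google.com[209.85.128.175]
Sep 23 18:57:19 www postfix/smtpd[249156]: TLS SNI ceelie.info from mail-yw1-f175.google.com[209.85.128.175] not matched, using default chain
Sep 23 18:57:19 www postfix/smtpd[249156]: SSL_accept error from mail-yw1-f175.google.com[209.85.128.175]: -1
Sep 23 18:57:19 www postfix/smtpd[249156]: disconnect from mail-yw1-f175.google.com[209.85.128.175] ehlo=1 starttls=0/1 commands=1/2
Sep 23 19:01:02 www postfix/smtpd[249201]: connect from mx.example.org[192.0.2.10]
Sep 23 19:01:02 www postfix/smtpd[249201]: TLS SNI mail.example.net from mx.example.org[192.0.2.10] not matched, using default chain
Sep 23 19:01:03 www postfix/smtpd[249201]: disconnect from mx.example.org[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""
# Constructed /etc/postfix/vsite_ssl.map content; format assumed: hostname first.
SSL_MAP = "www.example.net /etc/postfix/ssl/www.example.net.pem\n"

LINE_RE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
SNI_RE = re.compile(r"^TLS SNI (\S+) from \S+ not matched")
DISC_RE = re.compile(r"^disconnect from \S+ .*\bstarttls=(\d+)")

def parse_sessions(log_text):
    """Group smtpd lines into sessions. A session starts at 'connect from' and is
    keyed by PID, because one smtpd process serves many connections in turn."""
    open_by_pid, sessions = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        if msg.startswith("connect from "):
            s = {"client": msg[13:], "sni": None, "ssl_error": False, "starttls_ok": None}
            open_by_pid[pid] = s
            sessions.append(s)
        elif pid in open_by_pid:
            s = open_by_pid[pid]
            if (sm := SNI_RE.match(msg)):
                s["sni"] = sm.group(1).lower()
            elif msg.startswith("SSL_accept error"):
                s["ssl_error"] = True
            elif (dm := DISC_RE.match(msg)):
                s["starttls_ok"] = int(dm.group(1)) > 0  # "0/1": 0 ok of 1 tried
    return sessions

def triage(log_text, map_text):
    """One finding per session whose SNI name fell back to the default chain:
    is the name in the SNI map at all, and did the handshake then fail?"""
    hosts = {ln.split()[0].lower() for ln in map_text.splitlines() if ln.strip()}
    return [{"sni": s["sni"], "client": s["client"], "in_sni_map": s["sni"] in hosts,
             "handshake_failed": s["ssl_error"] or s["starttls_ok"] is False}
            for s in parse_sessions(log_text) if s["sni"]]
```

A name that is not in the map and whose sessions fail is a Vsite alias missing from its Let's Encrypt request; a name not in the map whose sessions still succeed is a sender that tolerates the default chain, which is still worth fixing but is not losing mail yet.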


[BlueOnyx:26506] Re: [EXTERNAL] Re: Error when deleting VSite

2023-09-23 Thread Ceelie, Arie (VodafoneZiggo) via Blueonyx
One down, one to go: the SSL issue when sending mail from GMAIL to my 
server.



> Like I suspected: SQL error. But this also reminds me to change that
> handler to soft-fail and still allow Vsite deletion. Even if it
> potentially leaves the SQL user and DBs around.





[BlueOnyx:26505] SSL error when receiving mail from GMAIL

2023-09-23 Thread Ceelie, Arie (VodafoneZiggo) via Blueonyx
Addressed this issue some time ago. I tried LetsEncrypt and it works flawless 
on port 443, but how do I set it for port 25?

Error log:

Sep 23 18:57:19 www postfix/smtpd[249156]: connect from 
mail-yw1-f175.google.com[209.85.128.175]
Sep 23 18:57:19 www postfix/smtpd[249156]: TLS SNI ceelie.info from 
mail-yw1-f175.google.com[209.85.128.175] not matched, using default chain
Sep 23 18:57:19 www postfix/smtpd[249156]: SSL_accept error from 
mail-yw1-f175.google.com[209.85.128.175]: -1
Sep 23 18:57:19 www postfix/smtpd[249156]: warning: TLS library problem: 
error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared 
cipher:ssl/statem/statem_srvr.c:2285:
Sep 23 18:57:19 www postfix/smtpd[249156]: lost connection after STARTTLS from 
mail-yw1-f175.google.com[209.85.128.175]
Sep 23 18:57:19 www postfix/smtpd[249156]: disconnect from 
mail-yw1-f175.google.com[209.85.128.175] ehlo=1 starttls=0/1 commands=1/2





[BlueOnyx:26504] Re: [EXTERNAL] Re: Error when deleting VSite

2023-09-23 Thread Michael Stauber via Blueonyx

Hi Arie,


> Found the solution in
> https://www.mail-archive.com/blueonyx@mail.blueonyx.it/msg17128.html 



Like I suspected: SQL error. But this also reminds me to change that 
handler to soft-fail and still allow Vsite deletion. Even if it 
potentially leaves the SQL user and DBs around.


--
With best regards

Michael Stauber


[BlueOnyx:26503] Re: [EXTERNAL] Re: Error when deleting VSite

2023-09-23 Thread Ceelie, Arie (VodafoneZiggo) via Blueonyx
Found the solution in
https://www.mail-archive.com/blueonyx@mail.blueonyx.it/msg17128.html

Thanx, all!





From: Ceelie, Arie (VodafoneZiggo) 
Sent: Saturday, 23 September 2023 16:06
To: BlueOnyx General Mailing List 
Subject: Re: [EXTERNAL] [BlueOnyx:26499] Re: Error when deleting VSite

P.S.


when trying to delete in the GUI, /var/log/messages shows this:

Sep 23 16:02:12 www cced(smd)[128308]: client [0:128283] has admin rights
Sep 23 16:02:12 www cced(smd)[128308]: client 9:[0:128283]: DESTROY  60
Sep 23 16:02:12 www cced(smd)[128308]: -- handler returned 1
Sep 23 16:02:12 www cced(smd)[128308]: handler handlers/Compass/webapps/vsite_userdel.pl failed
Sep 23 16:02:12 www cced(smd)[128308]: client 9:[0:128283]: DESTROY failed


/var/log/messages says
Sep 23 13:43:39 www cced(smd)[75627]: client [0:75614] has admin rights
Sep 23 13:43:39 www cced(smd)[75627]: client 0:[0:75614]: AUTHKEY to user "" failed
Sep 23 13:43:39 www cced(smd)[75627]: client 0:[0:75614]: DESTROY  60
Sep 23 13:43:39 www cced(smd)[75627]: -- handler returned 1
Sep 23 13:43:39 www cced(smd)[75627]: handler handlers/Compass/webapps/vsite_userdel.pl failed
Sep 23 13:43:39 www cced(smd)[75627]: client 0:[0:75614]: DESTROY failed

Any suggestions?

Thanks,

Arie



[BlueOnyx:26502] Re: [EXTERNAL] Re: Error when deleting VSite

2023-09-23 Thread Ceelie, Arie (VodafoneZiggo) via Blueonyx
P.S.


when trying to delete in the GUI, /var/log/messages shows this:

Sep 23 16:02:12 www cced(smd)[128308]: client [0:128283] has admin rights
Sep 23 16:02:12 www cced(smd)[128308]: client 9:[0:128283]: DESTROY  60
Sep 23 16:02:12 www cced(smd)[128308]: -- handler returned 1
Sep 23 16:02:12 www cced(smd)[128308]: handler handlers/Compass/webapps/vsite_userdel.pl failed
Sep 23 16:02:12 www cced(smd)[128308]: client 9:[0:128283]: DESTROY failed


/var/log/messages says
Sep 23 13:43:39 www cced(smd)[75627]: client [0:75614] has admin rights
Sep 23 13:43:39 www cced(smd)[75627]: client 0:[0:75614]: AUTHKEY to user "" failed
Sep 23 13:43:39 www cced(smd)[75627]: client 0:[0:75614]: DESTROY  60
Sep 23 13:43:39 www cced(smd)[75627]: -- handler returned 1
Sep 23 13:43:39 www cced(smd)[75627]: handler handlers/Compass/webapps/vsite_userdel.pl failed
Sep 23 13:43:39 www cced(smd)[75627]: client 0:[0:75614]: DESTROY failed

Any suggestions?

Thanks,

Arie





[BlueOnyx:26501] Re: [EXTERNAL] Re: Error when deleting VSite

2023-09-23 Thread Ceelie, Arie (VodafoneZiggo) via Blueonyx
Hi Michael,

Tried that. Site and group site1 still exist. /var/log/messages says
Sep 23 13:43:39 www cced(smd)[75627]: client [0:75614] has admin rights
Sep 23 13:43:39 www cced(smd)[75627]: client 0:[0:75614]: AUTHKEY to user "" failed
Sep 23 13:43:39 www cced(smd)[75627]: client 0:[0:75614]: DESTROY  60
Sep 23 13:43:39 www cced(smd)[75627]: -- handler returned 1
Sep 23 13:43:39 www cced(smd)[75627]: handler handlers/Compass/webapps/vsite_userdel.pl failed
Sep 23 13:43:39 www cced(smd)[75627]: client 0:[0:75614]: DESTROY failed

Any suggestions?

Thanks,

Arie




> Identify the group name of the Vsite. It's something like "site22". Then
> run this command:
>
> /usr/sausalito/sbin/vsite_destroy.pl site22
>
> That will delete Vsite "site22" and all data related to it - including
> Users, DNS, SQL databases, Aliases and so on.


