Re: letsencrypt and SSL alert number 80

2022-12-12 Thread Viktor Dukhovni
On Mon, Dec 12, 2022 at 01:27:59PM -0500, Alex wrote:

> Dec 12 13:12:47 xavier postfix-116/smtpd[1683671]: warning: TLS library
> problem: error:0A000438:SSL routines::tlsv1 alert internal
> error:ssl/record/rec_layer_s3.c:1584:SSL alert number 80:

Some remote client encountered an internal (to it) error and decided to
politely abandon the TLS handshake by announcing this fact, rather than
just drop the connection.  Newsflash: something's broken on the Internet!
No, wait, perhaps that's not news...

> smtp_tls_cert_file=/etc/letsencrypt/fullchain.pem
> smtp_tls_key_file=/etc/letsencrypt/privkey.pem

You probably don't need these.

> smtp_tls_exclude_ciphers   = MD5, RC4, 3DES, IDEA, SEED, aNULL
> smtpd_tls_exclude_ciphers   = MD5, RC4, 3DES, IDEA, SEED, aNULL

And don't need to exclude aNULL for either the server or the client.

> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_tls_session_cache

And don't need this either, because session tickets work better.

-- 
Viktor.
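An added example, not part of either post in this thread, that decodes the warning the way Viktor reads it. Postfix logs OpenSSL's error string; in OpenSSL 3 the hex code packs `library << 23 | reason`, the SSL library is 20, and an alert read off the wire is reported with reason `1000 + alert number` (`SSL_AD_REASON_OFFSET`), which is how `0A000438` and "SSL alert number 80" both name the same `internal_error`. The record layer appends the "SSL alert number" suffix only for alerts it received, so a matching line is always the remote side announcing why it gave up. The log lines below are constructed from the pattern of the reporter's line, with made-up PIDs and timestamps; the alert table is the RFC 5246/8446 AlertDescription registry.

```python
import re
from collections import Counter
from typing import Optional, Tuple

# TLS AlertDescription values (RFC 5246 section 7.2, RFC 8446 section 6).
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    60: "export_restriction", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 86: "inappropriate_fallback", 90: "user_canceled",
    100: "no_renegotiation", 109: "missing_extension", 110: "unsupported_extension",
    112: "unrecognized_name", 113: "bad_certificate_status_response",
    115: "unknown_psk_identity", 116: "certificate_required",
    120: "no_application_protocol",
}

# OpenSSL 3 error code layout: (library << 23) | reason.  ERR_LIB_SSL is 20 and a
# received alert is reported as reason SSL_AD_REASON_OFFSET (1000) + alert number,
# so 0x0A000438 decodes to lib 20, reason 1080, i.e. alert 80.
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000

# Postfix "TLS library problem" warning carrying the record layer's
# "SSL alert number N" suffix, which OpenSSL adds only for alerts read off the wire.
TLS_WARNING_RE = re.compile(
    r"postfix(?:-\w+)?/(?P<daemon>smtpd?)\[(?P<pid>\d+)\]: warning: TLS library problem: "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason_text>[^:]*):"
    r"(?P<file>[^:]*):(?P<line>\d+):SSL alert number (?P<alert>\d+):"
)


def decode_openssl_code(code_hex: str) -> Tuple[int, int]:
    """Split an OpenSSL 3 packed error code into (library, reason)."""
    code = int(code_hex, 16)
    return (code >> 23) & 0xFF, code & 0x7FFFFF


def parse_tls_warning(line: str) -> Optional[dict]:
    """Decode one Postfix TLS warning; None if the line is not a received-alert warning."""
    m = TLS_WARNING_RE.search(line)
    if not m:
        return None
    lib, reason = decode_openssl_code(m["code"])
    alert = int(m["alert"])
    return {
        "daemon": m["daemon"],
        "pid": int(m["pid"]),
        "code": m["code"].upper(),
        "lib": lib,
        "reason": reason,
        "alert": alert,
        "alert_name": TLS_ALERTS.get(alert, f"unknown_{alert}"),
        "reason_text": m["reason_text"],
        # Cross-check: the hex code must encode the same alert the suffix names.
        "code_matches_alert": lib == ERR_LIB_SSL and reason == SSL_AD_REASON_OFFSET + alert,
        # smtpd is our server side, so the alert came from a remote client;
        # smtp is our client side, so it came from a remote server.
        "sent_by": "remote client" if m["daemon"] == "smtpd" else "remote server",
    }


def summarize(lines) -> Counter:
    """Count received alerts by name across a batch of log lines."""
    counts = Counter()
    for line in lines:
        rec = parse_tls_warning(line)
        if rec:
            counts[rec["alert_name"]] += 1
    return counts


# Constructed sample log, modelled on the line quoted in the thread (PIDs/times invented).
SAMPLE_LOG = [
    "Dec 12 13:12:47 xavier postfix-116/smtpd[1683671]: warning: TLS library problem: "
    "error:0A000438:SSL routines::tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1584:SSL alert number 80:",
    "Dec 12 13:40:02 xavier postfix-116/smtpd[1683990]: warning: TLS library problem: "
    "error:0A000410:SSL routines::sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1584:SSL alert number 40:",
    "Dec 12 14:05:11 xavier postfix-116/smtp[1684201]: warning: TLS library problem: "
    "error:0A00042E:SSL routines::tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1584:SSL alert number 70:",
    "Dec 12 14:07:33 xavier postfix-116/smtpd[1684250]: warning: TLS library problem: "
    "error:0A000438:SSL routines::tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1584:SSL alert number 80:",
    "Dec 12 14:08:00 xavier postfix-116/smtpd[1684250]: connect from unknown[192.0.2.10]",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_tls_warning(line)
        if rec:
            print(f"{rec['daemon']}[{rec['pid']}]: alert {rec['alert']} ({rec['alert_name']}) "
                  f"sent by {rec['sent_by']}; code {rec['code']} consistent: {rec['code_matches_alert']}")
    print(dict(summarize(SAMPLE_LOG)))
```

Run against a real maillog, a single `internal_error` is noise from one broken peer; a steady stream of `handshake_failure` or `protocol_version` from many clients is the pattern that would actually point back at the local cipher or protocol settings.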


Re: letsencrypt and SSL alert number 80

2022-12-12 Thread Gerald Galster
> I'm seeing periodic entries like this in my maillog:
> 
> Dec 12 13:12:47 xavier postfix-116/smtpd[1683671]: warning: TLS library 
> problem: error:0A000438:SSL routines::tlsv1 alert internal 
> error:ssl/record/rec_layer_s3.c:1584:SSL alert number 80:

[...]

> smtp_tls_cert_file=/etc/letsencrypt/fullchain.pem
> smtp_tls_key_file=/etc/letsencrypt/privkey.pem

usually there is no need for client certificates when sending emails.

> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtp_tls_exclude_ciphers   = MD5, RC4, 3DES, IDEA, SEED, aNULL
> smtpd_tls_security_level = may
> smtpd_tls_exclude_ciphers   = MD5, RC4, 3DES, IDEA, SEED, aNULL
> tls_preempt_cipherlist  = yes
> smtpd_tls_mandatory_ciphers = high
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/letsencrypt/fullchain.pem
> smtpd_tls_key_file = /etc/letsencrypt/privkey.pem

Are you sure cert/key_file path is correct?

Those filenames look like they are generated by certbot, which places files
(softlinks) in
/etc/letsencrypt/live//{fullchain.pem,privkey.pem,...},
not in /etc/letsencrypt/{fullchain.pem,...} on my server.

Did you check if the certificate is valid?
openssl x509 -text < /etc/letsencrypt/cert.pem
openssl x509 -text < /etc/letsencrypt/live//cert.pem

// cert.pem contains your public certificate only, whereas fullchain.pem
// additionally contains letsencrypt's intermediate certificate.
// For verification try cert.pem; for smtpd_tls_cert_file use fullchain.pem.

Best regards
Gerald