Problem with SSL configuration

Hello,

I have a problem with the SSL configuration.

My certificate is already installed and valid. It is the same one that is installed on my server for my website, so I can guarantee that it is working correctly:

I chose the certificate on port 465:

But at the time of doing an email sending test I am not getting it.
The following logs appear:

2020-08-21 17:21:25 +0200 16 vps159681 SMTP-IN:00000000: << SSL: client hello, remote 151.80.130.233:59115, version TLS 1.3 (0304)
2020-08-21 17:21:25 +0200 16 vps159681 SMTP-IN:00000000: << SSL: client hello, remote 151.80.130.233:59115, session id 0df873a7f439f18032afb7c9e22a6efa4d91586d08309754077148c40897d063
2020-08-21 17:21:25 +0200 16 vps159681 SMTP-IN:00000000: << SSL: client hello, remote 151.80.130.233:59115, 75 cipher suites: 130213031301c02fc02bc030c02c009e00a200a3009fc027c023c013c009c028c024c014c00a006700330040006b00380039009c009dc0aec0acc0a2c09e0032c0a0c09c003c002fc0afc0adc0a3c09f006ac0a1c09d003d0035cca9cca8ccaac05dc061c057c053c05cc060c056c052c073c07700c400c3c072c07600be00bd0088008700450044c051c05000c000ba0084004100ff
2020-08-21 17:21:25 +0200 16 vps159681 SMTP-IN:00000000: << SSL: client hello, remote 151.80.130.233:59115, sni extension for mail.ninjascalper.net
2020-08-21 17:21:25 +0200 16 vps159681 SMTP-IN:00000000: >> SSL: server hello, remote 151.80.130.233:59115, version TLS 1.2 (0303)
2020-08-21 17:21:25 +0200 16 vps159681 SMTP-IN:00000000: >> SSL: server hello, remote 151.80.130.233:59115, cipher suite c02f
2020-08-21 17:21:25 +0200 16 vps159681 SMTP-IN:00000000: >> SSL: server write cert, remote 151.80.130.233:59115, version TLS 1.2 (0303)
2020-08-21 17:21:25 +0200 16 vps159681 SMTP-IN:00000000: >> SSL: server write cert, remote 151.80.130.233:59115, certificate 1: serial 60B32F8AFC1AADE55A80C5CC3A1A2D841599E5C5
2020-08-21 17:21:25 +0200 16 vps159681 SMTP-IN:00000000: >> SSL: server write cert, remote 151.80.130.233:59115, certificate 2: serial 0FEACE49D4C67C67
2020-08-21 17:21:27 +0200 02 vps159681 SMTP-IN:00000000: SSL alert remote 151.80.130.233:59115, undefined:fatal:certificate unknown
2020-08-21 17:21:27 +0200 02 vps159681 SERVER:00000000: SSL_accept error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
2020-08-21 17:21:39 +0200 08 vps159681 WEBADMIN:00009A04: previous line is repeated 4294967295 time.
2020-08-21 17:21:39 +0200 08 vps159681 WEBADMIN:00009A02: Session 0x93F0F5B7 associated with this connection

Am I doing something wrong? Is there a configuration missing?

Thanks
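
One way to read the server-side log above, as an added example that is not part of the original post: it groups the SSL trace lines by remote peer and reports handshakes where a fatal alert followed the server's certificate. The function name `rejected_handshakes` and the trimmed sample are constructed for illustration; an alert read by `ssl3_read_bytes` is one the remote client sent, so it is the client rejecting the chain.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the log lines posted above.
SAMPLE_LOG = """\
2020-08-21 17:21:25 +0200 16 vps159681 SMTP-IN:00000000: << SSL: client hello, remote 151.80.130.233:59115, version TLS 1.3 (0304)
2020-08-21 17:21:25 +0200 16 vps159681 SMTP-IN:00000000: >> SSL: server hello, remote 151.80.130.233:59115, version TLS 1.2 (0303)
2020-08-21 17:21:25 +0200 16 vps159681 SMTP-IN:00000000: >> SSL: server write cert, remote 151.80.130.233:59115, certificate 1: serial 60B32F8AFC1AADE55A80C5CC3A1A2D841599E5C5
2020-08-21 17:21:25 +0200 16 vps159681 SMTP-IN:00000000: >> SSL: server write cert, remote 151.80.130.233:59115, certificate 2: serial 0FEACE49D4C67C67
2020-08-21 17:21:27 +0200 02 vps159681 SMTP-IN:00000000: SSL alert remote 151.80.130.233:59115, undefined:fatal:certificate unknown
"""

REMOTE = re.compile(r"remote (\d+\.\d+\.\d+\.\d+:\d+)")
SERIAL = re.compile(r"certificate \d+: serial ([0-9A-Fa-f]+)")
SERVER_VERSION = re.compile(r"server hello, remote \S+ version (TLS [\d.]+)")
ALERT = re.compile(r"SSL alert remote [^,]+, \w+:(\w+):(.+)$")


def rejected_handshakes(log_text):
    """Return {peer: details} for handshakes the remote side aborted
    with a fatal alert after the server had written its certificate."""
    sessions = defaultdict(lambda: {"version": None, "serials": [], "alert": None})
    for line in log_text.splitlines():
        peer = REMOTE.search(line)
        if not peer:
            continue
        entry = sessions[peer.group(1)]
        if (m := SERIAL.search(line)):
            entry["serials"].append(m.group(1))       # chain in the order sent
        elif (m := SERVER_VERSION.search(line)):
            entry["version"] = m.group(1)             # version the server chose
        elif (m := ALERT.search(line)):
            entry["alert"] = (m.group(1), m.group(2).strip())
    return {
        peer: entry
        for peer, entry in sessions.items()
        if entry["alert"] and entry["alert"][0] == "fatal" and entry["serials"]
    }


if __name__ == "__main__":
    for peer, info in rejected_handshakes(SAMPLE_LOG).items():
        print(peer, info["version"], info["alert"][1], info["serials"])
```

The serials it reports identify which installed certificate the listener actually served, which can be compared against the certificate selected for port 465.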

Hello,

This is what is seen on your SMTP listener on port 465 >> ssl-checker

And this is what is reported by openssl client (see below).

Should there be anything else?

HTH,
Ioan

$ openssl s_client -connect mail.ninjascalper.net:465 -crlf
CONNECTED(00000004)
depth=1 C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
verify return:1
depth=0 O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
verify return:1
---
Certificate chain
 0 s:O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
   i:C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
 1 s:C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
   i:C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
---
Server certificate
subject=O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate

issuer=C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2892 bytes and written 426 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: E465C55FEC084432F6C8E7DCC5A471D58CFC3E0581CAD3F891B72E6BE7058E58
    Session-ID-ctx:
    Master-Key: D768A77AECA984F7C78527B84368884A0F6C82EA9F4C20A1A83F3DD778947A0252749625FA320A5F65BACC6FF1101397
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1598036577
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: yes
---
220 vps159681 Axigen ESMTP ready
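
A small parser for the `openssl s_client` output above, as an added example that is not part of the original reply: it reads the "Certificate chain" section and the verify return code and reports whether the server sent a self-issued root that the client does not trust (verify code 19). The names `parse_chain` and `diagnose` and the trimmed sample are constructed for illustration.

```python
import re

# Constructed sample: the chain and verify lines from the output above.
SAMPLE_S_CLIENT = """\
Certificate chain
 0 s:O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
   i:C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
 1 s:C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
   i:C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
---
    Verify return code: 19 (self signed certificate in certificate chain)
"""


def parse_chain(output):
    """Collect the subject/issuer pairs s_client prints for each chain entry."""
    chain = []
    for line in output.splitlines():
        if (m := re.match(r"\s*(\d+) s:(.*)$", line)):
            chain.append({"depth": int(m.group(1)),
                          "subject": m.group(2).strip(), "issuer": None})
        elif (m := re.match(r"\s+i:(.*)$", line)) and chain:
            chain[-1]["issuer"] = m.group(1).strip()
    return chain


def diagnose(output):
    chain = parse_chain(output)
    m = re.search(r"Verify return code: (\d+) \((.*?)\)", output)
    code = int(m.group(1)) if m else None
    # Each certificate should be issued by the next one in the list.
    linked = all(chain[i]["issuer"] == chain[i + 1]["subject"]
                 for i in range(len(chain) - 1))
    top = chain[-1] if chain else None
    root_sent = bool(top and top["subject"] == top["issuer"])
    # Code 19: the chain builds up to a self-signed root, but that root
    # is not in the verifying client's trust store.
    untrusted_root = top["subject"] if (code == 19 and root_sent) else None
    return {"verify_code": code, "chain_linked": linked,
            "root_sent_by_server": root_sent, "untrusted_root": untrusted_root}


if __name__ == "__main__":
    print(diagnose(SAMPLE_S_CLIENT))
```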

From what I researched here, there is no way for axigen to use this certificate.
Cloudflare does not allow proxy for MX record but requires proxy for SSL, as it has to go through its servers to be trusted.
So in this case I would have to use another certificate.
I tried to do the creation via LetsEncrypt, but it stays on this screen loading forever.

Logs:
2020-08-22 03:17:09 +0200 08 vps159681 WEBADMIN:00009C66: Let’s Encrypt: Issuance Job added successfully
2020-08-22 03:17:09 +0200 08 vps159681 WEBADMIN:00009C66: LetsE: Found current request
2020-08-22 03:17:10 +0200 08 vps159681 JOBLOG:70000031: LetsE: Acme job executing
2020-08-22 03:17:10 +0200 08 vps159681 JOBLOG:70000031: LetsE: Found current request
2020-08-22 03:17:10 +0200 08 vps159681 JOBLOG:70000031: LetsE: AcmeInitState for ninjascalper.net executing
2020-08-22 03:17:10 +0200 08 vps159681 WEBADMIN:00009C66: LetsE: Found current request
2020-08-22 03:17:10 +0200 02 vps159681 JOBLOG:70000031: HTTP-Client: Error performing request in connection to https://acme-v02.api.letsencrypt.org:443/directory:SSL peer certificate or SSH remote key was not OK
2020-08-22 03:17:10 +0200 02 vps159681 JOBLOG:70000031: LetsE: connection error on GET when populating acme link directory
2020-08-22 03:17:10 +0200 02 vps159681 JOBLOG:70000031: LetsE: Job step action => Connection-related error, re-attempting after 15 seconds

Hello,

I managed to solve the problem by generating the letsencrypt certificate outside the axigen and then importing into it (https://www.sslshopper.com/ssl-checker.html#hostname=mail.ninjascalper.net:465).
Now I can send and receive emails with SSL normally.

The problem is that it is going to the spam box.

Is there any way to resolve this? It is already certified, dmarc and spf configured.

Hello,

Besides setting the SPF, are you signing your messages (details here)?

HTH,
Ioan

I believe that only this is missing.

About this first command: “cd/var/opt/axigen …”

In my case I am using Windows Server. Should the path be the axigen folder (C:\Axigen Mail Server)?