Notification via own mail server - TLS library problem

bamf · February 1, 2023, 1:20pm

Hi,

I have set up a local mail server with Power Mail-in-a-Box. Sending mails via other applications works.

But when I setup my server in the ReForis notification settings, it throws an error:

Feb 01 14:05:06 mail postfix/submission/smtpd[270373]: SSL_accept error from mox.home.arpa[192.168.100.18]: -1
Feb 01 14:05:06 mail postfix/submission/smtpd[270373]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:../ssl/record/rec_layer_s3.c:308:
Feb 01 14:05:06 mail postfix/submission/smtpd[270373]: lost connection after CONNECT from mox.home.arpa[192.168.100.18]
Feb 01 14:05:06 mail postfix/submission/smtpd[270373]: disconnect from mox.home.arpa[192.168.100.18] commands=0/0

Any ideas why this happens?

milkandhoney · February 1, 2023, 9:26pm

What does your cat /etc/config/user_notify say?

But don’t show us your SMTP password here.

bamf · February 1, 2023, 9:48pm

config smtp 'smtp'
        option sender_name 'turris'
        option enable '1'
        option use_turris_smtp '0'
        option from 'admin@XXX.de'
        option server '192.168.100.160'
        option username 'admin@XXX.de'
        option password 'XXX'
        option port '465'
        option security 'ssl'
        list to 'XXX@posteo.de'

Also tried 465/STARTSSL, 587/SSL and 587/STARTTLS. I always get:

warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:../ssl/record/rec_layer_s3.c:308:

fantomas · February 2, 2023, 12:18pm

that looks like turris client did not accept your servers’ SSL certificate. Is that from known certificate authority?
Does it contain IP4:192.168.100.160 within SubjectAlternativeName?

bamf · February 2, 2023, 12:59pm

No, it does not. How to tell the Turris client to ignore SSL errors?

fantomas · February 3, 2023, 2:05pm

/usr/bin/notifier calls msmtp which supports option tls_certcheck

perhaps putting this line at the end of /etc/msmtprc would help:

tls_certcheck off

bamf · February 3, 2023, 2:20pm

This file seems to be a pure example file without any configuration:

root@mox:~# cat /etc/msmtprc
# Example for a system wide configuration file

# A system wide configuration file is optional.
# If it exists, it usually defines a default account.
# This allows msmtp to be used like /usr/sbin/sendmail.
account default

# The SMTP smarthost
host mail.oursite.example

# Use TLS on port 465
port 465
tls on
tls_starttls off

# Construct envelope-from addresses of the form "user@oursite.example"
from %U@oursite.example

# Syslog logging with facility LOG_MAIL instead of the default LOG_USER
syslog LOG_MAIL

Adding tls_certcheck off here does not fix the problem.

fantomas · February 4, 2023, 3:59pm

Sorry I see now: /usr/bin/notifier sets explicitly “tls_certcheck on” in functions get_turris_smtp_settings and get_user_server_settings

it’s possible to disable TLS in it tho, so if you can enable unauthenticated mail on your mailserver from router, you can disable tls and go without TLS and without authentication.

Big_boss · February 4, 2023, 4:21pm

Why not request a Lets Encrypt certificate? Instead of tinkering about the SSL not accepting it, grab a Lets Encrypt certificate, use a DNS server on your network to give them the right names and see if everything works at least. Then later on go and investigate if you want to disable the SSL certificates etc.

fantomas · February 4, 2023, 7:24pm

I’m sure nobody will issue certificatre for machine without DNS name.

Big_boss · February 4, 2023, 7:26pm

I love free stuff especially if it is GOOD quality :P. And yes i have a Lets Encrypt certificate with duckdns subdomeins included.