SSL/TLS Option Breaks My SMTP Notifications

ghostshell

Using http://www.checktls.com/ it seems to show the cert is validated and OK and was able to use TLS 1.2 successfully for the connection.

Master.cf

smtp      inet  n      -      n      -      -      smtpd -v

submission inet n      -      n      -      -      smtpd -v
  -o smtpd_tls_security_level=encrypt
#  -o smtpd_tls_security_level=may
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps    inet  n      -      n      -      -      smtpd -v
  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

Using 25 or 465 with no SSL/TLS or STARTTLS option checked works

NOYB

It doesn't matter what any thing else thinks of the cert.  pfSense has to trust it.

ghostshell

@NOYB:

It doesn't matter what any thing else thinks of the cert.  pfSense has to trust it.

Ok, then how will I know as the cert and postfix settings have not changed since my last alert email, i see nothing in the logs showing cert issues with pfsense 192.168.1.1

pfsense logs show this error over and over

php-fpm /system_advanced_notifications.php: Could not send the message to gmail.com – Error: could not start TLS connection encryption protocol

NOYB

The two places I know of for the CA to be located in pfSense are:

1. System / Certificate Manager / CAs
2. /usr/local/share/certs/ca-root-nss.crt

This is not to say there couldn't be some other location.  These are just the two I'm aware of.
I am also not sure in which of the locations it is required to be for notifications.  Mine is in both.  But I'm thinking it probably has to be in ca-root-nss.crt.

dennypage

Did you have to hand edit ca-root-nss.crt to add the CA?

@NOYB:

The two places I know of for the CA to be located in pfSense are:

1. System / Certificate Manager / CAs
2. /usr/local/share/certs/ca-root-nss.crt

This is not to say there couldn't be some other location.  These are just the two I'm aware of.
I am also not sure in which of the locations it is required to be for notifications.  Mine is in both.  But I'm thinking it probably has to be in ca-root-nss.crt.

NOYB

Yes, I just added it below all the other CA's and incremented the number of certificates.

Mine is a self signed, so I have to added it.  I wish PHP curl could use it from the one that is in config (System / Certificate Manager / CAs) so it would survive upgrades and I wouldn't have to remember to add it to the file.

Here are the results of notification test message with and without and with my CA added to the ca-root-nss.crt file.

Aug 2 23:47:48  php-fpm  42511  /system_advanced_notifications.php: Message sent to xxx@yyy.com OK  
Aug 2 23:47:06  php-fpm  11699  /system_advanced_notifications.php: Could not send the message to xxx@yyy.com -- Error: could not start TLS connection encryption protocol  

NOYB

According to a kdiff comparison it appears this certificate was present in 2.3 but is absent in 2.3.2.  If that is the CA for your cert then that would likely be why it quit working.

/usr/local/share/certs/ca-root-nss.crt

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 36 (0x24)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=FI, O=Sonera, CN=Sonera Class1 CA
        Validity
            Not Before: Apr  6 10:49:13 2001 GMT
            Not After : Apr  6 10:49:13 2021 GMT
        Subject: C=FI, O=Sonera, CN=Sonera Class1 CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b5:89:1f:2b:4f:67:0a:79:ff:c5:1e:f8:7f:3c:
                    ed:d1:7e:da:b0:cd:6d:2f:36:ac:34:c6:db:d9:64:
                    17:08:63:30:33:22:8a:4c:ee:8e:bb:0f:0d:42:55:
                    c9:9d:2e:a5:ef:f7:a7:8c:c3:ab:b9:97:cb:8e:ef:
                    3f:15:67:a8:82:72:63:53:0f:41:8c:7d:10:95:24:
                    a1:5a:a5:06:fa:92:57:9d:fa:a5:01:f2:75:e9:1f:
                    bc:56:26:52:4e:78:19:65:58:55:03:58:c0:14:ae:
                    8c:7c:55:5f:70:5b:77:23:06:36:97:f3:24:b5:9a:
                    46:95:e4:df:0d:0b:05:45:e5:d1:f2:1d:82:bb:c6:
                    13:e0:fe:aa:7a:fd:69:30:94:f3:d2:45:85:fc:f2:
                    32:5b:32:de:e8:6c:5d:1f:cb:a4:22:74:b0:80:8e:
                    5d:94:f7:06:00:4b:a9:d4:5e:2e:35:50:09:f3:80:
                    97:f4:0c:17:ae:39:d8:5f:cd:33:c1:1c:ca:89:c2:
                    22:f7:45:12:ed:5e:12:93:9d:63:ab:82:2e:b9:eb:
                    42:41:44:cb:4a:1a:00:82:0d:9e:f9:8b:57:3e:4c:
                    c7:17:ed:2c:8b:72:33:5f:72:7a:38:56:d5:e6:d9:
                    ae:05:1a:1d:75:45:b1:cb:a5:25:1c:12:57:36:fd:
                    22:37
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                47:E2:0C:8B:F6:53:88:52
            X509v3 Key Usage: 
                Certificate Sign, CRL Sign
    Signature Algorithm: sha1WithRSAEncryption
         8b:1a:b2:c9:5d:61:b4:e1:b9:2b:b9:53:d1:b2:85:9d:77:8e:
         16:ee:11:3d:db:c2:63:d9:5b:97:65:fb:12:67:d8:2a:5c:b6:
         ab:e5:5e:c3:b7:16:2f:c8:e8:ab:1d:8a:fd:ab:1a:7c:d5:5f:
         63:cf:dc:b0:dd:77:b9:a8:e6:d2:22:38:87:07:14:d9:ff:be:
         56:b5:fd:07:0e:3c:55:ca:16:cc:a7:a6:77:37:fb:db:5c:1f:
         4e:59:06:87:a3:03:43:f5:16:ab:b7:84:bd:4e:ef:9f:31:37:
         f0:46:f1:40:b6:d1:0c:a5:64:f8:63:5e:21:db:55:4e:4f:31:
         76:9c:10:61:8e:b6:53:3a:a3:11:be:af:6d:7c:1e:bd:ae:2d:
         e2:0c:69:c7:85:53:68:a2:61:ba:c5:3e:b4:79:54:78:9e:0a:
         c7:02:be:62:d1:11:82:4b:65:2f:91:5a:c2:a8:87:b1:56:68:
         94:79:f9:25:f7:c1:d5:ae:1a:b8:bb:3d:8f:a9:8a:38:15:f7:
         73:d0:5a:60:d1:80:b0:f0:dc:d5:50:cd:4e:ee:92:48:69:ed:
         b2:23:1e:30:cc:c8:94:c8:b6:f5:3b:86:7f:3f:a6:2e:9f:f6:
         3e:2c:b5:92:96:3e:df:2c:93:8a:ff:81:8c:0f:0f:59:21:19:
         57:bd:55:9a
SHA1 Fingerprint=07:47:22:01:99:CE:74:B9:7C:B0:3D:79:B2:64:A2:C8:55:E9:33:FF
-----BEGIN CERTIFICATE-----
MIIDIDCCAgigAwIBAgIBJDANBgkqhkiG9w0BAQUFADA5MQswCQYDVQQGEwJGSTEP
MA0GA1UEChMGU29uZXJhMRkwFwYDVQQDExBTb25lcmEgQ2xhc3MxIENBMB4XDTAx
MDQwNjEwNDkxM1oXDTIxMDQwNjEwNDkxM1owOTELMAkGA1UEBhMCRkkxDzANBgNV
BAoTBlNvbmVyYTEZMBcGA1UEAxMQU29uZXJhIENsYXNzMSBDQTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBALWJHytPZwp5/8Ue+H887dF+2rDNbS82rDTG
29lkFwhjMDMiikzujrsPDUJVyZ0upe/3p4zDq7mXy47vPxVnqIJyY1MPQYx9EJUk
oVqlBvqSV536pQHydekfvFYmUk54GWVYVQNYwBSujHxVX3BbdyMGNpfzJLWaRpXk
3w0LBUXl0fIdgrvGE+D+qnr9aTCU89JFhfzyMlsy3uhsXR/LpCJ0sICOXZT3BgBL
qdReLjVQCfOAl/QMF6452F/NM8EcyonCIvdFEu1eEpOdY6uCLrnrQkFEy0oaAIIN
nvmLVz5MxxftLItyM19yejhW1ebZrgUaHXVFsculJRwSVzb9IjcCAwEAAaMzMDEw
DwYDVR0TAQH/BAUwAwEB/zARBgNVHQ4ECgQIR+IMi/ZTiFIwCwYDVR0PBAQDAgEG
MA0GCSqGSIb3DQEBBQUAA4IBAQCLGrLJXWG04bkruVPRsoWdd44W7hE928Jj2VuX
ZfsSZ9gqXLar5V7DtxYvyOirHYr9qxp81V9jz9yw3Xe5qObSIjiHBxTZ/75Wtf0H
DjxVyhbMp6Z3N/vbXB9OWQaHowND9Rart4S9Tu+fMTfwRvFAttEMpWT4Y14h21VO
TzF2nBBhjrZTOqMRvq9tfB69ri3iDGnHhVNoomG6xT60eVR4ngrHAr5i0RGCS2Uv
kVrCqIexVmiUefkl98HVrhq4uz2PqYo4Ffdz0Fpg0YCw8NzVUM1O7pJIae2yIx4w
zMiUyLb1O4Z/P6Yun/Y+LLWSlj7fLJOK/4GMDw9ZIRlXvVWa
-----END CERTIFICATE-----

ghostshell

Great! Thank you all for your help! I will add the CA for the current cert from the mailserver and post if the issue is resolved.

@NOYB - another thing I noticed that the standard web interface cert is shown as OK in firefox while chrome throws the caution error, any way to correct this as I have not had any luck getting a cert for just the IP anymore, used to but have not be able to recently. Alt would be to use the domain name, but I find the IP more reliable.

dennypage

@NOYB:

Yes, I just added it below all the other CA's and incremented the number of certificates.

Mine is a self signed, so I have to added it.  I wish PHP curl could use it from the one that is in config (System / Certificate Manager / CAs) so it would survive upgrades and I wouldn't have to remember to add it to the file.

Here are the results of notification test message without and with my CA added to the ca-root-nss.crt file.

Aug 2 23:47:48  php-fpm  42511  /system_advanced_notifications.php: Message sent to xxx@yyy.com OK  
Aug 2 23:47:06  php-fpm  11699  /system_advanced_notifications.php: Could not send the message to xxx@yyy.com -- Error: could not start TLS connection encryption protocol  

Thanks NOYB, this was very useful information for me.

NOYB

@ghostshell:

@NOYB - another thing I noticed that the standard web interface cert is shown as OK in firefox while chrome throws the caution error, any way to correct this as I have not had any luck getting a cert for just the IP anymore, used to but have not be able to recently. Alt would be to use the domain name, but I find the IP more reliable.

I imported my own self-signed cert and the CA for it  (System / Certificate Manager / …).  Then configured Admin Access to use that cert for SSL and installed the CA in my browsers trusted roots.

dennypage

I filed a ticket for this issue:

https://redmine.pfsense.org/issues/6687

NOYB

@dennypage:

I filed a ticket for this issue:

https://redmine.pfsense.org/issues/6687

Thank you.  Sure hope someone can fix that.  Sure would be a big help.