SMTP issues - tlsv1 alert unknown ca:

Ghost

Hello guys!

I hope to find some information in here, as I’m honestly lost and close to giving up on Mailcow all together.
I don’t really know which category to use as well, so putting it here.I’m trying to install Mailcow on Ubuntu 22.04LTS.
So, I have installed everything according to documentation, then followed up to setting up advanced SSL (I have my own certificate that i installed on it).

I copied the files(the certificates are tested and are known to be good), didn’t use symlinks. I disabled Let’s encrypt by configuring option SKIP_LETS_ENCRYPT=y in mailcow.conf.

The certificates are working well, I have proper https, but I cannot use SMTP. All i see in the gui logs is:

I made sure to import the CA to the trusted store on the machine, and just did so manually by command:
docker exec -it mailcowdockerized-postfix-mailcow-1 echo /usr/local/share/ca-certificates/selfsignCA.crt >> /etc/ca-certificates.conf

For some reason it doesn’t work via my Dockerfile, which I put here:

FROM debian:bullseye-slim
LABEL maintainer "The Infrastructure Company GmbH <info@servercow.de>"

ARG DEBIAN_FRONTEND=noninteractive
ENV LC_ALL C

RUN dpkg-divert --local --rename --add /sbin/initctl \
        && ln -sf /bin/true /sbin/initctl \
        && dpkg-divert --local --rename --add /usr/bin/ischroot \
        && ln -sf /bin/true /usr/bin/ischroot

# Add groups and users before installing Postfix to not break compatibility
RUN groupadd -g 102 postfix \
  && groupadd -g 103 postdrop \
  && useradd -g postfix -u 101 -d /var/spool/postfix -s /usr/sbin/nologin postfix \
  && apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        dirmngr \
        dnsutils \
        gnupg \
        libsasl2-modules \
        mariadb-client \
        perl \
        postfix \
        postfix-mysql \
        postfix-pcre \
        redis-tools \
        sasl2-bin \
        sudo \
        supervisor \
        syslog-ng \
        syslog-ng-core \
        syslog-ng-mod-redis \
        tzdata \
        && rm -rf /var/lib/apt/lists/* \
        && touch /etc/default/locale \
  && printf '#!/bin/bash\n/usr/sbin/postconf -c /opt/postfix/conf "$@"' > /usr/local/sbin/postconf \
  && chmod +x /usr/local/sbin/postconf

COPY supervisord.conf /etc/supervisor/supervisord.conf
COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
COPY syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng-redis_slave.conf
COPY postfix.sh /opt/postfix.sh
COPY rspamd-pipe-ham /usr/local/bin/rspamd-pipe-ham
COPY rspamd-pipe-spam /usr/local/bin/rspamd-pipe-spam
COPY whitelist_forwardinghosts.sh /usr/local/bin/whitelist_forwardinghosts.sh
COPY stop-supervisor.sh /usr/local/sbin/stop-supervisor.sh
COPY docker-entrypoint.sh /docker-entrypoint.sh
COPY selfsignCA.crt /usr/local/share/ca-certificates/selfsignCA.crt

RUN chmod +x /opt/postfix.sh \
  /usr/local/bin/rspamd-pipe-ham \
  /usr/local/bin/rspamd-pipe-spam \
  /usr/local/bin/whitelist_forwardinghosts.sh \
  /usr/local/sbin/stop-supervisor.sh
RUN rm -rf /tmp/* /var/tmp/*

EXPOSE 588

ENTRYPOINT ["/docker-entrypoint.sh"]

RUN echo selfsignCA.crt >> /etc/ca-certificates.conf
RUN update-ca-certificates

CMD exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf

On the service I’m trying to use the SMTP on, I have following:

I’m seriously at a loss here. I don’t know what else might be useful, but I will happily provide all the information ASAP as I see some is needed.

EDIT:code formatting

esackbauer

Are you sure you really followed the documentation?

To use your own certificates, just save the combined certificate (containing the certificate and intermediate CA/CA if any) to data/assets/ssl/cert.pem and the corresponding key to data/assets/ssl/key.pem

is your certificate containing the full chain? No need to fiddle around with CA certs…

Ghost

Yep! What is interesting is that I tried both with a reverse proxy and setting it up on the mailcow itself(that is what I do prefer and trying to do)

Since I generated the keys originally in crt format, I first converted them to pem(both the wildcard and the CA):

openssl x509 -in mycert.crt -out mycert.pem -outform PEM
openssl rsa -in mycert.key -text > mycert.key.pem

then simply catted them
cat mycert.pem ca.pem > fullchain.pem
then imported it to the machine with the private key in pem format, restarted the containers, and I’m back to the exit point.

esackbauer

mailcow/mailcow-dockerized3899

Ghost

I didn’t have any folder under that path matching my domain; I created one, copied the files, restarted the containers, still the same issue :/

esackbauer

I don’t know whats happening here. Which port are you connecting to? Inbound connection I guess?
What function has 192.168.50.61?
Why did you modify the dockerfile??

Ghost

192.168.50.61 is my Passbolt instance that I’m trying to hook up with Mailcow for its SMTP.
I am connecting to port 587 with TLS on.
I modified the dockerfile thinking the CA needs to be stored in the trusted store inside the container, but not I know I was wrong.

Passbolt is on the same network as Mailcow. It’s a local connection.

esackbauer

Ghost Use the default port 25. And STARTTLS if you must.
Why you are using 587? That is for clients only (that have a mailbox)

And whitelist that server on System > Configuration > Options > Forwarding Hosts

Ghost

Oh, it works on port 25 without TLS. Thanks for that!

I’ve done some serious internet digging, and while I can’t give you a link, it was written somewhere as an answer.
Still, any idea about TLS? I don’t think it’s a good idea to send mails without TLS, even if only on local network.

esackbauer

Tell Passbolt to use STARTTLS. Remember connections on port 25 and 587 must always be unencrypted for the TCP connection itself! But you can enforce encryption then by STARTTLS, which will encrypt anything coming after it.
Alternatively you could try a TLS connection to port 465
https://docs.mailcow.email/prerequisite/prerequisite-system/?h=465#default-ports

Ghost

I don’t have any options in Passbolt itself; it’s either TLS on or not. That’s what I get alongside the previously mentioned error with unknown CA(on the Passbolt side):

Also I looked at the link you sent me, and when defining SMTPS_PORT=127.0.0.1:465 in mailcow.conf and rebuilding the containers I get a timeout on port 465.

Linux firewall accepts connection on 465 and I am not blocked by any external firewall.

esackbauer

Why did you add the localhost address??? it says “you should leave this alone” in the config file…
put only 465 in:
SMTPS_PORT=465

Ghost

Well that’s how it was before.
From the link you’ve sent: SMTP_PORT=1.2.3.4:25
SMTP by default equals SMTP=25
I think it’s quite logic to add it when something tells you that
To bind a service to an IP address, you can prepend the IP like this: SMTP_PORT=1.2.3.4:25
😅

esackbauer

Old saying: If its not broken, then dont fix it, and don’t change settings you do not fully understand 😉
The SMTP ports are fine in the default. No need to tinker around with it unless you have multiple IP addresses and want just a specific to listen.
if you bind something to 127.0.0.1 you should know the consequences…

Ghost

True with the saying - would apply it if 465 didn’t have a timeout with the base configuration still😓

EDIT:

esackbauer

To which port did you do the connection? Seems your Passbolt is trying insecure SSL3 connection instead of TLS 1.2

Ghost

Port 465 as instructed 🙂

esackbauer

Then ditch Passbolt and use Bitwarden 😉

Ghost

esackbauer Oh I’d love to, but sadly Bitwarden on prem completely sucks for what I want to do. I will hit Passbolt support with the query, though. Thank you so much for the help!

esackbauer

Why does it suck? Vaultwarden has all the paid features for free (sharing passwords in teams etc)