Postal: Can't use Let's Encrypt certificate for SMTP server.

Created on 22 Sep 2018  路  12Comments  路  Source: postalhq/postal

I'm using Let's Encrypt's SSL. Website is working fine with HTTPS. But If I try to use those certificates in SMTP server I'm getting this error. When I test SMTP settings with postal test-app-smtp [email protected] it gives following:

Error: OpenSSL::SSL::SSLError (SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A)

or

Error: Errno::ECONNRESET (Connection reset by peer - SSL_connect)

Here is related config from postal.yml

smtp_server:
  port: 2525
  tls_enabled: true
  tls_certificate_path: /etc/letsencrypt/live/postal.mydomain.com/fullchain.pem # I used chown -R postal:postal /etc/letsencrypt/live/postal.mydomain.com to ensure permission
  tls_private_key_path: /etc/letsencrypt/live/postal.mydomain.com/privkey.pem
  proxy_protocol: false
  log_connect: true
  strip_received_headers: false

If I disable tls, email is sending fine. But that means emails are sending in plain text right?
I've googled a lot and tried to add these lines into SMTP settings.

  tls_ciphers:
  ssl_version: TLSv1

Also tried to change tls_ciphers, ssl_version into many different combinations no luck. I assume postal is not recognizing the value of ssl_version.

Most helpful comment

Ok, got it working! Full details coming soon.

Edit: Solution

First I noticed Let's Encrypt's generated certificates require root permission to access and had to

chown -R postal:postal /etc/letsencrypt/live/postal.mydomain.com

But this wasn't enough, /etc/letsencrypt/live/postal.mydomain.com is actually symlink of /etc/letsencrypt/archive and you have to

chown -R postal:postal /etc/letsencrypt/archive

folder too. But apparently it didn't work for me (I guess lol.. forgot it was enough or not). I ended up using

chown -R postal:postal /etc/letsencrypt

entire letsencrypt folder. It worked for me. I wasted long enough time googling on error

Error: OpenSSL::SSL::SSLError (SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A)

After you configure your letsencrypt certificate in postal.yml You will encounter another error:

Error: OpenSSL::SSL::SSLError (hostname "127.0.0.1" does not match the server certificate)

You have to change:

smtp:
  # Specify an SMTP server that can be used to send messages from the Postal management
  # system to users. You can configure this to use a Postal mail server once the
  # your installation has been set up.
  host: 127.0.0.1 to -> your postal address like postal.domain.com to get certificate working.
  ...

All 12 comments

Ok, got it working! Full details coming soon.

Edit: Solution

First I noticed Let's Encrypt's generated certificates require root permission to access and had to

chown -R postal:postal /etc/letsencrypt/live/postal.mydomain.com

But this wasn't enough, /etc/letsencrypt/live/postal.mydomain.com is actually symlink of /etc/letsencrypt/archive and you have to

chown -R postal:postal /etc/letsencrypt/archive

folder too. But apparently it didn't work for me (I guess lol.. forgot it was enough or not). I ended up using

chown -R postal:postal /etc/letsencrypt

entire letsencrypt folder. It worked for me. I wasted long enough time googling on error

Error: OpenSSL::SSL::SSLError (SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A)

After you configure your letsencrypt certificate in postal.yml You will encounter another error:

Error: OpenSSL::SSL::SSLError (hostname "127.0.0.1" does not match the server certificate)

You have to change:

smtp:
  # Specify an SMTP server that can be used to send messages from the Postal management
  # system to users. You can configure this to use a Postal mail server once the
  # your installation has been set up.
  host: 127.0.0.1 to -> your postal address like postal.domain.com to get certificate working.
  ...

Good spot, glad you figured it out.

Its very easy to accidentally remove the /etc/letsencrypt folder so we keep a backup copy at /organisation/letsencrypt and reference that from the config which works and bypasses the permission issue.

I'm not sure how well the permission change you have made will work when the certificates get renewed in a few months but you'll probably get emailed if the renew fails and can fix it in time.

Oh yea, I also wonder what will happen when certificates renews. Preferred way to implement this is maybe make copy of it and use it, but making a copy and automating it was another job to do..

For your reference, it is a matter of amending the /etc/cron.d/certbot file to copy the updated folder to your location of choice.

Ok, got it working! Full details coming soon.

Edit: Solution

First I noticed Let's Encrypt's generated certificates require root permission to access and had to

chown -R postal:postal /etc/letsencrypt/live/postal.mydomain.com

But this wasn't enough, /etc/letsencrypt/live/postal.mydomain.com is actually symlink of /etc/letsencrypt/archive and you have to

chown -R postal:postal /etc/letsencrypt/archive

folder too. But apparently it didn't work for me (I guess lol.. forgot it was enough or not). I ended up using

chown -R postal:postal /etc/letsencrypt

entire letsencrypt folder. It worked for me. I wasted long enough time googling on error

Error: OpenSSL::SSL::SSLError (SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A)

After you configure your letsencrypt certificate in postal.yml You will encounter another error:

Error: OpenSSL::SSL::SSLError (hostname "127.0.0.1" does not match the server certificate)

You have to change:

smtp:
  # Specify an SMTP server that can be used to send messages from the Postal management
  # system to users. You can configure this to use a Postal mail server once the
  # your installation has been set up.
  host: 127.0.0.1 to -> your postal address like postal.domain.com to get certificate working.
  ...

i faced the same issue how have you manage to fix the
Error: OpenSSL::SSL::SSLError (SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A)

I've successfully done the postal website of the house with LE. How do we deal with the fast_server? Nginx is not listening to second IP so I'm good there. I'm just lost because it is domain specific and I haven't found anything on this yet. Any help would be greatly appreciated.

Fast server is not related to nginx. Fast server issues Let's Encrypt certificate for its own usage on its own.

thanks, no I get that part. But if you look at the code section they have an example where you put in the LE path for the fast server.when I look at the log I see:
# Logfile created on 2019-09-17 22:57:48 -0400 by logger.rb/56438 [6664] [2019-09-17T22:57:48.535] INFO -- : Successfully registered private key with address XXXXXX [worker.12:6242] [2019-09-17T23:00:01.124] INFO -- : Attempting verification of XXXXXXX.com [worker.12:6242] [2019-09-17T23:00:03.631] INFO -- : Status was not valid (was: invalid) [worker.12:6242] [2019-09-17T23:00:04.763] INFO -- : Attempting verification of track.XXXXXXX.com [worker.12:6242] [2019-09-17T23:00:06.508] INFO -- : Status was not valid (was: invalid) [worker.8:3386] [2019-09-18T23:15:01.337] INFO -- : Attempting verification of track.XXXXXXX.com [worker.8:3386] [2019-09-18T23:15:02.596] INFO -- : Status was not valid (was: invalid) [worker.8:3386] [2019-09-18T23:15:03.734] INFO -- : Attempting verification of track.XXXXXXX.com [worker.8:3386] [2019-09-18T23:15:05.294] INFO -- : Status was not valid (was: invalid) [4990] [2019-09-18T23:40:56.584] INFO -- : Attempting verification of track.XXXXXXX.com [4990] [2019-09-18T23:40:58.167] INFO -- : Status was not valid (was: invalid) [4990] [2019-09-18T23:40:58.667] INFO -- : Attempting verification of track.XXXXXXX.com [4990] [2019-09-18T23:41:00.052] INFO -- : Status was not valid (was: invalid) root@vps258001:/opt/postal/log#
example code is:
fast_server: enabled: false bind_address: # Set appropriate IP addresses to listen on. These should be dedicated IP # addresses just used for this server. You should list IPv4 and IPv6 addresses # as appropriate. # - 1.2.3.4 # - abcd:a:b:c:d::1 port: 80 ssl_port: 443 proxy_protocol: false default_private_key_path: # Defaults to config/fast_server.key default_tls_certificate_path: # Defaults to config/fast_server.cert

above is located: postal/config/postal.defaults.yml

dns is valid, just fyi

@sergioloera If you do not have a dedicated IP for fast_server please consider reading this #321 for sample config. This is the necessary section of your main postal.yml:

fast_server:
  enabled: true
  bind_address: YOUR_INTERNAL_IP_HERE
    # Set appropriate IP addresses to listen on. These should be dedicated IP
    # addresses just used for this server. You should list IPv4 and IPv6 addresses
    # as appropriate.
    # - 1.2.3.4
    # - abcd:a:b:c:d::1
  ssl_port: 443
  default_private_key_path: # Defaults to config/fast_server.key
  default_tls_certificate_path: # Defaults to config/fast_server.cert

@igerzog thanks but that's not what I was asking. I do have the second dedicated IP and ports open and nginx not listening to it. I was more confused about setting the "Defaults to config/fast_server.key/cert".

For those that over think it, like I did. You don't need it. Stick to the basics lol here's what worked for me
fast_server:
enabled: true
bind_address: YOUR_SECOND_IP

then you'll want to make sure to stop postal (not restart) and then start again. Once I did that just delete the tracking domain you setup and recreate it. SSL/LE will provision.

Ok, I see 馃槉 So the default paths should be changed to LE if it is necessary to handle fast_server.cert regular updates for some purposes.

Sorry for continuing to resurrect this old thread, I believe setting the default certificate effectively allows you to give a valid certificate for the base tracking domain (i.e. track.postal.yourorganisation.com) but I can't think of many benefits for doing so.

Postal uses Lets Encrypt to cover all the endpoints specified in the UI so the base one is accessible but not actually going to do anything other than hello.

Presumably you could apply a certificate if you wanted to monitor your fast server externally with web requests and weren't already monitoring the Postal processes.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

ro78 picture ro78  路  4Comments

BlueHatbRit picture BlueHatbRit  路  3Comments

moskoweb picture moskoweb  路  6Comments

masihfathi picture masihfathi  路  5Comments

harshweo picture harshweo  路  6Comments