I'm going crazy, and I need your help please.
I have 2 servers under Gentoo with the same versions of postfix, dovecot, openssl, kernel, etc. On one of the 2, SMTP authentication does not work, while it works without problem on the other. However, the configuration differences are relatively trivial (in my opinion). There must be something blocking it, but I can't find what. Each server has its SSL certificate (certbot).
I always get this:
RENEGOTIATING
4017ADA99C7F0000:error:0A00010A:SSL routines:can_renegotiate:wrong ssl version:../openssl-3.0.10/ssl/ssl_lib.c:2304:
What is this RENEGOTIATING? I have seen in several places that TLSv1.3 does not allow renegotiation, but why don't I have this problem on the other server as well?
Complete log:
# openssl s_client -starttls smtp -connect vpsmail.*******.***:25
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = vpsmail.*******.***
verify return:1
---
Certificate chain
0 s:CN = vpsmail.*******.***
i:C = US, O = Let's Encrypt, CN = R3
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
v:NotBefore: Sep 26 20:20:48 2023 GMT; NotAfter: Dec 25 20:20:47 2023 GMT
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Sep 4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
subject=CN = vpsmail.*******.***
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4392 bytes and written 437 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 CHUNKING
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 1ED0E0455FEB4B8576383E3C5450C1EBCFD845274EF9999876F3D5BA4932F2D1
Session-ID-ctx:
Resumption PSK: 08ACC2CA0712DEDB0F3D02A652169EADEBE9ECB0A65CED6C91D632CE5888F3C0C9FF1E4D820F4299EE474BC09F126EC3
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Start Time: 1695763400
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
AUTH LOGIN
334 VXNlcm5hbWU6
###username_coded_base64###
334 UGFzc3dvcmQ6
###password_coded_base64###
RENEGOTIATING
4017ADA99C7F0000:error:0A00010A:SSL routines:can_renegotiate:wrong ssl version:../openssl-3.0.10/ssl/ssl_lib.c:2304:
Configuration difference between the 2 Postfix servers:
@@ -1,6 +1,4 @@
-authorized_submit_users = !halt, static:all
body_checks = regexp:/etc/postfix/body_checks
-broken_sasl_auth_clients = yes
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/libexec/postfix
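Review bot: neither key dropped in this hunk bears on the failing SMTP AUTH exchange, so this difference can be ruled out. `broken_sasl_auth_clients = yes` only makes smtpd additionally advertise the obsolete `AUTH=LOGIN PLAIN` form in its EHLO reply for very old clients (Outlook Express 4 era), and `authorized_submit_users` governs who may use the local sendmail(1) command, not network clients; a manually typed `AUTH LOGIN` over the network is unaffected by both.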
@@ -8,53 +6,52 @@
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
-delay_warning_time = 4
-fallback_relay = [smtp.orange.fr]
header_checks = regexp:/etc/postfix/header_checks
+home_mailbox = mail/
html_directory = no
inet_protocols = ipv4
-luser_relay = postmaster
+luser_relay = postmaster@********.***
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_command = /usr/bin/procmail -Y -a $DOMAIN
mailbox_size_limit = 204800000
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
-masquerade_domains = $mydomain $myorigin
+maximal_queue_lifetime = 30d
message_size_limit = 102400000
meta_directory = /etc/postfix
-mydestination = pcre:/etc/postfix/mydestinations
+mydestination = localhost.$mydomain, localhost
mydomain = ********.***
-myhostname = mail.********.***
-mynetworks = 192.168.0.0/21, 127.0.0.0/8
-myorigin = $mydomain
+myhostname = vpsmail.********.***
+mynetworks_style = host
+myorigin = $myhostname
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc_maps
-relay_domains = $mydestination
-relayhost = [smtp.orange.fr]
+recipient_canonical_maps = hash:/etc/postfix/recipient_canonical_maps
+relay_domains = $mydomain ********.***
+relay_recipient_maps = hash:/etc/postfix/relay_recipients
+ regexp:/etc/postfix/relay_recipients-regexp
sample_directory = /etc/postfix
sender_bcc_maps = hash:/etc/postfix/sender_bcc_maps
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
shlib_directory = /usr/lib64/postfix/${mail_version}
-smtp_sasl_auth_enable = yes
-smtp_sasl_password_maps = hash:/etc/postfix/saslpass
-smtp_sasl_security_options = noanonymous
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtpd_recipient_restrictions = check_recipient_access
- hash:/etc/postfix/bad_recipients permit_mynetworks permit_sasl_authenticated
- reject_non_fqdn_recipient reject_unknown_recipient_domain
+ hash:/etc/postfix/bad_recipients permit_mynetworks reject_non_fqdn_recipient
+ reject_non_fqdn_sender permit_sasl_authenticated reject_non_fqdn_recipient
+ reject_unknown_sender_domain reject_unknown_recipient_domain
reject_unauth_destination reject_unauth_pipelining reject_rbl_client
noptr.spamrats.com reject_rbl_client spam.spamrats.com reject_rbl_client
dyna.spamrats.com check_sender_access hash:/etc/postfix/sender_access
smtpd_relay_restrictions =
- permit_mynetworks,permit_sasl_authenticated,defer_unauth_destination
+ permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myorigin
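Review bot: `reject_non_fqdn_recipient` appears twice in the new `smtpd_recipient_restrictions` (once before `permit_sasl_authenticated` and again after it); the second occurrence can never fire because the first has already rejected every recipient it would match, so drop it. Note also that `mynetworks = 192.168.0.0/21, 127.0.0.0/8` has become `mynetworks_style = host`, so `permit_mynetworks` now matches only this server's own addresses and every other client must authenticate before `reject_unauth_destination` is reached; that is the safer setting, and it also means a broken AUTH now blocks relaying outright instead of being masked by a trusted network range. The `smtp_sasl_*` removals are client-side settings (smtp, not smtpd) that go with the dropped `relayhost`, so they do not affect inbound authentication either.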
@@ -63,16 +60,12 @@
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
-smtpd_tls_cert_file = /etc/letsencrypt/live/mail.********.***/fullchain.pem
-smtpd_tls_key_file = /etc/letsencrypt/live/mail.********.***/privkey.pem
+smtpd_tls_cert_file = /etc/letsencrypt/live/vpsmail.********.***/fullchain.pem
+smtpd_tls_key_file = /etc/letsencrypt/live/vpsmail.********.***/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
-transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
unverified_sender_reject_code = 550
-virtual_alias_domains = ********.***
-virtual_alias_maps = hash:/etc/postfix/virtual
- regexp:/etc/postfix/virtual-regexp
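Review bot: the certificate and key paths now point at the `vpsmail` live directory, which agrees with `subject=CN = vpsmail...` and `Verification: OK` in the transcript above, so the TLS material on this server is consistent and the failure is not a certificate problem. Dropping `transport_maps` and the `virtual_alias_*` maps changes routing, not authentication, and is consistent with the `mydestination` and `relay_domains` changes in the previous hunk; nothing in this diff touches how smtpd talks to Dovecot for SASL.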
Versions:
postfix-3.8.1
dovecot-2.3.20-r1
openssl-3.0.10
Thanks in advance
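As an added example (not from the original poster, nor from the Postfix or OpenSSL projects): the RENEGOTIATING line is produced by s_client itself, which in interactive mode treats an input line beginning with R as its renegotiate command and one beginning with Q as quit, and TLS 1.3 has no renegotiation, hence the wrong ssl version error. The script below checks whether a base64-encoded AUTH LOGIN credential would be swallowed that way and shows the flag that turns the interactive commands off; the credentials and hostname are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. In interactive mode (neither
# -quiet nor -ign_eof given) openssl s_client treats an input line that
# begins with 'R' as "renegotiate" and one that begins with 'Q' as "quit"
# instead of sending it to the server. TLS 1.3 has no renegotiation, so a
# base64 AUTH LOGIN credential that happens to start with 'R' yields exactly
# "RENEGOTIATING" followed by "can_renegotiate:wrong ssl version".

# Base64-encode a credential the way AUTH LOGIN expects it (one line).
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Report which s_client command, if any, the encoded credential collides
# with. Prints "renegotiate", "quit" or "none"; exit 0 only on a collision.
s_client_collision() {
  case "$(b64 "$1")" in
    R*) echo renegotiate; return 0 ;;
    Q*) echo quit;        return 0 ;;
    *)  echo none;        return 1 ;;
  esac
}

# A leading base64 'R' is index 17 (010001), i.e. a first raw byte of
# 0x44..0x47 ('D'..'G'); 'Q' is index 16, i.e. 0x40..0x43 ('@'..'C').
# So any username or password beginning with @, A, B, C, D, E, F or G
# cannot be pasted into an interactive s_client session.

# Command line for probing AUTH by hand with the interactive commands
# disabled, so every typed line reaches the server unchanged.
safe_probe_cmd() { echo "openssl s_client -quiet -starttls smtp -connect $1:25"; }

# Demo with constructed sample credentials (not real accounts).
for cred in "user@example.test" "Gentoo-pass" "Admin"; do
  printf '%-20s -> %-24s %s\n' "$cred" "$(b64 "$cred")" \
    "$(s_client_collision "$cred" || true)"
done
safe_probe_cmd mail.example.test
```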