
So I set up a mail server on my VPS with CyberPanel and I can send emails manually through RainLoop. I also have a program based on the lettre crate for Rust which runs perfectly fine on my own devices and correctly sends emails out through code. However, when I try to run the program on my VPS, I get the following messages in my syslog.

globalfun postfix/smtps/smtpd[24656]: connect from localhost[::1]
globalfun postfix/smtps/smtpd[24656]: SSL_accept error from localhost[::1]: -1
globalfun postfix/smtps/smtpd[24656]: warning TLS library problem: error 14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1543:SSL alert number 48:
globalfun postfix/smtps/smtpd[24656]: lost connection after CONNECT from localhost[::1]
globalfun postfix/smtps/smtpd[24656]: disconnect from localhost[::1] commands=0/0

I don't really understand why I can't send out emails through my program but it seems to have something to do with SSL. For reference, I have two servers on the same domain - one for my website which has an SSL installed through Let's Encrypt and another for the mail server which doesn't have SSL on it. That said, I don't think that's the issue as I can send emails through the mail server manually completely fine. Does anyone have any ideas as to what's wrong? Thanks in advance.

CrimsonTide0

1 Answer


globalfun postfix/smtps/smtpd[24656]: warning TLS library problem: error 14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1543:SSL alert number 48:

Your client refuses to connect to your mail server since it does not trust the CA which issued the mail server's certificate. It notifies the server about this problem by sending an unknown ca TLS alert.

There can be various reasons for this. Typically it is either the use of a CA which is not trusted by the client, which needs to be fixed at the client (trust this CA) or at the server (use a certificate from a CA trusted by the client). Or the root CA is actually trusted but the server is not sending the intermediate certificates needed by the client to build the trust chain to this trusted root CA. This needs to be fixed at the server.

Steffen Ullrich
  • Hi, it's been a while but I thought I'd try again. I believe you're right in that the CA which issued the certificate isn't trusted. I have a CyberPanel/RainLoop mail server established but it keeps generating a self-signed SSL certificate whenever I use CyberPanel to try to produce an SSL certificate for the mail server. I have a working proper SSL certificate generated from nginx/certbot and am looking to use that certificate for my mail server but I can't seem to find where the reference to the mail server's certificate is. Do you have any ideas where it might be? I'd love to replace the file path. – CrimsonTide0 Sep 11 '21 at 00:09
  • I found the filepath and changed the certificate - here's to hoping it runs correctly now. – CrimsonTide0 Sep 11 '21 at 00:33
  • I changed the certificate to the one provided by certbot but I'm still getting the same error - the only difference is that I also receive a warning saying "TLS SNI localhost from localhost[::1] not matched, using default chain" before the SSL accept error. How do I add R3 to the list of trusted CAs on my VPS? – CrimsonTide0 Sep 11 '21 at 02:35
  • @CrimsonTide0: The client connects to `localhost` and thus expects a certificate matching `localhost`. You cannot just use an arbitrary certificate here. *"How do I add R3 to the list of trusted CAs on my VPS?"* - there is no generic VPS and there is no generic way to add CA's to a VPS. Moreover programming languages and even applications often come with their own idea where CA should be stored. – Steffen Ullrich Sep 11 '21 at 05:05
  • Is that why I'm getting a different error now: bad certificate? Can I just use certbot to generate a SSL for my mailserver (mail.globalfun.earth) and use that instead? Is that mailserver what localhost connects to? – CrimsonTide0 Sep 11 '21 at 16:34
  • @CrimsonTide0: All information I have is basically the error description from Postfix. I can only guess what may be the reason for the problem but barring any useful information about the client these remain only educated guesses. So don't expect reliable answers to your detailed questions. – Steffen Ullrich Sep 11 '21 at 16:58
  • Ok, I'll keep that in mind - that said I'd appreciate any help you can give me. How do I go about getting my VPN to trust a self-signed certificate? – CrimsonTide0 Sep 11 '21 at 18:23
  • @CrimsonTide0: *"How do I go about getting my VPN to trust a self-signed certificate?"* - this is a totally different question and should be asked as its own. Note though there is no single VPN technology and setup, so you need to be very specific when asking. – Steffen Ullrich Sep 11 '21 at 19:40
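The answer's diagnosis rests on reading the TLS alert out of the Postfix log line, and the later comments mention two more symptoms (a bad certificate alert and the "TLS SNI ... not matched, using default chain" warning). The following is an added example, not code from the question, the answer or Postfix: a small triage script that walks smtpd syslog lines, decodes the packed OpenSSL error code (0x14094418 splits into library 20 = ERR_LIB_SSL, function 148 and reason 1048; for alerts received from the peer OpenSSL's reason is 1000 + the TLS alert number, so 1048 is alert 48, unknown_ca) and says which side the fix belongs on. The log lines, host name and PID in SAMPLE_LOG are constructed to mirror the question; the regular expressions and the OpenSSL 1.1.x error-code layout are assumptions of this example, and the alert names follow RFC 5246 section 7.2.2.

```python
"""Triage Postfix smtpd TLS handshake failures from syslog lines.

Added example, not from the original post. The sample log lines below are
constructed to mirror the ones in the question; host name and PID are made up.
"""
import re

# TLS alert descriptions (RFC 5246, section 7.2.2) a connecting client commonly
# sends when it rejects the server's certificate, and where the fix usually lives.
# Only alerts relevant to server-certificate validation are listed.
ALERTS = {
    42: ("bad_certificate",
         "client rejected the certificate itself (malformed, wrong key usage, or in some "
         "stacks a name/SNI mismatch); fix the certificate the server presents"),
    44: ("certificate_revoked", "client found the certificate revoked; reissue on the server"),
    45: ("certificate_expired", "certificate past notAfter; renew on the server"),
    46: ("certificate_unknown",
         "client could not validate the certificate for an unspecified reason; "
         "check name, validity dates and chain on the server"),
    48: ("unknown_ca",
         "client cannot chain to a trusted root: either trust the issuing CA on the client, "
         "or make the server send the missing intermediate certificate(s)"),
    112: ("unrecognized_name",
          "server has no certificate for the requested SNI name; fix the server's SNI mapping"),
}

# OpenSSL 1.1.x packs an error code as library (8 bits) | function (12 bits) | reason (12 bits).
# Library 20 is ERR_LIB_SSL; a reason of SSL_AD_REASON_OFFSET (1000) + N means "peer sent
# TLS alert N". The highest TLS alert number is 255, so alert reasons lie in 1000..1255.
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000

# Assumed line shapes (this example's own regexes, matched against the text Postfix logs).
LIB_PROBLEM_RE = re.compile(
    r"TLS library problem: error:?\s*([0-9A-Fa-f]{8}):.*?SSL alert number (\d+)")
SNI_RE = re.compile(r"TLS SNI (\S+) from (\S+) not matched, using default chain")
ACCEPT_RE = re.compile(r"SSL_accept error from (\S+): (-?\d+)")


def decode_openssl_error(code_hex):
    """Split a packed OpenSSL error code into library, function and reason, and
    recover the TLS alert number when the reason encodes an alert received from the peer."""
    code = int(code_hex, 16)
    lib = code >> 24
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and SSL_AD_REASON_OFFSET <= reason <= SSL_AD_REASON_OFFSET + 255:
        alert = reason - SSL_AD_REASON_OFFSET
    return {"lib": lib, "func": func, "reason": reason, "alert": alert}


def triage(lines):
    """Walk syslog lines in order and return one finding per TLS-relevant event."""
    findings = []
    for line in lines:
        m = SNI_RE.search(line)
        if m:
            findings.append({
                "event": "sni_mismatch", "sni": m.group(1), "peer": m.group(2),
                "hint": "client asked for '%s' but the server has no certificate for that name; "
                        "the default chain was sent and the client will validate the name it "
                        "asked for against it" % m.group(1)})
            continue
        m = ACCEPT_RE.search(line)
        if m:
            findings.append({
                "event": "handshake_failed", "peer": m.group(1),
                "hint": "handshake aborted; the following 'TLS library problem' line "
                        "carries the alert the client sent"})
            continue
        m = LIB_PROBLEM_RE.search(line)
        if m:
            decoded = decode_openssl_error(m.group(1))
            alert_no = int(m.group(2))
            name, hint = ALERTS.get(alert_no, ("unknown", "see RFC 5246 section 7.2.2"))
            findings.append({
                "event": "client_alert", "alert": alert_no, "name": name,
                # Cross-check: the packed reason code must agree with the logged alert number.
                "decoded_alert_matches": decoded["alert"] == alert_no,
                "hint": hint})
    return findings


# Constructed sample, modelled on the question's log (with the SNI warning from the comments).
SAMPLE_LOG = [
    "Sep 11 02:30:01 mailhost postfix/smtps/smtpd[12345]: connect from localhost[::1]",
    "Sep 11 02:30:01 mailhost postfix/smtps/smtpd[12345]: warning: TLS SNI localhost from "
    "localhost[::1] not matched, using default chain",
    "Sep 11 02:30:01 mailhost postfix/smtps/smtpd[12345]: SSL_accept error from localhost[::1]: -1",
    "Sep 11 02:30:01 mailhost postfix/smtps/smtpd[12345]: warning: TLS library problem: "
    "error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:"
    "../ssl/record/rec_layer_s3.c:1543:SSL alert number 48:",
    "Sep 11 02:30:01 mailhost postfix/smtps/smtpd[12345]: lost connection after CONNECT from localhost[::1]",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it against `grep smtpd /var/log/mail.log` output instead of SAMPLE_LOG to get the same three findings for a real outage. The SNI finding is the one that matters for the comment thread: a client connecting to `localhost` will check the certificate for the name `localhost`, so a Let's Encrypt certificate for the mail host's public name cannot satisfy it no matter which CAs the client trusts.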