docker-mailserver: SSL_accept error server won't sent anymore

My mail server no longer sends mails. This morning it was still working and now nothing works at all. I recently renewed the Letsencrypt certificates because they had expired. I don’t know if it has anything to do with that. Now no more e-mails can be sent following error:



Sep  6 19:42:40 mail-server postfix/smtps/smtpd[1830]: SSL_accept error from static.43.231.16.95.clients.your-server.de[95.216.204.62]: lost connection
Sep  6 19:42:40 mail-server postfix/smtps/smtpd[1830]: lost connection after CONNECT from static.43.231.16.95.clients.your-server.de[95.216.204.62]
Sep  6 19:42:40 mail-server postfix/smtps/smtpd[1830]: disconnect from static.43.231.16.95.clients.your-server.de[43.231.16.95] commands=0/0```

About this issue

  • Original URL
  • State: closed
  • Created 2 years ago
  • Comments: 17 (10 by maintainers)

Most upvoted comments

But if I use mail-server.skysmtp.ch, it works! Can someone tell me why and if I can change that?

  • mail-server.skysmtp.ch is your mail-server hostname and what it should advertise itself as when sending mail to other mail-servers. When sending mail, usually the mail-server is not expected to verify the senders TLS certificate as far as I know. But the mail client (like ThunderBird, Roundcube, and perhaps services like Nextcloud) may connect expecting TLS certificate to be valid/correct.
  • When mail is sent to you at user@skysmtp.ch it will look at DNS MX record, which should be pointing to the DNS A record mail-server.skysmtp.ch. If anything requires TLS / SSL certificate to connect to your mail-server it should be for this FQDN (mail-server.skysmtp.ch).

I always used “skysmtp.ch” as “host” because that should also be the main domain (“domainname: skysmtp.ch”).

This is not correct.

domainname last I checked for docker and docker-compose is not a web domain name, but NIS domain name, very different things. We try to discourage this and suggest using hostname only, hostname: mail-server.skysmtp.ch. It should not make any difference with our configuration though.

When our container starts, it will understand both hostname-only or hostname+domainname, and it will remove the first value before the . so internally it should always be split to mail-server and skysmtp.ch. That 2nd value is used for your mail address user@skysmtp.ch.

Your DNS records such as SPF should authorize mail-server.skysmtp.ch to send, and MX record to mail-server.skysmtp.ch to receive.

Edit: Now it doesn’t work with a new WordPress site, although the settings are 100% the same as the other one.

What doesn’t work? Your wordpress site should be using an FQDN in the certificate that matches it, such as blog.skysmtp.ch or if you serve it at skysmtp.ch/blog/ then it should use the skysmtp.ch certificate.

Only docker-mailserver container needs mail-server.skysmtp.ch. With LetsEncrypt, anything else should have LetsEncrypt CA certificates installed (this is common on most OS) and it will be able to verify your certificate when connecting.

TLS_LEVEL=intermediate

This will relax the cipher suites and TLS protocols we allow. It is intended for old devices or services that aren’t able to use better TLS security.

With the default TLS_LEVEL=modern, we only allow TLS 1.2 or higher, and our TLS 1.2 cipher-suite is restricted to best practice choices (last I checked it followed what OWASP and Mozilla advise, and I made sure to understand it well for mail-server use).

It shouldn’t make any difference if nothing in your setup has changed, as that would be a regression from some software to use less secure cipher-suite or protocol.

ECDSA

This is quite possible. I think I remember LetsEncrypt talking about switching over from RSA to ECDSA certificates as their new default.

Some services may still not have ECDSA support, or they do but their cipher suite support for it is not as good. Using TLS_LEVEL=intermediate may help in that case. If it does please let me know.

You can inspect your certificate in the web browser to see what type LetsEncrypt has given you for skysmtp.ch.

You can also use the step-cli certificate inspect program to check your certificate (from the URI or directly against the certificate file). If you do share any of that with us, be careful not to share your private key (this is like a password, and bad for anyone else to know), only the public key (this is the certificate presented to any software that requests it).

You can see this document of ours that I wrote. It uses the step-cli tool to create self-signed certificate for testing, and there is “Certificate details” you can click to view the certificate inspect output. You want to know which one of these you get:

RSA 2048-bit certificate:

        Subject Public Key Info:
            Public Key Algorithm: RSA
                Public-Key: (2048 bit)

ECDSA 256-bit certificate:

        Subject Public Key Info:
            Public Key Algorithm: ECDSA
                Public-Key: (256 bit)

That is the only information we’re interested in.

+1
polarathene on Sep 7, 2022

You could try: TLS_LEVEL=intermediate

See also: https://community.letsencrypt.org/t/ssl-accept-error-postfix/85423/8

Maybe the new certificates are ECDSA and that is causing problems?

+1
casperklein on Sep 7, 2022

Have you made sure that the certificate still includes mail-server.skysmtp.ch?

I didn’t know which certificate was required, so I have one for “skysmtp.ch” and one for “mail-server.skysmtp.ch”.

+1
Skyfay on Sep 7, 2022
Read more comments on GitHub
← docker-mailserver: Spoof failure with valid account and sender address
docker-mailserver: SSL_accept error TLS library problem: error:1408A0C1:SSL routines →