You are here
Hi
I installed Version 14.0 LAMP Stack on a MS Hyper-V-Cluster.
Then transferred an existing phpBB-board and updated it to the latest version (3.1.6). Everything works fine except for the connection to my smtp-server (which is supposed to send the e-mails from the board). Tried different ones with different settings (ports, auth method etc), got none working...
The failure logs in my board (below) show, that the connection to the server is established but when it comes to some TLS stuff something goes wrong with the connection and it breaks...
I suspect that it could have something to do with the "hardened default SSL/TLS setting" which is described as "technically TLS settings as all versions of SSL are now disabled." (from here: https://www.turnkeylinux.org/blog/turnkey-14-0-release).
I tried to set the "Compatible Cipher List recommended for older clients" in this file: /etc/apache2/mods-available/ssl.conf (and rebooted machine) but this didn't work either (form here: https://github.com/turnkeylinux/common/blob/master/conf/turnkey.d/zz-ssl...).
As I have the same board running as a test-site on a Turnkey Linux version 13.1 (on the MS Hyper-V-Cluster as well) wihtout any problems, I think it might has to do with the new tight security features in der version 14.0.
Now, I have no clue where to look further for some information on how to resolve the problem, the results of all search I did weren't of much help...
Can somebody guide me in a new direction? How can I disable (at least temporarily) the security features? Or some of them? Is this TLS-related at all...?
Do you need any further information on my system?
Thanks a lot for any help on that!
Chris
phpBBFailure logs from two different smtp servers:
Backtrace Connecting to mail.somedomain.ch:25 LINE: 1020 <- 220-websrv1.hostservers.ch ESMTP Exim 4.77 #2 Tue, 13 Oct 2015 23:44:29 +0200 LINE: 1020 <- 220-We do not authorize the use of this system to transport unsolicited, LINE: 1020 <- 220 and/or bulk e-mail. # EHLO lamp LINE: 1369 <- 250-websrv1.hostservers.ch Hello 213-193-80-20.static.cablecom.ch [213.193.80.20] LINE: 1369 <- 250-SIZE 52428800 LINE: 1369 <- 250-PIPELINING LINE: 1369 <- 250-AUTH PLAIN LOGIN LINE: 1369 <- 250-STARTTLS LINE: 1369 <- 250 HELP # STARTTLS LINE: 1414 <- 220 TLS go ahead # AUTH LOGIN LINE: 1493 <- 554 Security failure
Backtrace Connecting to mail.dachel.ch:587 LINE: 1020 <- 220 mail.dachel.ch Kerio Connect 8.3.3 ESMTP ready # EHLO lamp LINE: 1369 <- 250-mail.dachel.ch LINE: 1369 <- 250-AUTH CRAM-MD5 PLAIN LOGIN DIGEST-MD5 NTLM LINE: 1369 <- 250-STARTTLS LINE: 1369 <- 250-ENHANCEDSTATUSCODES LINE: 1369 <- 250-8BITMIME LINE: 1369 <- 250-PIPELINING LINE: 1369 <- 250-ETRN LINE: 1369 <- 250-DSN LINE: 1369 <- 250 HELP # STARTTLS LINE: 1414 <- 220 2.0.0 Ready to start TLS # AUTH LOGIN
check ports
I also had a connection problem for a service, when upgrading v13=>v14.
SSL / TLS is handled by stunnel now. Your service may need to to be 'directed through' stunnel. It will work on a fresh install, but may break when v13 configs are restored back to a v14 appliance.
see here v14.0 is different
Sounds like config issue to me
From a glance It looks to me like you are trying to send emails in the open (i.e. no TLS) and your SMTP requires TLS authentication. I would look at the sendmail settings...
[edited to fix a mistake in my text; I originally mistakenly wrote "sendmail" rather than "postfix" in my second sentence].
[solved] - Hardened default SSL/TLS setting
I received the notification about your answers only right now and have not checked manually before... So I also have a huge delay in my answer...
First of all: Thanks for your quick replies and your help!
I solved the problem a few days after my post by googling and trying other things -- and ended up in digging deeper into the Postfix configuration. To be honest: I haven't even documented what I did. At the end (after a few days of trying and trying and trying...) I was just happy everything worked. As far as I remember I configured the Postfix Server in a way that it sends the mails over another ("well configured") SMTP Server. It's probably not a very clever and clean solution, but it works...
And yes, TKL v14 IS indeed very different from previous versions, which were "a breeze" even for a complete linux newbie like me. It seems that security (and I totally agree that this is a very, very important issue...) takes it's toll...
With this: Thanks again!
Chris
Thanks for posting back Chris
Your solution of using a separate SMTP server is completely valid and legitimate. And we probably should have it documented.
The v14.0 appliances should still send emails OOTB. Although some ISPs block direct email sending; and also sometimes your host IP may have been blacklisted (this is common with dynamic IP addresses; particularly on services like AWS which are often abused by spammers).
Just to comment your answer
Just to comment your answer as well (forgot in th other post...):
The v14.0 appliance does send emails OOTB. The "problems" were exactly the ones you describe in your post (although in my case dynamic IPs were not the issue as I was on a fixed IP).
And I'm definitely sure you can configure the postfix mailserver in a way that all the issues are solved within the TKL appliance. I just took my solution with using an already existing (and working) mailserver because this was an "easier" solution for me to get it working.
I had to find a solution quickly for my forum, so once the "quick and dirty" solution worked, I was just happy with that and didn't dig deeper into anything else...
What I remember from the solution...
As I already said: I don't remember all the steps I made to get it to work...
But if you take all the information here, a couple of hours time and Google as your friend, hopefully you get it to work as well...
I looked it up and as far as I can remember and find out from history I can reproduce at least the following steps (don't remember the right order...):
and my /etc/postfix/main.cf looks like this:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version # Debian specific: Specifying a file name will cause the first # line of that file to be used as the name. The Debian default # is /etc/mailname. #myorigin = /etc/mailname smtpd_banner = 123.456.789.111.static.anydomain.tld biff = no # appending .domain is the MUA's job. append_dot_mydomain = no # Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h readme_directory = no # TLS parameters smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key smtpd_use_tls=yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for # information on enabling SSL in the smtp client. smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination myhostname = name.domain.tld alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases mydestination = localdomain, localhost, localhost.localdomain, localhost, name.domain.tld mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 mailbox_size_limit = 0 recipient_delimiter = + myorigin = name.domain.tld inet_interfaces = all smtp_generic_maps = hash:/etc/postfix/generic # specify SMTP relay host relayhost = [mailserver.otherdomain.tld]:587 # enable SASL authentication smtp_sasl_auth_enable = yes # disallow methods that allow anonymous authentication. smtp_sasl_security_options = noanonymous # where to find sasl_passwd smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd # Enable STARTTLS encryption smtp_use_tls = yes # where to find CA certificates smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt smtpd_sasl_type = dovecot # Can be an absolute path, or relative to $queue_directory # Debian/Ubuntu users: Postfix is setup by default to run chrooted, so it is best to leave it as-is below smtpd_sasl_path = private/authAwesome
If you're using TurnKey, please sign up and start a new thread
If you're using TurnKey Linux and having an issue, please create a new user account, log in and start a new thread.
Please provide details on which appliance you're using, which version it is (if not sure post the output of 'turnkey-version'), where it's running (e.g. local VirtualBox VM, Hub cloud server, etc, etc), plus details on any customisation you may have done (probably don't need details at this point, just a general idea of what you've done).
Then please detail the problem you are having (feel free to post links to other threads that describe similar issue to yours). If you are seeing any errors or warnings anywhere please post them verbatim i.e. exactly as they are (ideally copy/paste the text; although screenshots can be attached to the first post in a thread if that's easier). Please also note where you saw the errors (e.g. in browser, log file, commandline, etc).
Then provide info on what you have tried already and what the results were (if any). Again please feel free to link to other posts that show similar experiences.
Armed with that info, we have a really good shot at diagnosing and fixing the issue! :)
Add new comment