Secure connection to mailserver won't work

[Falko_Braune]

I'm using plesk with CentOS 6.6 and the postfix/courier mail services

I tried to connect an existing mail account with a mail program like thunderbird.
But I'm not able to connect to it, except when I'm using "no connection security"

So I tried, if manually contacting the POP3s Port is working:

openssl s_client -ssl3 -host mail.domain.de -port 995

with the following result:

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1424184294
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

the same results come for trying to connect to port 465 (ssmtp) and 993 (imaps)
port 443 (https) seems to work fine

i already checked if the corresponding certificates exist (e.g. /usr/share/imapd.pem) and filled with the standard certificate informtaion given by plesk

checking openssl on the server gives the following result:

# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

is there anything I have missed to configure?

 

[abdi]

Find the Postfix main.cf file (/etc/postfix/main.cf) and set:

smtpd_tls_security_level = may

If TLS is being enforced via the Postfix config, smtpd_tls_security_level will be set to encrypt. may makes it optional.

http://www.postfix.org/TLS_README.html

 

[Falko_Braune]

I already set this option and connecting to the mailserver without tls works fine for me.
I really DO want to make secure connections work.

I looked into the log file and found this after trying to connect via openssl

Feb 17 17:33:12 s18146878 postfix/smtpd[32587]: connect from unknown[myIP]
Feb 17 17:33:12 s18146878 postfix/smtpd[32587]: setting up TLS connection from unknown[myIP]
Feb 17 17:33:12 s18146878 postfix/smtpd[32587]: SSL_accept error from unknown[myIP]: 0
Feb 17 17:33:12 s18146878 postfix/smtpd[32587]: warning: TLS library problem: 32587:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1259:SSL alert number 46:
Feb 17 17:33:12 s18146878 postfix/smtpd[32587]: lost connection after CONNECT from unknown[myIP]
Feb 17 17:33:12 s18146878 postfix/smtpd[32587]: disconnect from unknown[myIP]

 

[UFHH01]

Hi Falko_Braune,

first of all, please update your openssl version to the most recent one, because of several vulnerabilities. Please see as well:

[Plesk] CVE-2014-3566: POODLE attack exploiting SSL 3.0 fallback ( KB - article: 123 160 )​

In some cases you might experience issues with incompatibilities for some browser and/or eMail - clients, after you followed the KB - article 123 160. It might help to read:

SSL POODLE / SSLv3 bug ( Parallels Forum - Link )​

... to solve such issues, because there are several additional solutions provided in this thread.

 

[abdi]

There might be some broken or missing handlers. Try rebuilding them:

- backup content of

/usr/local/psa/handlers/before-local/
/usr/local/psa/handlers/before-queue/
/usr/local/psa/handlers/info/

directories just in case.

- delete all from these directories.
- rebuild mail settings and handlers with

/usr/local/psa/admin/sbin/mchk --with-spam

I hope it will help. If not just switch Postfix to Qmail.