
Resolved TLS/SNI issue receiving emails from google

gregconway

Basic Pleskian
Hello everybody!

I have an issue with one Plesk server (CentOS 8.3.2011 / Plesk Obsidian, both fully updated) where I cannot receive emails from Google addresses.

This is happening for all domains on the server. Some have LE certs, some have real certs.

If I move my test domain to another Plesk server (configured by the same script) then this domain can receive emails from Google without issues. In fact all the emails I sent previously then arrive, so the emails are being deferred, not rejected.

Here's the mail log for one of the emails that was rejected:

Dec 10 20:51:37 prey postfix/smtpd[6477]: connect from mail-lj1-f180.google.com[209.85.208.180]
Dec 10 20:51:38 prey postfix/smtpd[6477]: warning: TLS library problem: error:0908F066: PEM routines:get_header_and_data:bad end line:crypto/pem/pem_lib.c:852:
Dec 10 20:51:38 prey postfix/smtpd[6477]: warning: error loading private keys and certificates from: SNI data for mail.domain.com: aborting TLS handshake
Dec 10 20:51:38 prey postfix/smtpd[6477]: SSL_accept error from mail-lj1-f180.google.com[209.85.208.180]: -1
Dec 10 20:51:38 prey postfix/smtpd[6477]: warning: TLS library problem: error:1422E0EA:SSL routines:final_server_name:callback failed:ssl/statem/extensions.c:1006:
Dec 10 20:51:38 prey postfix/smtpd[6477]: lost connection after STARTTLS from mail-lj1-f180.google.com[209.85.208.180]
Dec 10 20:51:38 prey postfix/smtpd[6477]: disconnect from mail-lj1-f180.google.com[209.85.208.180] ehlo=1 starttls=0/1 commands=1/2

My googling suggests there is something wrong with the certificate, but I've regenerated the paid (Sectigo) cert with no effect, and as I said I cannot email any domain on the server from a Google address.

Does anybody have any ideas what is happening here? And how I might fix it?! :)

Thanks!
 
Just a thought:
"bad end line:crypto/pem": could that mean that the
-----END CERTIFICATE-----
is missing or slightly different from that spelling (e.g. a dash missing). However, this could also be in another part of the certificate set, e.g. the private key. Have you manually edited some of this?
 
And have you checked that the ending of one is not immediately followed by the beginning of the next like
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
which should correctly be
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
?
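A small linter for exactly the two PEM mistakes described above (a marker with the wrong dash count and an END line fused to the next BEGIN), as an added example that is not code from this thread or from Plesk. It assumes the input is the text of a certificate/key file as Postfix would load it; the sample bundles are constructed, not taken from the server in question.

```python
import re

# Marker forms OpenSSL's PEM reader accepts: exactly five dashes on each side.
_HEADER = re.compile(r"^-----BEGIN ([A-Z][A-Z0-9 ]*)-----$")
_FOOTER = re.compile(r"^-----END ([A-Z][A-Z0-9 ]*)-----$")
# Loose search, used only to diagnose lines that look like markers but are not.
_ANY_MARK = re.compile(r"(BEGIN|END) ([A-Z][A-Z0-9 ]*?)-")

def lint_pem(text):
    """Return [(line_number, message)] for each defect in a PEM bundle; [] if clean.

    Flags what makes OpenSSL report 'bad end line': a marker with the wrong dash
    count, an END fused to the next BEGIN on one line, and a block never closed.
    """
    problems = []
    open_label, open_line = None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        header, footer = _HEADER.match(line), _FOOTER.match(line)
        marks = _ANY_MARK.findall(line)
        if header:
            if open_label:
                problems.append((lineno, f"BEGIN {header.group(1)} while {open_label} from line {open_line} is unterminated"))
            open_label, open_line = header.group(1), lineno
        elif footer:
            if open_label is None:
                problems.append((lineno, f"END {footer.group(1)} has no matching BEGIN"))
            elif footer.group(1) != open_label:
                problems.append((lineno, f"END {footer.group(1)} does not match BEGIN {open_label} on line {open_line}"))
            open_label = None
        elif len(marks) > 1:
            problems.append((lineno, "END and BEGIN markers fused on one line; put a newline between them"))
            kind, label = marks[-1]  # resume from the last marker on the line
            open_label, open_line = (label, lineno) if kind == "BEGIN" else (None, None)
        elif marks:
            problems.append((lineno, f"malformed marker {line!r}: expected five dashes on each side"))
            kind, label = marks[0]
            open_label, open_line = (label, lineno) if kind == "BEGIN" else (None, None)
        # Any other line is base64 body or pre-block text, which OpenSSL skips.
    if open_label:
        problems.append((open_line, f"BEGIN {open_label} is never closed"))
    return problems

# Constructed samples (not from the thread): a clean two-cert chain, the same
# chain with footer and header fused, and a key footer that is one dash short.
GOOD = "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n" * 2
FUSED = ("-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----"
         "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----\n")
SHORT = "-----BEGIN PRIVATE KEY-----\nMIIE...\n----END PRIVATE KEY-----\n"
```

Run `lint_pem(open(path).read())` over each certificate and key file Postfix references; a non-empty result points at the line OpenSSL chokes on.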
 
Hi Peter,
Thanks for the suggestion.
I'd found the same articles and had trawled through many .pem files looking for ---- instead of -----, but I never found it.
In the end I found I hadn't secured various websites' mail servers with the LE SSL certs, which I found because I had very few SNI entries in /etc/dovecot/conf.d.
I also had to bin my paid-for wildcard cert in favour of an LE cert to secure the main server.
Strangely this was the same on an identical server but it wasn't causing any issues over there.
Anyway - all resolved.
Thanks for answering! :)
 