[BUG] TLS_LEVEL not working #2674

@king-jam

Description

Miscellaneous first checks

  • I checked that all ports are open and not blocked by my ISP / hosting provider.
  • I know that SSL errors are likely the result of a wrong setup on the user side and not caused by DMS itself. I'm confident my setup is correct.

Affected Component(s)

TLS_LEVEL

What happened and when does this occur?

Enabled `TLS_LEVEL=intermediate` per these instructions: https://docker-mailserver.github.io/docker-mailserver/edge/config/environment/#tls_level. I attempted to test that it worked with:

`openssl s_client -connect mail.i.king-jam.io:465 -tls1_3` - good
`openssl s_client -connect mail.i.king-jam.io:465 -tls1_2` - good
`openssl s_client -connect mail.i.king-jam.io:465 -tls1_1` - no protocols available
`openssl s_client -connect mail.i.king-jam.io:465 -tls1` - no protocols available
`openssl s_client -starttls smtp -crlf -connect mail.i.king-jam.io:587 -tls1_3` - good
`openssl s_client -starttls smtp -crlf -connect mail.i.king-jam.io:587 -tls1_2` - good
`openssl s_client -starttls smtp -crlf -connect mail.i.king-jam.io:587 -tls1_1` - no protocols available
`openssl s_client -starttls smtp -crlf -connect mail.i.king-jam.io:587 -tls1` - no protocols available

What did you expect to happen?

I expected TLS_LEVEL to allow TLS 1.1 and TLS 1 support.

How do we replicate the issue?

1. Start up without TLS_LEVEL set.
2. See there is a client issue.
3. Add TLS_LEVEL and do a `docker compose up` (forcing a recreate).

DMS version

v11.1.0

What operating system is DMS running on?

Linux

What instruction set architecture is DMS running on?

x86_64 / AMD64

What container orchestration tool are you using?

Docker Compose

docker-compose.yml

version: '3.8'

services:
  mailserver:
    image: docker.io/mailserver/docker-mailserver:latest
    container_name: mailserver
    hostname: mail
    # Change this to your domain, it is used for your email accounts (eg: [email protected]):
    domainname: i.king-jam.io
    ports:
      - "25:25"
      - "587:587"
      - "465:465"
    volumes:
      - ./docker-data/dms/mail-data/:/var/mail/
      - ./docker-data/dms/mail-state/:/var/mail-state/
      - ./docker-data/dms/mail-logs/:/var/log/mail/
      - ./docker-data/dms/config/:/tmp/docker-mailserver/
      # The "from" path will vary based on where your certs are locally:
      - ./docker-data/certbot/certs/:/etc/letsencrypt
      - /etc/localtime:/etc/localtime:ro
    environment:
      - ENABLE_FAIL2BAN=1
      # Using letsencrypt for SSL/TLS certificates
      - SSL_TYPE=letsencrypt
      # Allow sending emails from other docker containers
      # Beware creating an Open Relay: https://docker-mailserver.github.io/docker-mailserver/edge/config/environment/#permit_docker
      - PERMIT_DOCKER=network
      # All env below are default settings:
      - ONE_DIR=1
      - ENABLE_POSTGREY=0
      - ENABLE_CLAMAV=0
      - ENABLE_SPAMASSASSIN=0
      # You may want to enable this: https://docker-mailserver.github.io/docker-mailserver/edge/config/environment/#spoof_protection
      # See step 8 below, which demonstrates setup with enabled/disabled SPOOF_PROTECTION:
      - SPOOF_PROTECTION=0
      - TLS_LEVEL=intermediate
    cap_add:
      - NET_ADMIN # For Fail2Ban to work

Relevant log output

connect from dhcp-0-1b-21-56-5e-6d.cpe.norwoodlight.com[199.254.125.241]
mailserver  | Jul  6 12:28:11 mail postfix/submission/smtpd[1503]: SSL_accept error from dhcp-0-1b-21-56-5e-6d.cpe.norwoodlight.com[199.254.125.241]: -1
mailserver  | Jul  6 12:28:11 mail postfix/submission/smtpd[1503]: warning: TLS library problem: error:140940F4:SSL routines:ssl3_read_bytes:unexpected message:../ssl/record/rec_layer_s3.c:1476:
mailserver  | Jul  6 12:28:11 mail postfix/submission/smtpd[1503]: lost connection after STARTTLS from dhcp-0-1b-21-56-5e-6d.cpe.norwoodlight.com[199.254.125.241]
mailserver  | Jul  6 12:28:11 mail postfix/submission/smtpd[1503]: disconnect from dhcp-0-1b-21-56-5e-6d.cpe.norwoodlight.com[199.254.125.241] ehlo=1 starttls=0/1 commands=1/2

Other relevant information

No response

What level of experience do you have with Docker and mail servers?

  • I am inexperienced with docker
  • I am inexperienced with mail servers
  • I am uncomfortable with the CLI

Improvements to this form?

No response
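The per-version probe the report runs by hand, as an added example that is neither docker-mailserver's nor the reporter's code. It assumes `openssl` on the client and placeholder HOST/PORT arguments for your own server; the three transcripts at the end are constructed. It also tells a refusal by the local OpenSSL configuration apart from a rejection by the server, since only the latter reflects TLS_LEVEL.

```shell
#!/bin/sh
# Added example, not part of docker-mailserver: the per-version openssl checks
# from the report, scripted. HOST and PORT are placeholders for your own server.
# Usage: sh tls_probe.sh HOST PORT [smtp]   (add smtp for STARTTLS on 587)

# Classify one openssl s_client transcript. "no protocols available" is raised
# by the local OpenSSL (MinProtocol/SECLEVEL) before any ClientHello is sent,
# so it is the client refusing, not the server; only a version alert or an
# empty cipher after the handshake shows the server rejected that version.
classify_handshake() {
  case "$1" in
    *"no protocols available"*) echo client-refused ;;
    *"alert protocol version"*|*"wrong version number"*|*"handshake failure"*|*"Cipher is (NONE)"*)
      echo rejected ;;
    *"Cipher is "*) echo accepted ;;
    *) echo unknown ;;
  esac
}

# One handshake with a single version forced; stdin is closed so s_client
# exits right after the handshake.
probe_version() {
  host=$1; port=$2; flag=$3; starttls=$4
  if [ -n "$starttls" ]; then
    out=$(openssl s_client -connect "$host:$port" -starttls "$starttls" -crlf "$flag" </dev/null 2>&1)
  else
    out=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1)
  fi
  classify_handshake "$out"
}

# Probe all four versions; return 1 if TLS 1.0 or 1.1 was accepted, so the
# script can gate a post-deploy check on legacy protocols being off.
probe_all() {
  legacy=0
  for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
    result=$(probe_version "$1" "$2" "$flag" "$3")
    printf '%-8s %s\n' "$flag" "$result"
    case "$flag" in -tls1|-tls1_1) [ "$result" = accepted ] && legacy=1 ;; esac
  done
  return "$legacy"
}

# Constructed, abbreviated transcripts for checking the classifier offline.
SAMPLE_CLIENT_REFUSED='error:...:SSL routines:...:no protocols available'
SAMPLE_REJECTED='error:...:SSL routines:...:tlsv1 alert protocol version
New, (NONE), Cipher is (NONE)'
SAMPLE_ACCEPTED='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Verify return code: 0 (ok)'
if [ "$#" -ge 2 ]; then probe_all "$1" "$2" "$3"; fi
```

A `client-refused` row for `-tls1` or `-tls1_1` means the probing machine's own OpenSSL would not offer that version, so re-run from a client whose openssl.cnf permits it before concluding anything about the server.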
