Debian – A TLS fatal alert has been received with exim4 in debian 9

Tags: debian, exim, linode, smtp, ssl

I am trying to configure my server to send mail, and I receive a "TLS fatal alert" error every time I try to send mail.

I have followed the steps indicated in this post related to my problem, but in the end it gives me the error that I describe below:

apt install gnutls-bin
cd /etc/exim4/
certtool --generate-privkey --outfile exim.key
certtool --generate-request --load-privkey exim.key --outfile exim.csr
  • Common name: gestiondecorreos.es

  • the rest I leave blank (Enter)

  • URL: http://www.cacert.org/

  • log in to CACert => click on "Server Certificates" => New

  • It will ask you to paste in the certificate request: I paste the contents of the exim.csr file.

  • CACert will ask you to confirm the hostname.

  • After that it will show a certificate in the resulting web page. Put the certificate in a new file named exim.crt

    cd /etc/exim4/
    chgrp Debian-exim exim.key
    chmod g+r exim.key
    vim /etc/exim4/conf.d/main/000_local (new file)

  • and insert the following:

    MAIN_LOG_SELECTOR=+tls_cipher +tls_peerdn
    MAIN_TLS_ENABLE=t

    update-exim4.conf
    /etc/init.d/exim4 restart

I try to connect to my mail server via TLS:

gnutls-cli -s -p 587 gestiondecorreos.es
ehlo gestiondecorreos.es
starttls
^D (Ctrl+D)
  • the resulting error:

*** Starting TLS handshake
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `EMAIL=eguz*****@gmail.com,CN=server.example.com,OU=IT,O=Vesta Control Panel,L=San Francisco,ST=California,C=US', issuer `EMAIL=eguz*****@gmail.com,CN=server.example.com,OU=IT,O=Vesta Control Panel,L=San Francisco,ST=California,C=US', serial 0x0086e738bec1714309, RSA key 4096 bits, signed using RSA-SHA256, activated `2020-02-04 15:42:00 UTC', expires `2021-02-03 15:42:00 UTC', key-ID `sha256:6095e39dc286060d74d300f494814744d803ad2f5c55587ca38a2d7ed2b58194'
   Public Key ID:
      sha1:5f4b******************
      sha256:6095****************
   Public key's random art:
      +--[ RSA 4096]----+
      |        ..o    .o|
      |       .   o   +.|
      *******************
      |             .oo.|
      +-----------------+

- Status: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed

I don't know why CN=server.example.com appears as the subject.

The /var/log/exim4/mainlog file says:

TLS error on connection from lixxxxxx.members.linode.com ([127.0.0.1]) [xxxxxxxxxxx] (gnutls_handshake): A TLS fatal alert has been received.

On my Linode VPS the main domain is gestiondecorreos.es, and orbelanet.com is another domain I am running SMTP tests on.

Thanks in advance!
Mikel
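A diagnostic for the mismatch reported above, added here as an example and not part of the original question or of Vesta/Exim: it fetches the certificate the submission port really serves after STARTTLS and checks whether any of its names covers the host you connected to (SAN DNS entries first, the subject CN as a fallback, one-label wildcards handled). It assumes openssl(1) 1.1.1 or newer; the hostname in the usage line is the question's own domain and only a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original question or from Vesta/Exim.
# Shows which certificate an SMTP submission port really presents after
# STARTTLS and whether any of its names covers the host you connected to.
# Assumes openssl(1) 1.1.1 or newer (for "x509 -ext"); the host in the usage
# line at the bottom is a placeholder taken from the question.

# CN from an RFC 2253 style DN, the form both gnutls-cli and
# "openssl x509 -nameopt RFC2253" print, e.g.
#   EMAIL=...,CN=server.example.com,OU=IT,O=Vesta Control Panel,...
cn_from_dn() {
    printf '%s\n' "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# name_matches HOST NAME: exit 0 if certificate name NAME covers HOST.
# Comparison is case-insensitive; a "*.example.com" wildcard covers exactly
# one extra label (mail.example.com) but not example.com or a.b.example.com.
name_matches() {
    nm_host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    nm_name=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case $nm_name in
        '*.'*)
            nm_suffix=${nm_name#\*}                     # ".example.com"
            case $nm_host in
                *"$nm_suffix")
                    nm_prefix=${nm_host%"$nm_suffix"}   # label(s) before the suffix
                    [ -n "$nm_prefix" ] && [ "${nm_prefix#*.}" = "$nm_prefix" ] ;;
                *) return 1 ;;
            esac ;;
        *) [ "$nm_host" = "$nm_name" ] ;;
    esac
}

# Names a PEM certificate on stdin claims: SAN DNS entries first, then the
# subject CN as a fallback, one per line.
cert_names() {
    pem=$(cat)
    printf '%s\n' "$pem" | openssl x509 -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
    dn=$(printf '%s\n' "$pem" | openssl x509 -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed 's/^subject= *//')
    cn_from_dn "$dn"
}

# check_starttls_host HOST [PORT]: exit 0 if the served certificate covers
# HOST, 1 on a name mismatch, 2 if no certificate came back. Verification is
# deliberately not enforced here so that a wrong certificate can still be seen.
check_starttls_host() {
    cs_host=$1; cs_port=${2:-587}
    cs_names=$(openssl s_client -starttls smtp -connect "$cs_host:$cs_port" \
                   -servername "$cs_host" </dev/null 2>/dev/null | cert_names)
    if [ -z "$cs_names" ]; then
        echo "no certificate received from $cs_host:$cs_port" >&2
        return 2
    fi
    echo "$cs_host:$cs_port presents: $(printf '%s' "$cs_names" | tr '\n' ' ')"
    for n in $cs_names; do
        if name_matches "$cs_host" "$n"; then
            echo "OK: $n covers $cs_host"
            return 0
        fi
    done
    echo "MISMATCH: no name covers $cs_host; clients will abort the handshake" >&2
    return 1
}

# Usage (placeholder host from the question):
#   check_starttls_host gestiondecorreos.es 587
```

Against the server in the question this would have printed server.example.com and returned 1: the subject and issuer of the served certificate are identical and name Vesta Control Panel, i.e. Vesta's own self-signed certificate, not the CAcert one generated in /etc/exim4/exim.crt. That is why gnutls-cli reports both "issuer is unknown" and "name does not match" and aborts the handshake, which Exim then logs as a received fatal alert.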

Best Answer

Attempted solution:

  • Change the hostname (in VestaCP) to the server's main domain (server => gestiondecorreos.es):

    /usr/local/vesta/bin/v-change-sys-hostname gestiondecorreos.es

  • Install Let's Encrypt for gestiondecorreos.es:

    /usr/local/vesta/bin/v-add-letsencrypt-domain 'admin' gestiondecorreos.es '' 'yes'

  • Apply the SSL certificate installed in the previous step to Vesta, Exim and Dovecot:

    /usr/local/vesta/bin/v-update-host-certificate admin gestiondecorreos.es

  • Add "UPDATE_HOSTNAME_SSL='yes'" to /usr/local/vesta/conf/vesta.conf:

    echo "UPDATE_HOSTNAME_SSL='yes'" >> /usr/local/vesta/conf/vesta.conf

This tells Vesta to update the SSL certificate for the Vesta, Exim and Dovecot daemons every time the certificate is renewed. This happens automatically.

The solution:

  • After recreating the exim.key, exim.csr and exim.crt files with the previous steps and performing the TLS mail service test with gnutls-cli -s -p 587 gestiondecorreos.es, this time it does not give an error; everything is OK.

  • But when trying to send a new email, it gives the following error:

    H=lixxxxxxxx.linode.com ([127.0.0.1]) [172.xxxxxxxxxx] X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 CV=no rejected MAIL <xxxx@xxxxxxxx>: Helo name contains a ip address (HELO was [127.0.0.1]) and not is valid

  • The solution was to keep the following lines in /etc/exim4/exim4.conf disabled (commented out):

    # deny condition = ${if eq{$sender_helo_name}{}}
    # message = HELO required before MAIL

    # drop message = Helo name contains a ip address (HELO was $sender_helo_name) and not is valid
    # condition = ${if match{$sender_helo_name}{\N((\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3})|([0-9a-f]{8})|([0-9A-F]{8}))\N}{yes}{no}}
    # condition = ${if match {${lookup dnsdb{>: defer_never,ptr=$sender_host_address}}\}{$sender_helo_name}{no}{yes}}
    # delay = 45s

    # drop condition = ${if isip{$sender_helo_name}}
    # message = Access denied - Invalid HELO name (See RFC2821 4.1.3)

  • Restart exim4:

    service exim4 restart

And now I can send email without problem!
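The HELO checks the answer comments out are anti-spam rules, and removing them lets any client on the Internet use a bare IP address as its HELO name. A narrower alternative, added here as an example and not taken from the answer or from Vesta's configuration: keep the rule but exempt authenticated submissions and the server's own addresses. It assumes the rule lives in the MAIL ACL of /etc/exim4/exim4.conf that the answer edited (the log line says "rejected MAIL"), and that the local client seen in the answer's log (HELO [127.0.0.1] from a 172.x address) connects either from loopback or from the server's own private address; 172.16.0.0/12 below is a placeholder for that address.

```conf
# Added example, not the answer's configuration. Placeholder: replace
# 172.16.0.0/12 with the real address the local submission client uses.

  # Weak setting (what the answer does): the check is simply gone, so any
  # host may say "HELO [1.2.3.4]".
  # drop condition = ${if isip{$sender_helo_name}}
  #      message = Access denied - Invalid HELO name (See RFC2821 4.1.3)

  # Scoped setting: bare-IP HELOs from unauthenticated, non-local hosts are
  # still dropped; a client that authenticated (SMTP AUTH on 587) or that
  # connects from loopback or the server's own private address is exempt.
  # "<;" switches the list separator to ";" so that ::1 can be written, and
  # a host matching none of the negated items makes the "hosts" condition true.
  drop
    !authenticated = *
    hosts          = <; !127.0.0.1 ; !::1 ; !172.16.0.0/12
    condition      = ${if isip{$sender_helo_name}}
    message        = Access denied - Invalid HELO name (See RFC2821 4.1.3)
```

The same two conditions can be prepended to the PTR-based HELO check the answer also disabled. With the check kept for unauthenticated hosts, a client that sends HELO [127.0.0.1] from the 172.x address without authenticating is still rejected; the fix on that side is to make it authenticate or announce its real hostname rather than to drop the rule for everyone.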