I am trying to configure my server to send mail and I receive a "TLS fatal alert" error every time I try to send mail.
I have followed the steps indicated in this post related to my problem to try to overcome the problem, but it finally gives me the error that I describe:
apt install gnutls-bin
cd /etc/exim4/
certtool --generate-privkey --outfile exim.key
certtool --generate-request --load-privkey exim.key --outfile exim.csr
- Common name: gestiondecorreos.es
- the rest I leave blank (enter)
- login to CACert => click on "Server Certificates" => New
- It will ask you to paste in the certificate request: I paste the content of the exim.csr file.
- CACert will ask you to confirm the hostname.
- After that it will show a certificate in the resulting web page. Put the certificate in a new file named exim.crt
cd /etc/exim4/
chgrp Debian-exim exim.key
chmod g+r exim.key
vim /etc/exim4/conf.d/main/000_local (new file)
and insert inside:
MAIN_LOG_SELECTOR=+tls_cipher +tls_peerdn
MAIN_TLS_ENABLE=true
update-exim4.conf
/etc/init.d/exim4 restart
I try to connect to my mail server by tls:
gnutls-cli -s -p 587 gestiondecorreos.es
ehlo gestiondecorreos.es
starttls
^D (ctrl+d)
- the error result:
*** Starting TLS handshake
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
- subject `EMAIL=eguz*****@gmail.com,CN=server.example.com,OU=IT,O=Vesta Control Panel,L=San Francisco,ST=California,C=US', issuer `EMAIL=eguz*****@gmail.com,CN=server.example.com,OU=IT,O=Vesta Control Panel,L=San Francisco,ST=California,C=US', serial 0x0086e738bec1714309, RSA key 4096 bits, signed using RSA-SHA256, activated `2020-02-04 15:42:00 UTC', expires `2021-02-03 15:42:00 UTC', key-ID `sha256:6095e39dc286060d74d300f494814744d803ad2f5c55587ca38a2d7ed2b58194'
Public Key ID:
sha1:5f4b******************
sha256:6095****************
Public key's random art:
+--[ RSA 4096]----+
| ..o .o|
| . o +.|
*******************
| .oo.|
+-----------------+
- Status: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
I don't know why CN=server.example.com appears as the subject.
The /var/log/exim4/mainlog file said:
TLS error on connection from lixxxxxx.members.linode.com ([127.0.0.1]) [xxxxxxxxxxx] (gnutls_handshake): A TLS fatal alert has been received.
In my linode-vps the main domain is gestiondecorreos.es and orbelanet.com is another domain I am running smtp tests on.
Thanks in advance!
Mikel
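The gnutls-cli test above fails on two points: the issuer is unknown and the certificate name (CN=server.example.com) does not match the hostname being tested. The following is an added example, not code from the question or from Vesta, that performs the same pre-flight check from Python: an offline hostname and validity check on a certificate in the shape returned by ssl's getpeercert() (the sample certificate is constructed from the values in the question), plus a live STARTTLS probe that reports the verification failure reason. The host, port and sample values are assumptions for illustration.

```python
"""Pre-flight check for an SMTP server's STARTTLS certificate (added example)."""
import smtplib
import ssl
import time


def _label_matches(pattern, name):
    # Single-label wildcard in the leftmost position only: "*.example.com"
    # matches "mail.example.com" but not "a.b.example.com".
    if pattern.startswith("*."):
        return name.endswith(pattern[1:]) and name.count(".") == pattern.count(".")
    return pattern == name


def hostname_matches(cert, expected):
    """cert uses the dict shape of ssl.SSLSocket.getpeercert()."""
    expected = expected.lower().rstrip(".")
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # legacy fallback: commonName only when no DNS SAN is present
        names = [v.lower() for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return any(_label_matches(n, expected) for n in names)


def is_within_validity(cert, now_epoch=None):
    """True when now (epoch seconds, default: current time) is inside notBefore..notAfter."""
    now_epoch = time.time() if now_epoch is None else now_epoch
    return (ssl.cert_time_to_seconds(cert["notBefore"]) <= now_epoch
            <= ssl.cert_time_to_seconds(cert["notAfter"]))


def check_starttls(host, port=587, timeout=10):
    """EHLO, STARTTLS with a verifying context; return (ok, detail)."""
    ctx = ssl.create_default_context()  # system CA store, hostname check enabled
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ctx)
            return True, smtp.sock.getpeercert().get("subject")
    except ssl.SSLCertVerificationError as exc:
        # e.g. "self-signed certificate" or a hostname mismatch, as gnutls-cli reported
        return False, exc.verify_message
    except (smtplib.SMTPException, OSError) as exc:
        return False, str(exc)


# Constructed sample, modelled on the certificate printed by gnutls-cli in the question.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Vesta Control Panel"),),
                (("commonName", "server.example.com"),)),
    "notBefore": "Feb  4 15:42:00 2020 GMT",
    "notAfter": "Feb  3 15:42:00 2021 GMT",
}

if __name__ == "__main__":
    print(hostname_matches(SAMPLE_CERT, "gestiondecorreos.es"))  # False: name mismatch
    print(check_starttls("gestiondecorreos.es"))  # live probe; hostname is an assumption
```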
Best Answer
attempted solution:
Change hostname (in vestacp) (server => gestiondecorreos.es, my main domain on the server):
/usr/local/vesta/bin/v-change-sys-hostname gestiondecorreos.es
installing letsencrypt in gestiondecorreos.es:
/usr/local/vesta/bin/v-add-letsencrypt-domain 'admin' gestiondecorreos.es '' 'yes'
/usr/local/vesta/bin/v-update-host-certificate admin gestiondecorreos.es
add "update_hostname_ssl='yes'" in /usr/local/vesta/conf/vesta.conf:
echo "UPDATE_HOSTNAME_SSL='yes'" >> /usr/local/vesta/conf/vesta.conf
This will tell Vesta to update the SSL certificate for the Vesta, Exim and Dovecot daemons every time the certificate is renewed. This happens automatically.
the solution
When recreating the exim.key, exim.csr and exim.crt files with the previous steps and performing the TLS mail service test with gnutls-cli -s -p 587 gestiondecorreos.es, this time it does not give an error, everything OK. But when trying to send a new email it gives us the following error:
H=lixxxxxxxx.linode.com ([127.0.0.1]) [172.xxxxxxxxxx] X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 CV=no rejected MAIL <xxxx@xxxxxxxx>: Helo name contains a ip address (HELO was [127.0.0.1]) and not is valid
The solution was that I kept the following lines disabled in /etc/exim4/exim4.conf:
restart exim4:
service exim4 restart
And now I can send email without problem!