
Maddy returns TLS Internal Error to valid handshakes on SMTP STARTTLS #467

Closed
ptrcnull opened this issue Mar 14, 2022 · 4 comments · Fixed by #468
Labels
bug Something isn't working.

Comments

@ptrcnull (Contributor)

Describe the bug

When an external server tries to deliver a message with a missing server_name TLS extension, Maddy responds with a TLSv1.2 Alert message, description 0x50 (Internal Error).

Steps to reproduce

  • launch maddy with STARTTLS on SMTP enabled
  • run openssl s_client -noservername -starttls smtp -crlf mailserver:25

Log files

2022-03-14T22:23:58.873Z smtp: 220 mail.torastian.com ESMTP Service Ready
2022-03-14T22:23:58.899Z smtp: EHLO mail.example.com
2022-03-14T22:23:58.900Z smtp: 250-Hello mail.example.com
2022-03-14T22:23:58.900Z smtp: 250-PIPELINING
2022-03-14T22:23:58.900Z smtp: 250-8BITMIME
2022-03-14T22:23:58.900Z smtp: 250-ENHANCEDSTATUSCODES
2022-03-14T22:23:58.900Z smtp: 250-CHUNKING
2022-03-14T22:23:58.900Z smtp: 250-STARTTLS
2022-03-14T22:23:58.900Z smtp: 250-SMTPUTF8
2022-03-14T22:23:58.900Z smtp: 250 SIZE 33554432
2022-03-14T22:23:58.926Z smtp: STARTTLS
2022-03-14T22:23:58.927Z smtp: 220 2.0.0 Ready to start TLS
2022-03-14T22:23:58.954Z smtp: 550 5.0.0 Handshake error

Configuration file

## Maddy Mail Server - default configuration file (2021-08-16)
# Suitable for small-scale deployments. Uses its own format for local users DB,
# should be managed via maddyctl utility.
#
# See tutorials at https://maddy.email for guidance on typical
# configuration changes.
#
# See manual pages (also available at https://maddy.email) for reference
# documentation.

# ----------------------------------------------------------------------------
# Base variables

$(hostname) = mail.torastian.com
$(primary_domain) = ptrcnull.me
$(local_domains) = $(primary_domain)

tls.loader.acme local_tls {
    email letsencrypt@ptrcnull.me
    agreed
    challenge dns-01
    dns cloudflare {
        api_token "<token>"
    }
}


# ----------------------------------------------------------------------------
# Local storage & authentication

auth.pass_table local_authdb {
    table sql_table {
        driver sqlite3
        dsn credentials.db
        table_name passwords
    }
}

storage.imapsql local_mailboxes {
    driver sqlite3
    dsn imapsql.db
    appendlimit 128M
}

# ----------------------------------------------------------------------------
# SMTP endpoints + message routing

hostname $(hostname)

msgpipeline inbound_routing {
  destination $(my_domains) {
    modify {
      replace_rcpt regexp ".*" "patrycja@ptrcnull.me"
    }
    deliver_to &local_mailboxes
  }

  default_destination {
    reject 550 5.1.1 "User does not exist"
  }
}

smtp tcp://0.0.0.0:25 {
    tls &local_tls

    io_debug yes
    debug yes
    
    limits {
        # Up to 20 msgs/sec across max. 10 SMTP connections.
        all rate 20 1s
        all concurrency 10
    }

    # dmarc yes
    check {
        require_mx_record
        # dkim
        # spf
    }

    default_source {
        deliver_to &inbound_routing
    }
}

table.chain submission_users {
  optional_step regexp ".*@ptrcnull.me" "patrycja@ptrcnull.me"
}

submission tls://0.0.0.0:465 tcp://0.0.0.0:587 {
    tls &local_tls

    limits {
        # Up to 50 msgs/sec across any amount of SMTP connections.
        all rate 50 1s
    }

    auth &local_authdb

    source $(local_domains) {
        check {
            authorize_sender {
                prepare_email &submission_users
                user_to_email identity
            }
        }

        destination postmaster $(local_domains) {
            deliver_to &inbound_routing
        }
        default_destination {
            modify {
                dkim $(primary_domain) $(local_domains) default
            }
            deliver_to &remote_queue
        }
    }
    default_source {
        reject 501 5.1.8 "Non-local sender domain"
    }
}

target.remote outbound_delivery {
    limits {
        # Up to 20 msgs/sec across max. 10 SMTP connections
        # for each recipient domain.
        destination rate 20 1s
        destination concurrency 10
    }
    mx_auth {
        dane
        mtasts {
            cache fs
            fs_dir mtasts_cache/
        }
        local_policy {
            min_tls_level encrypted
            min_mx_level none
        }
    }
}

target.queue remote_queue {
    target &outbound_delivery

    autogenerated_msg_domain $(primary_domain)
    bounce {
        destination postmaster $(local_domains) {
            deliver_to &inbound_routing
        }
        default_destination {
            reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
        }
    }
}

# ----------------------------------------------------------------------------
# IMAP endpoints

imap tls://0.0.0.0:993 tcp://0.0.0.0:143 {
    tls &local_tls
    auth &local_authdb
    storage &local_mailboxes
    # debug
    # io_debug
}

# ----------------------------------------------------------------------------
# Logging

log /var/log/maddy.log
#debug on

Environment information

  • maddy version: 0.5.4 (linux/amd64 go1.17.8)
ptrcnull added the bug label on Mar 14, 2022
@ptrcnull (Contributor, Author)

Adding debug logs to emersion/go-smtp revealed the actual error:

(attached screenshot)

Looks like it's an issue with Maddy's use of certmagic: it shouldn't guess which certificate to use from Go's ClientHelloInfo when the hostname directive is set.

@Damaj301damaj-lol

I am having this issue only when trying to use HTTPS on telnet; I get this output:

mohamad@The301Phone ~ % telnet mailservee 587
Trying mailserver...
Connected to mailserver.
Escape character is '^]'.
220 mailserver ESMTP Service Ready
helo mailserver
250 2.0.0 Hello mailserver
STARTTLS
220 2.0.0 Ready to start TLS
auth login
550 5.0.0 Handshake error
quit
221 2.0.0 Bye
Connection closed by foreign host.

However, when using the openssl command above, it works:

helo damaj.tech
250 2.0.0 Hello mailserver
STARTTLS
502 5.5.1 Already running in TLS
auth login
334 insertsomebase64text

@ptrcnull (Contributor, Author)

Not really related to the original issue.
In your case, you can't upgrade to a TLS connection with telnet(1) simply open in your terminal, because it doesn't support that; you would have to perform the handshake and encryption manually, sending raw bytes.

@Damaj301damaj-lol

I see, hm. Now I am really starting to think about why I am unable to receive mail; I can only send mail.
