[Solved] Postfix doesn't update SSL certificates, causing Thunderbird email sending issues

My YunoHost server

Hardware: Scaleway dedibox
YunoHost version: 11.0.6
I have access to my server : Through SSH
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : yes
If yes, please explain:
My server was installed with a backup restoration from a YunoHost 4.X (up to date at the time)

Description of my issue

The Postfix service did not load the latest certificates. /etc/postfix/main.cf points to the certificates through symbolic links, which means they stay up to date. I reloaded the service but, even if the IMAP and HTTP certificates are OK, Thunderbird sending (SMTP) has issues. The error is about expired certificates. Postfix seems to still be using the one from the backup. I changed the certificate paths (to avoid the symlinks and try to enforce the use of the newest certificates) without effect (in /etc/postfix/main.cf and the /etc/postfix/sni files).

postfix[480690]: Postfix is running with backwards-compatible default settings            
postfix[480690]: See http://www.postfix.org/COMPATIBILITY_README.html for details                             
postfix[480690]: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload"     
postfix/postfix-script[480753]: warning: symlink leaves directory: /etc/postfix/./makedefs.out                                              
postfix/postfix-script[480778]: warning: /var/spool/postfix/etc/ssl/certs/ca-yunohost_crt.pem and /etc/ssl/certs/ca-yunohost_crt.pem differ 
postfix/postfix-script[480872]: warning: /var/spool/postfix/etc/ssl/certs/yunohost_crt.pem and /etc/ssl/certs/yunohost_crt.pem differ 
postfix/postfix-script[480927]: starting the Postfix mail system                    
postfix/master[480929]: daemon started -- version 3.5.6, configuration /etc/postfix                                                              
postfix/submission/smtpd[480981]: connect from XXX                    
postfix/submission/smtpd[480981]: SSL_accept error from XXX: -1       
postfix/submission/smtpd[480981]: warning: TLS library problem: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:../ssl/record/rec_layer_s3.c:1543:SSL alert number 45:
postfix/submission/smtpd[480981]: lost connection after STARTTLS from XXX

Here are the relevant Postfix warnings from /var/log/mail.log: startup and the connection SSL error.

I’m not an expert on this, but just before the error it says:

postfix/postfix-script[480778]: warning: /var/spool/postfix/etc/ssl/certs/ca-yunohost_crt.pem and /etc/ssl/certs/ca-yunohost_crt.pem differ

So try copying the one to postfix and see what happens?


I don’t know how the YunoHost config regeneration did it, but it fixed it.
sudo yunohost tools regen-conf postfix --force
As Let’s Encrypt has a short life duration, I hope I won’t need to relaunch.

Thanks for the response, by the way.

EDIT (after thread closed): I needed to relaunch after next certificate release.


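A log check for the symptom discussed in this thread, as an added example that is not part of the original posts or of YunoHost's tooling: it scans mail.log text for the chroot copy "differ" warnings and for the TLS "certificate expired" alert (alert number 45) that a client sends back when it rejects the certificate Postfix served. The function names are hypothetical, and the sample input is constructed from the log lines quoted in the first post.

```python
import re

# Constructed sample: lines copied from the log excerpt in this thread ("XXX" is the redacted client).
SAMPLE_LOG = """\
postfix/postfix-script[480778]: warning: /var/spool/postfix/etc/ssl/certs/ca-yunohost_crt.pem and /etc/ssl/certs/ca-yunohost_crt.pem differ
postfix/postfix-script[480872]: warning: /var/spool/postfix/etc/ssl/certs/yunohost_crt.pem and /etc/ssl/certs/yunohost_crt.pem differ
postfix/master[480929]: daemon started -- version 3.5.6, configuration /etc/postfix
postfix/submission/smtpd[480981]: connect from XXX
postfix/submission/smtpd[480981]: SSL_accept error from XXX: -1
postfix/submission/smtpd[480981]: warning: TLS library problem: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:../ssl/record/rec_layer_s3.c:1543:SSL alert number 45:
postfix/submission/smtpd[480981]: lost connection after STARTTLS from XXX
"""

# postfix-script warns at startup when a file copied into the chroot no longer matches its source.
DIFFER = re.compile(r"postfix-script\[\d+\]: warning: (\S+) and (\S+) differ")
# smtpd logs the peer per process; the service name (e.g. "submission") is optional in the tag.
CONNECT = re.compile(r"postfix/(?:[\w-]+/)?smtpd\[(\d+)\]: connect from (\S+)")
# An alert read from the peer: the client refused the served certificate as expired.
EXPIRED = re.compile(
    r"postfix/(?:([\w-]+)/)?smtpd\[(\d+)\]: warning: TLS library problem: .*alert certificate expired"
)

def scan(log_text):
    """Return stale chroot copies and the clients that rejected the served certificate."""
    stale, peers, alerts = [], {}, []
    for line in log_text.splitlines():
        if m := DIFFER.search(line):
            stale.append((m.group(1), m.group(2)))
        elif m := CONNECT.search(line):
            peers[m.group(1)] = m.group(2)  # remember the peer for this smtpd PID
        elif m := EXPIRED.search(line):
            alerts.append({
                "service": m.group(1) or "smtpd",
                "pid": m.group(2),
                "client": peers.get(m.group(2), "unknown"),
            })
    return {"stale_copies": stale, "expired_alerts": alerts}

def needs_attention(report):
    """True when at least one client reported an expired certificate."""
    return bool(report["expired_alerts"])

if __name__ == "__main__":
    report = scan(SAMPLE_LOG)
    print(report, needs_attention(report))
```

Running a check like this after each certificate renewal would show whether SMTP clients are still being handed the old certificate, which is the situation described in the EDIT above.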