postfix/dovecot/openssl - bad UTF-8 syntax
by skubik from LinuxQuestions.org on (#5CAD4)
Hi everyone,
I've been putting together a personal email server using postfix & dovecot using postgresql for a database with virtual domains & users.
It's been 'running' ok but I've been encountering a problem with TLS connections using anything besides Thunderbird (I can receive and send email using an internal domain), but I've had problems connecting using roundcube or the Thunderbird Sieve plugin; it all seemed to point to a problem with TLS authentication and I thought it was my certificates (self-signed, generated on another machine).
I eventually got to the point of testing the certificates with openssl to ensure that they themselves were not corrupt, and everything seems to be ok there.
So I figure the problem must be with how they're configured in postfix & dovecot. I began testing the connection with openssl tools and noticed some 'syntax error' stuff in the debug output.
Specifically, by using this command:
Code:
openssl s_client -servername mail.internal.domain -connect mail.internal.domain:587 -msg -debug
...I got this in the debug output:
Code:
>>> TLS 1.3, Handshake [length 0138], ClientHello
01 00 01 34 03 03 cd 7d 68 8f 7d 15 b9 16 a3 23
66 76 90 e4 9c 0f 4d 6b 4c 38 be 82 19 4e 70 ca
82 58 60 93 31 a1 20 a3 5b 75 40 a1 d2 c7 1b c0
13 31 dd 1f f9 ec e9 8b d2 2f de dd de 1e 06 5e
2e 1c d3 bb 9b 07 51 00 3e 13 02 13 03 13 01 c0
2c c0 30 00 9f cc a9 cc a8 cc aa c0 2b c0 2f 00
9e c0 24 c0 28 00 6b c0 23 c0 27 00 67 c0 0a c0
14 00 39 c0 09 c0 13 00 33 00 9d 00 9c 00 3d 00
3c 00 35 00 2f 00 ff 01 00 00 ad 00 00 00 1e 00
1c 00 00 19 75 68 75 72 61 2e 77 68 69 74 65 66
6c 61 6d 65 2e 6b 75 62 65 2e 76 70 6e 00 0b 00
04 03 00 01 02 00 0a 00 0c 00 0a 00 1d 00 17 00
1e 00 19 00 18 00 23 00 00 00 16 00 00 00 17 00
00 00 0d 00 2a 00 28 04 03 05 03 06 03 08 07 08
08 08 09 08 0a 08 0b 08 04 08 05 08 06 04 01 05
01 06 01 03 03 03 01 03 02 04 02 05 02 06 02 00
2b 00 05 04 03 04 03 03 00 2d 00 02 01 01 00 33
00 26 00 24 00 1d 00 20 5a 49 cf 54 5d 46 34 28
1995989008:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
65 28 fd 6d ca a1 d6 95 77 f6 7e 97 54 db 96 73
f0 66 fe e3 2c fb be 6a
...<snip>...
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 317 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
...<snip>...
0000 - 35 30 30 20 35 2e 35 2e-32 20 45 72 72 6f 72 3a 500 5.5.2 Error:
0010 - 20 62 61 64 20 55 54 46-2d 38 20 73 79 6e 74 61 bad UTF-8 synta
0020 - 78 0d 0a 35 30 30 20 35-2e 35 2e 32 20 45 72 72 x..500 5.5.2 Err
0030 - 6f 72 3a 20 62 61 64 20-55 54 46 2d 38 20 73 79 or: bad UTF-8 sy
0040 - 6e 74 61 78 0d 0a 35 30-30 20 35 2e 35 2e 32 20 ntax..500 5.5.2
0050 - 45 72 72 6f 72 3a 20 62-61 64 20 73 79 6e 74 61 Error: bad synta
0060 - 78 0d 0a 35 30 30 20 35-2e 35 2e 32 20 45 72 72 x..500 5.5.2 Err
0070 - 6f 72 3a 20 62 61 64 20-73 79 6e 74 61 78 0d 0a or: bad syntax..
This was connecting to IMAP on port 587 via dovecot.
I adjusted some debug settings for postfix and ran a similar command on postfix on port 143
Code:
openssl s_client -servername mail.internal.domain -connect mail.internal.domain:143 -msg -debug
...and got the following in my postfix logs:
Code:
Jan 01 21:10:03 mail postfix/submission/smtpd[5348]: > mail.internal.domain[10.8.0.32]: 220 mail.internal.domain ESMTP Postfix (Raspbian)
Jan 01 21:10:03 mail postfix/submission/smtpd[5348]: < mail.internal.domain10.8.0.32]: ????8?
Jan 01 21:10:03 mail postfix/submission/smtpd[5348]: > mail.internal.domain[10.8.0.32]: 500 5.5.2 Error: bad UTF-8 syntax
Jan 01 21:10:03 mail postfix/submission/smtpd[5348]: < mail.internal.domain[10.8.0.32]: ????{??8???$??<E0><A6><F9><9C><85><97>???
Jan 01 21:10:03 mail postfix/submission/smtpd[5348]: > mail.internal.domain[10.8.0.32]: 500 5.5.2 Error: bad UTF-8 syntax
Jan 01 21:10:03 mail postfix/submission/smtpd[5348]: < mail.internal.domain[10.8.0.32]: ??
Jan 01 21:10:03 mail postfix/submission/smtpd[5348]: > mail.internal.domain[10.8.0.32]: 500 5.5.2 Error: bad UTF-8 syntax
Jan 01 21:10:03 mail postfix/submission/smtpd[5348]: < mail.internal.domain[10.8.0.32]:
Jan 01 21:10:03 mail postfix/submission/smtpd[5348]: > mail.internal.domain[10.8.0.32]: 500 5.5.2 Error: bad syntax
Jan 01 21:10:03 mail postfix/submission/smtpd[5348]: < mail.internal.domain[10.8.0.32]:
Jan 01 21:10:03 mail postfix/submission/smtpd[5348]: > mail.internal.domain[10.8.0.32]: 500 5.5.2 Error: bad syntax
Jan 01 21:10:03 mail postfix/submission/smtpd[5348]: smtp_get: EOF
Jan 01 21:10:03 mail postfix/submission/smtpd[5348]: match_hostname: smtpd_client_event_limit_exceptions: mail.internal.domain ~? 127.0.0.0/8
Jan 01 21:10:03 mail postfix/submission/smtpd[5348]: match_hostaddr: smtpd_client_event_limit_exceptions: 10.8.0.32 ~? 127.0.0.0/8
Jan 01 21:10:03 mail postfix/submission/smtpd[5348]: match_hostname: smtpd_client_event_limit_exceptions: mail.internal.domain ~? 10.8.0.0/24
Jan 01 21:10:03 mail postfix/submission/smtpd[5348]: match_hostaddr: smtpd_client_event_limit_exceptions: 10.8.0.32 ~? 10.8.0.0/24
Jan 01 21:10:03 mail postfix/submission/smtpd[5348]: lost connection after CONNECT from mail.internal.domain[10.8.0.32]
Jan 01 21:10:03 mail postfix/submission/smtpd[5348]: disconnect from mail.internal.domain[10.8.0.32] commands=0/0
Jan 01 21:10:03 mail postfix/submission/smtpd[5348]: master_notify: status 1
Jan 01 21:10:03 mail postfix/submission/smtpd[5348]: connection closed
(EDIT: I'm running these openssl commands on the same machine postfix/dovecot are running on; I'm using mail.internal.domain instead of localhost)
I have no clue where those characters are coming from that are triggering the syntax errors, nor do I understand the 'wrong version number' in the TLS handshake output. Is it possible there's something wrong with my locale/UTF-8 configuration that's contributing to this?
Can someone offer some suggestions or point me in the right direction?
Much appreciated!
Happy New Year!
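Added example, not part of the original post: a TLS client reads the first 5 bytes of the peer's reply as a record header (type, version, length), which matches the "read 5 bytes" line above, and this Python sketch shows what happens when those bytes are the plaintext "220 ..." greeting from the posted log. The function names, the IMAP greeting and the TLS header bytes are constructed for illustration.

```python
import struct

# TLS record content types: change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {20, 21, 22, 23}
MAX_RECORD_LEN = 16384 + 2048  # largest record length TLS 1.2 allows on the wire

# First line the server sent, taken from the postfix log in the post.
SMTP_BANNER = b"220 mail.internal.domain ESMTP Postfix (Raspbian)\r\n"
# Constructed samples: an IMAP greeting and a genuine TLS 1.2 handshake header.
IMAP_GREETING = b"* OK [CAPABILITY IMAP4rev1 STARTTLS] ready.\r\n"
TLS_RECORD = bytes.fromhex("160303007a")


def parse_record_header(first5: bytes) -> dict:
    """Interpret 5 bytes the way a TLS client does: type, version, length."""
    ctype, major, minor, length = struct.unpack("!BBBH", first5[:5])
    valid = (ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4
             and length <= MAX_RECORD_LEN)
    return {"type": ctype, "version": (major, minor),
            "length": length, "valid": valid}


def classify_reply(data: bytes) -> str:
    """Classify the peer's first bytes: TLS record or plaintext greeting."""
    if len(data) < 5:
        return "short read"
    if parse_record_header(data)["valid"]:
        return "tls"
    # SMTP replies start with a 3-digit code followed by space or hyphen.
    if data[:3].isdigit() and data[3:4] in (b" ", b"-"):
        return "plaintext-smtp"   # service expects STARTTLS (s_client -starttls smtp)
    if data.startswith((b"* OK", b"* PREAUTH")):
        return "plaintext-imap"   # service expects STARTTLS (s_client -starttls imap)
    return "unknown"


if __name__ == "__main__":
    for name, sample in [("smtp", SMTP_BANNER), ("imap", IMAP_GREETING),
                         ("tls", TLS_RECORD)]:
        print(name, classify_reply(sample), parse_record_header(sample))
```

Read as a record header, "220 m" gives content type 0x32 and version bytes 0x32 0x30, which no TLS version uses; the server in turn treats the binary ClientHello as an SMTP command line, which fits the repeated "500 5.5.2" replies in the dump.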

