Hello, I arrived at this community (I didn't know about it) from GitHub, where I reported a bug but was notified that it is not a bug but something wrong within the configuration. Maybe someone here can help me?
Bug description
I can't send emails from Nextcloud from the Mail app. The test email doesn't work either.
On the Nextcloud server (cloud.mydomain):
The error when I click “Send email” in the email server settings: A problem occurred while sending the email. Please revise your settings. (Error: Connection could not be established with host mail.mydomain.com :stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed)
Everything else in Nextcloud works besides email service.
The error has been present since the fresh install of Nextcloud 22.1.1, but I didn't have the time to find a solution.
On the email server (mail.mydomain):
I get the following log entry in Postfix:
warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:…/ssl/record/rec_layer_s3.c:1544:SSL alert number 48:
Steps to reproduce
Send mode SMTP; Encryption SSL/TLS; Authentication method “Login”; Authentication required. Set the other email address and credential information.
Mail.mydomain.com is a different server running the mailcow mail server. There is a third server with a CRM service that can send and receive emails through mail.mydomain.com in SMTP mode.
Nextcloud is the only service on the cloud.mydomain server, with FQDN “server2.mydomain” and IP 123.123.123.1
The Nextcloud server is running behind Apache and is signed with Let's Encrypt certificates
The Nextcloud server is running behind the Cloudflare service with proxied DNS
Environment: manual install on Ubuntu Server 20.04 LTS
UPDATE: Add the email port as well; I suppose it is different from 443.
It's getting more interesting. Do you have SSH access to your Nextcloud server? Try to check with curl from the Nextcloud machine what is happening there. E.g.:
curl -v https://mail.mydomain.com:465
Do you see ciphers and a valid certificate? If the connection is dropped because of a certificate error, add the -k flag to ignore the certificate and see the output.
Example for Google:
You can try to “force” curl to use certain protocols, or even ciphers, e.g.:
curl -v --tlsv1.3 --tls-max 1.3 https://..
# or 1.0, if your curl build supports it
curl -v --tlsv1.0 --tls-max 1.0 https://..
As an alternative you can use this script from the Nextcloud server to see the ciphers. But this will not even test TLS 1.0 / SSL 3.0, because they are out of support and usually you have to compile your own OpenSSL with that support.
You don't want to test the https:// interface of your web server but the MTA, which is bound to the SMTP SSL/TLS port and is best tested using openssl s_client -connect mailserver.domain:465 or, if you want to test a specific TLS version:
* Trying 222.222.222.2:465...
* TCP_NODELAY set
* Connected to mail.tarsoman.com (222.222.222.2) port 465 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=DE; ST=NRW; L=Willich; O=mailcow; OU=mailcow; CN=mail.mydomain.com
* start date: Sep 19 09:01:37 2021 GMT
* expire date: Sep 19 09:01:37 2022 GMT
* issuer: C=DE; ST=NRW; L=Willich; O=mailcow; OU=mailcow; CN=mail.mydomain.com
* SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET / HTTP/1.1
> Host: mail.mydomain.com:465
> User-Agent: curl/7.68.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Received HTTP/0.9 when not allowed
* Closing connection 0
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (1) Received HTTP/0.9 when not allowed
Meanwhile in the mailserver, the log showed:
Anonymous TLS connection established from unknown[123.123.123.1]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
warning: non-SMTP command from unknown[123.123.123.1]: GET / HTTP/1.1
My opinion is that the mail server log is normal, but the interesting thing is that if I use curl -v https://mail.mydomain.com:465 (without -k) then the log from the mail server outputs:
Most likely the Nextcloud mail client stops here. There is no good way to make server software trust self-signed certificates (nor if you have more than just a few clients). I would recommend you to issue a valid public TLS certificate for your mail server.
On this server, as well as on other servers, I am using Let's Encrypt certbot certificates; isn't that good enough?
Another server, different from Nextcloud, let's call it crm.mydomain.com, uses the same mail.mydomain.com mail server to send emails through SMTP. Its certificate is also signed with a Let's Encrypt certbot certificate and it can send emails without issues.
I am sorry, maybe it's too many hours in front of this issue without success, but my head just exploded and I'm going to ask something that doesn't make sense. How can it be self-signed if it is issued by Let's Encrypt?
Here is the SSL Labs report of the mail server:
Valid from: Fri, 28 Jan 2022 22:47:53 UTC
Valid until: Thu, 28 Apr 2022 22:47:52 UTC (expires in 2 months)
If I manually check the padlock in the browser address bar, everything seems fine and it also says that it's an R3 certificate issued by Let's Encrypt.
In the SSL Labs report I found something that I didn't understand: in “Certification Paths” the last line says this:
In trust store
DST Root CA X3 Self-signed
Fingerprint SHA256: 0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739
Pin SHA256: Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys=
RSA 2048 bits (e 65537) / SHA1withRSA
Valid until: Thu, 30 Sep 2021 14:01:15 UTC (EXPIRED)
Weak or insecure signature, but no impact on root certificate
I have no idea what this is or how to find it within the server. I know this is not related to Nextcloud, but do you have any hint about it?
The cert we are talking about is not issued by Let's Encrypt:
The tests you do with the browser and SSL Labs check the web interface of your mail server but not the SMTP receive interface (which you check with the curl/openssl command above with port :465). Please check the docs from mailcow on how to configure the SMTP server certificate, or send mails from Nextcloud without TLS (if both are in the same network it's secure enough)…
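As an added illustration of the diagnosis in this thread (this is not code from the thread, from Nextcloud or from mailcow), the script below reproduces the two sides of the failure with nothing but openssl: a self-signed certificate (issuer identical to subject, like the "O=mailcow ... CN=mail.mydomain.com" one in the curl output) served on a local port standing in for Postfix on 465, then a client connection that does not trust it (verify code 18, the "certificate verify failed" / "unknown ca" pair seen on both ends) and one that does (verify code 0). The hostname mail.example.test, the port 8465 and the generated key pair are made up for the demo; check_smtps is the same check against a real SMTPS endpoint and is not run here. It assumes openssl is installed and 127.0.0.1:8465 is free.

```shell
#!/bin/sh
# Added example, not code from the thread or from Nextcloud/mailcow.
# Assumes openssl is installed and 127.0.0.1:8465 is free; the certificate,
# key and hostname below are generated/made up for the demo.

WORK=$(mktemp -d)
PORT=8465

# A self-signed certificate: issuer == subject is exactly what "self signed" means.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=mail.example.test" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Serve it with openssl s_server (stand-in for Postfix on 465) and wait
# until the port accepts connections.
start_server() {
    openssl s_server -accept "$PORT" -cert "$WORK/cert.pem" -key "$WORK/key.pem" \
        -quiet >/dev/null 2>&1 &
    SERVER_PID=$!
    i=0
    while [ "$i" -lt 10 ]; do
        if echo | openssl s_client -connect "127.0.0.1:$PORT" >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    return 1
}

stop_server() {
    kill "$SERVER_PID" 2>/dev/null
    wait "$SERVER_PID" 2>/dev/null
    rm -rf "$WORK"
}

# Pull the numeric "Verify return code" out of s_client output read from stdin
# (0 = ok, 18 = self signed certificate, 19/20 = untrusted/unknown CA).
extract_verify_code() {
    sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# Connect the way PHP's stream_socket_client does by default: verify the peer
# against a trust store. $1 = extra s_client options, e.g. "-CAfile cert.pem"
# (left unquoted on purpose so it splits into separate options).
verify_code() {
    echo | openssl s_client -connect "127.0.0.1:$PORT" $1 2>/dev/null | extract_verify_code
}

# The same check against a real SMTPS endpoint (not run here). $1 = host name.
# Look at the issuer line and expect "Verify return code: 0 (ok)"; anything
# else is what the Nextcloud sender rejects.
check_smtps() {
    echo QUIT | openssl s_client -connect "$1:465" -servername "$1" 2>/dev/null \
        | grep -E '^ *(issuer=|Verify return code)'
}

run_demo() {
    make_self_signed
    start_server || { stop_server; return 1; }
    CODE_UNTRUSTED=$(verify_code "")                      # system store only: 18
    CODE_TRUSTED=$(verify_code "-CAfile $WORK/cert.pem")  # cert explicitly trusted: 0
    stop_server
    echo "untrusted: $CODE_UNTRUSTED   trusted: $CODE_TRUSTED"
}

run_demo
```

Run it as `sh check_smtps_cert.sh`; the untrusted/trusted pair shows why the CRM box may still send mail (it was presumably told to trust or ignore that certificate) while Nextcloud, which verifies against the system CA store, stops at the handshake. Against the real server, `check_smtps mail.mydomain.com` printing an issuer equal to the subject confirms that port 465 is not serving the Let's Encrypt certificate the web interface shows.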