Score:0

alert certificate expired:../ssl/record/rec_layer_s3.c:1543:SSL alert number 45 when sending mails from the same server that hosts postfix

vg flag

So, I have set up an smtp server using smtp on a Debian 11 machine. It works perfectly when sending emails from my phone and my computer, but it does not work when trying to send emails from the same host machine. The error I get when tailing /var/log/mail.log is

Aug 11 13:15:45 mail postfix/smtps/smtpd[2740]: SSL_accept error from mail.example.net[2a02:c207:2041:2547::1]: -1
Aug 11 13:15:45 mail postfix/smtps/smtpd[2740]: warning: TLS library problem: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:../ssl/record/rec_layer_s3.c:1543:SSL alert number 45:
Aug 11 13:15:45 mail postfix/smtps/smtpd[2740]: lost connection after CONNECT from mail.example.net[2a02:c207:2041:2547::1]
Aug 11 13:15:45 mail postfix/smtps/smtpd[2740]: disconnect from mail.example.net[2a02:c207:2041:2547::1] commands=0/0

This is the part of main.cf that relates to ssl configuration.

# TLS parameters
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.example.com/privkey.pem
smtpd_tls_security_level=may
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache


smtp_tls_security_level=may
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache


smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

I tried using Thunderbird to send the message from another device and it did work. This rules out the possibility of the certificate being expired as the error message suggests. Any help would be appreciated.

Score:1
vg flag

So I figured out the issue. The certificate was indeed not expired, however, postfix was using an old certificate. Instead of using the certificate stored in /etc/postfix/main.cf it was using the one stored in /etc/postfix/sni_maps.db. To fix it, I replaced the contents of the file /etc/postfix/sni_maps with the following contents:

mail.example.com   /etc/letsencrypt/live/new.key/privkey.pem    /etc/letsencrypt/live/new.key/fullchain.pem

And then ran the command postmap -F hash:/etc/postfix/sni_maps.

That allowed postfix to use the new certificate and fixed my issue.
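An added check that is not part of the answer above: a small audit script for the situation the answer describes, where a `tls_server_sni_maps` entry still points at an old certificate, so the chain Postfix serves for that name is not the one named by `smtpd_tls_cert_file` in main.cf. It parses main.cf and the SNI map source, fingerprints the first certificate in each referenced PEM file (the same SHA-256 value `openssl x509 -noout -fingerprint -sha256` prints), and reports names whose SNI certificate differs from the main.cf one. File contents are injected through a reader callable so it runs offline; the paths and PEM bodies below are constructed placeholders, not real certificates or this server's files.

```python
"""Audit Postfix TLS config for an SNI map entry that serves an old cert.
Added example; not the poster's code. Sample file contents are constructed."""
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def parse_main_cf(text):
    """Parse main.cf: 'name = value', '#' comments, and continuation lines
    (a line starting with whitespace extends the previous parameter)."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and last is not None:
            params[last] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params


def parse_sni_maps(text):
    """Parse the tls_server_sni_maps source: 'name file [file ...]'.
    Postfix expects the private key first, then the certificate chain."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split()
        entries[fields[0]] = fields[1:]
    return entries


def leaf_fingerprint(pem_text):
    """SHA-256 over the DER of the first CERTIFICATE block, or None if the
    file holds no certificate (e.g. a key-only file)."""
    m = PEM_RE.search(pem_text)
    if m is None:
        return None
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def audit(main_cf_text, sni_text, read_file):
    """Return findings. read_file(path) returns text or raises
    FileNotFoundError. smtpd_tls_cert_file is the reference certificate."""
    findings = []
    params = parse_main_cf(main_cf_text)
    ref_path = params.get("smtpd_tls_cert_file")
    try:
        ref_fp = leaf_fingerprint(read_file(ref_path)) if ref_path else None
    except FileNotFoundError:
        findings.append(f"smtpd_tls_cert_file missing: {ref_path}")
        ref_fp = None
    for name, files in parse_sni_maps(sni_text).items():
        for path in files:
            try:
                fp = leaf_fingerprint(read_file(path))
            except FileNotFoundError:
                findings.append(f"{name}: file in SNI map missing: {path}")
                continue
            if fp is not None and ref_fp is not None and fp != ref_fp:
                findings.append(f"{name}: SNI map serves a different certificate "
                                f"({path}) than smtpd_tls_cert_file ({ref_path})")
    return findings


# --- constructed sample (hypothetical paths, placeholder PEM bodies) ---
def fake_pem(label):
    """Placeholder certificate block; only the bytes inside matter here."""
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
SAMPLE_FILES = {
    "/etc/letsencrypt/live/mail.example.com/fullchain.pem": fake_pem("new-cert"),
    "/etc/letsencrypt/live/mail.example.com/privkey.pem": FAKE_KEY,
    "/etc/letsencrypt/live/old/fullchain.pem": fake_pem("old-cert"),
    "/etc/letsencrypt/live/old/privkey.pem": FAKE_KEY,
}
SAMPLE_MAIN_CF = """# TLS parameters
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.example.com/privkey.pem
"""
STALE_SNI = "mail.example.com /etc/letsencrypt/live/old/privkey.pem /etc/letsencrypt/live/old/fullchain.pem\n"
FIXED_SNI = ("mail.example.com /etc/letsencrypt/live/mail.example.com/privkey.pem "
             "/etc/letsencrypt/live/mail.example.com/fullchain.pem\n")


def sample_read(path):
    try:
        return SAMPLE_FILES[path]
    except KeyError:
        raise FileNotFoundError(path)


def run_sample():
    """Audit the stale map and the corrected map against the same main.cf."""
    return (audit(SAMPLE_MAIN_CF, STALE_SNI, sample_read),
            audit(SAMPLE_MAIN_CF, FIXED_SNI, sample_read))


if __name__ == "__main__":
    stale, fixed = run_sample()
    for f in stale:
        print("stale map:", f)
    print("fixed map findings:", fixed)
```

Against real files, pass `lambda p: open(p).read()` as the reader; a mismatch finding for a name means the SNI map, not main.cf, decides which certificate clients see for that name, and after editing the map source the compiled `.db` still has to be rebuilt with `postmap -F` as the answer does.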

jp flag
Omitting the `tls_server_sni_maps` in your question made this impossible to answer.
Score:1
cn flag

warning: TLS library problem: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:

Have you checked the certificates mentioned here?

/etc/letsencrypt/live/mail.example.com/fullchain.pem

Since you are using LetsEncrypt, perhaps all you need to do is certbot renew

Gottfried Rosenberger
vg flag
I did try renewing it, I generated it today so it didn't do anything. I did notice that postfix is returning the old certificate which is expired. When I use `openssl s_client -starttls smtp -connect mail.example.com:587` it returns the old certificate even though the config has the updated certificate and the old one is deleted.
