
V15.5 SP6 - MailKit cannot connect to my postfix SMTP server

Status
Not open for further replies.

Elliot Cater

Since upgrading to SP6 I'm having trouble with connecting to my Postfix SMTP server in the email settings.

My Postfix server is hosted on the same subnet as 3CX and is set to only allow SSL/TLS. I use letsencrypt for SSL and the certificates are verified as valid.

This SMTP server is functioning correctly for approximately 100 users with varying email clients (Thunderbird, iOS, Apple Mail, Android etc...) but for some reason the MailKit based client 3cx uses gives me this error message when I hit the TEST button:

An error occurred while attempting to establish an SSL or TLS connection. The SSL certificate presented by the server is not trusted by the system for one or more of the following reasons: 1. The server is using a self-signed certificate which cannot be verified. 2. The local system is missing a Root or Intermediate certificate needed to verify the server's certificate. 3. The certificate presented by the server is expired or invalid. See https://github.com/jstedfast/MailKit/blob/master/FAQ.md#InvalidSslCertificate for possible solutions.

As I mentioned before, the SMTP server's certificates are definitely valid (1&3 from the error message), Postfix is configured correctly and there is no firewall/content filter etc causing trouble between the 3cx or the Postfix server (both running Debian).

I've tried updating the CA/Root certificates on 3cx's Debian using update-ca-certificates (2).

My reseller is completely stumped and now so am I. I even installed a fresh Postfix instance onto the 3cx server itself and that did the same thing.

Are there some log files I can look at that might shed some light?

Thanks
 
Just out of interest I disabled the requirement for SSL/TLS on my Postfix SMTP server and 3cx can now connect to it with the Use SSL box unchecked. Sub optimal but at least it's working.

So why does MailKit hate my letsencrypt certificates?

DNS is set up correctly, the hostname of the machine is correct, Certbot updates successfully and the certificates are valid. What else could be going on? Even with the 3cx log verbosity set to 6 I'm getting nothing when I click the "TEST" button.

MailKit comes with an advanced debugging facility but I'm guessing I can't turn that on...
 
I think it is not just the CRT but on the postfix the Root CA (in this case the X3 of Let's Encrypt) which should be presented. Or if you inspect the server helo and SSL handshake, maybe the cert is imported but not presented with a matching name?
 
Postfix does have the bundle through the smtpd_tls_CAfile property and checkTLS site shows 100% confidence with all 3 certificates in the chain valid.

I've also tried this with another SMTP server install (also postfix), same result.

Very odd - I wonder if anyone else is getting this problem?
 
Maybe MailKit has hardcoded ciphers which are not supported by your Postfix configuration and is thus dropping the connection on negotiation. Why don't you check a Wireshark capture? It should shed light.

I would:

a) lower the requirements of ciphersuites and TLS version on postfix to accept insecure ones to see if that works

b) can you confirm that 3CX is actually rejecting your server's cert and not any firewall in between?

c) might sound stupid but can you confirm you are not using an IP instead of a hostname in the settings of 3CX?
 
My Postfix server is only set to exclude RC4 and aNULL although the accepted protocols are "!SSLv2,!SSLv3"

A quick capture with tcpdump on port 587 sees MailKit's TLSv1.2 handshake with Postfix seemingly successful. Postfix confirms it can use the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) cipher, which is the first of the ciphers provided by the MailKit client.

The server and client do a Key Exchange with Change Cipher Spec message and then after that the client sends an ACK and straight away a FIN ACK. So the MailKit client is terminating the session with no reason given to the server.

Postfix then obviously complains "lost connection after STARTTLS" and "disconnect from phone.foo.bar[10.0.0.X] ehlo=1 starttls=1 commands=2".

There are no firewalls in between 3cx and Postfix, or none that would cause any issue. 3cx is definitely using the FQDN and PTR and DNS are correct.

If only the logging verbosity switch (0-6) would also switch on the IProtocolLogger as per the MailKit docs: http://www.mimekit.net/docs/html/T_MailKit_IProtocolLogger.htm. I might then be able to actually shed some light on this.

I'm about ready to ask for this to be reported as a bug as I've tried it on 3 different postfix set ups now and it's not working.
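
The pattern reported in the post above (handshake completes, the client closes, Postfix logs "lost connection after STARTTLS" and a disconnect line with ehlo=1 starttls=1) can be pulled out of a mail log to see which clients are affected. This is an added example, not part of the thread and not code from 3CX, MailKit or Postfix; the log lines are constructed and assume Postfix's per-session command counts on the disconnect line.

```python
import re
from collections import defaultdict

# Constructed sample of Postfix smtpd log lines; hosts and addresses are made up.
SAMPLE_LOG = """\
Mar  5 10:15:01 mail postfix/smtpd[2101]: connect from pbx.example.test[192.0.2.10]
Mar  5 10:15:01 mail postfix/smtpd[2101]: lost connection after STARTTLS from pbx.example.test[192.0.2.10]
Mar  5 10:15:01 mail postfix/smtpd[2101]: disconnect from pbx.example.test[192.0.2.10] ehlo=1 starttls=1 commands=2
Mar  5 10:16:40 mail postfix/smtpd[2102]: connect from laptop.example.test[192.0.2.20]
Mar  5 10:16:41 mail postfix/smtpd[2102]: disconnect from laptop.example.test[192.0.2.20] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Mar  5 10:17:02 mail postfix/smtpd[2103]: connect from scanner.example.test[192.0.2.30]
Mar  5 10:17:02 mail postfix/smtpd[2103]: lost connection after CONNECT from scanner.example.test[192.0.2.30]
Mar  5 10:17:02 mail postfix/smtpd[2103]: disconnect from scanner.example.test[192.0.2.30] commands=0/0
"""

LOST = re.compile(r"postfix/\S*smtpd\[(\d+)\]: lost connection after (\S+) from ")
DISC = re.compile(r"postfix/\S*smtpd\[(\d+)\]: disconnect from (\S+?)\[([^\]]+)\](.*)")
STAT = re.compile(r"(\w+)=(\d+)")  # name=ok or name=ok/total; keep the ok count


def post_handshake_aborts(log_text):
    """Count, per client, sessions that ended right after a completed STARTTLS."""
    lost_stage = {}  # smtpd pid -> SMTP stage at which the client disappeared
    aborts = defaultdict(int)
    for line in log_text.splitlines():
        m = LOST.search(line)
        if m:
            lost_stage[m.group(1)] = m.group(2)
            continue
        m = DISC.search(line)
        if not m:
            continue
        pid, host, addr, tail = m.groups()
        stats = {name: int(ok) for name, ok in STAT.findall(tail)}
        stage = lost_stage.pop(pid, None)
        # STARTTLS succeeded, but nothing followed on the encrypted channel:
        # no second EHLO, no AUTH, no MAIL. The client hung up after the handshake.
        silent = stats.get("ehlo", 0) <= 1 and not {"auth", "mail", "rcpt"} & stats.keys()
        if stage == "STARTTLS" and stats.get("starttls") == 1 and silent:
            aborts[f"{host}[{addr}]"] += 1
    return dict(aborts)


if __name__ == "__main__":
    for client, count in post_handshake_aborts(SAMPLE_LOG).items():
        print(f"{client}: {count} session(s) dropped by the client after the TLS handshake")
```

The server log shows only that the client left after the handshake, not why; the reason for a certificate rejection is recorded, if at all, on the client side.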
 
Same problem here. No way to use our postfix server since we are using Letsencrypt certificates. It was working well with previous certificate (from Gandi.fr), but the one provided by letsencrypt is rejected by MailKit.

I've checked with checkTLS site and all is perfect.

Sadly, using a no-SSL connection is not a solution for us. Did you find a way to make it work?
 
Yes the 3cx solution is to not use LE SSL certs or just use their SMTP :D

I logged the bug with my reseller when I found it and 3cx in their immutable style are filing the bug report in /dev/null because they've had my money and don't care.

My support has actually run out as of today and to be honest I'm having a hard time wondering, if I renewed, what my hard earned money would go on. Because it sure as hell isn't fixing bugs and implementing highly requested features like an ordering system for BLF's.

3cx if you're listening and care - sort this out and you might squeeze another few hundred quid out of me this year.:mad:
 
Hah. Pretty sure this request would be behind the O365/SP6 issue which isn't even acknowledged as a bug. Your issue represents a very small minority of the 3CX user base so I imagine it will never get resolved unless it's an issue with MailKit and 3CX upgrades MailKit at some point.

Good luck!
 
That has just cemented what I was thinking. It's definitely time to move on and find software with proper support.
 