
Email OpenSSL issue while sending mail

Discussion in 'Domains, DNS, Email & SSL Certificates' started by mcmlexe, Jan 28, 2020.

  1. mcmlexe

    • CentOS Version: CentOS 7 64bit
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: 1.17.8
    • PHP Version Installed: 7.3.
    • When was last time updated Centmin Mod code base ? : today
    • Persistent Config:
      Code (Text):
      CLANG='n'
      DEVTOOLSETSEVEN='y'
      NGINX_DEVTOOLSETGCC='y'
      NGINX_HPACK='y'
      CLOUDFLARE_ZLIB='y'
      MARCH_TARGETNATIVE='n'
      LIBRESSL_SWITCH='n'
      LETSENCRYPT_DETECT='y'
      PHPFINFO='y'
      

    Hello,
    I have a problem sending the test email. I have another server running the same setup, which works fine.
    Can anybody help me fix the problem?

    Some outputs for debug:

    Code (Text):
    echo QUIT | openssl s_client -crlf -starttls smtp -connect smtp.gmail.com:587 
    socket: Bad file descriptor
    connect:errno=9
    



    Code (Text):
    rpm -ql ca-certificates
    /etc/pki/ca-trust
    /etc/pki/ca-trust/README
    /etc/pki/ca-trust/ca-legacy.conf
    /etc/pki/ca-trust/extracted
    /etc/pki/ca-trust/extracted/README
    /etc/pki/ca-trust/extracted/java
    /etc/pki/ca-trust/extracted/java/README
    /etc/pki/ca-trust/extracted/java/cacerts
    /etc/pki/ca-trust/extracted/openssl
    /etc/pki/ca-trust/extracted/openssl/README
    /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
    /etc/pki/ca-trust/extracted/pem
    /etc/pki/ca-trust/extracted/pem/README
    /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
    /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
    /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
    /etc/pki/ca-trust/source
    /etc/pki/ca-trust/source/README
    /etc/pki/ca-trust/source/anchors
    /etc/pki/ca-trust/source/blacklist
    /etc/pki/ca-trust/source/ca-bundle.legacy.crt
    /etc/pki/java
    /etc/pki/java/cacerts
    /etc/pki/tls
    /etc/pki/tls/cert.pem
    /etc/pki/tls/certs
    /etc/pki/tls/certs/ca-bundle.crt
    /etc/pki/tls/certs/ca-bundle.trust.crt
    /etc/ssl
    /etc/ssl/certs
    /usr/bin/ca-legacy
    /usr/bin/update-ca-trust
    /usr/share/doc/ca-certificates-2019.2.32/README
    /usr/share/man/man8/ca-legacy.8.gz
    /usr/share/man/man8/update-ca-trust.8.gz
    /usr/share/pki
    /usr/share/pki/ca-trust-legacy
    /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
    /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.disable.crt
    /usr/share/pki/ca-trust-source
    /usr/share/pki/ca-trust-source/README
    /usr/share/pki/ca-trust-source/anchors
    /usr/share/pki/ca-trust-source/blacklist
    /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit
    

    Code (Text):
    egrep '^TCP_|^TCP6_|^UDP_|^UDP6_' /etc/csf/csf.conf
    TCP_IN = "20,21,22,25,53,80,110,143,161,443,465,587,993,995,1110,1186,1194,81,9418,30001:50011"
    TCP_OUT = "8080,2525,465,1110,1194,9418,20,21,22,25,53,80,110,113,443,587,993,995"
    UDP_IN = "67,68,1110,33434:33534,20,21,53"
    UDP_OUT = "67,68,1110,33434:33534,20,21,53,113,123"
    TCP6_IN = "20,21,22,25,53,80,110,143,161,443,465,587,993,995,1110,1186,1194,81,9418,30001:50011"
    TCP6_OUT = "8080,2525,465,20,21,22,25,53,80,110,113,443,587,993,995"
    UDP6_IN = "20,21,53"
    UDP6_OUT = "20,21,53,113,123"
    

     
  2. eva2000

    what about output for
    Code (Text):
    echo QUIT | openssl s_client -crlf -starttls smtp -CAfile /etc/ssl/certs/cacert.pem -connect smtp.gmail.com:587
    

    and verify if it isn't a gmail only issue
    Code (Text):
    echo QUIT | openssl s_client -crlf -starttls smtp -CAfile /etc/ssl/certs/cacert.pem -connect smtp.yandex.com:587
    

    tried testing with telnet ?
    Code (Text):
    yum -y install telnet
    # enter quit to exit from telnet
    # test ipv4
    telnet -4 smtp.gmail.com 587
    # test ipv6
    telnet -6 smtp.gmail.com 587
    

    what output do you get for telnet command

    ensure CSF Firewall is running which whitelists output port 587 for TCP ipv4 and TCP6 ipv6
    Code (Text):
    csf -u
    systemctl status lfd csf

    ensure postfix is running
    Code (Text):
    systemctl status postfix

    any yum updates ?
    Code (Text):
    yum list updates

    if there are some related to ca-certificates, nss or kernel, then update and reboot server

    and the obvious thing is which web host are you using ? ask their support if TCP outbound mail on port 587 and 465 is blocked at web host level, and if so request it to be unblocked at the host level if required. Some web hosts block by default until you provide id verification and request unblocking to prevent spam.
     
  3. mcmlexe

    Thanks for the reply. I'm using Linode. As you said, it was blocked at the web host level to help combat spam.

    Code (Text):
    echo QUIT | openssl s_client -crlf -starttls smtp -CAfile /etc/ssl/certs/cacert.pem -connect smtp.gmail.com:587
    socket: Bad file descriptor
    connect:errno=9


    Code (Text):
    echo QUIT | openssl s_client -crlf -starttls smtp -CAfile /etc/ssl/certs/cacert.pem -connect smtp.yandex.com:587
    socket: Bad file descriptor
    connect:errno=9


    Code (Text):
    telnet -4 smtp.gmail.com 587
    Trying 74.125.71.108...
    telnet: connect to address 74.125.71.108: Connection timed out
    
    telnet -6 smtp.gmail.com 587
    Trying 2a00:1450:400c:c02::6c...
    telnet: connect to address 2a00:1450:400c:c02::6c: Connection timed out


    Code (Text):
    csf -u
    csf is already at the latest version: v14.01
    
    systemctl status lfd csf
    ● lfd.service - ConfigServer Firewall & Security - lfd
       Loaded: loaded (/usr/lib/systemd/system/lfd.service; enabled; vendor preset: disabled)
       Active: active (running) since Tue 2020-01-28 00:00:03 UTC; 2h 9min ago
      Process: 36335 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
     Main PID: 36348 (lfd - sleeping)
       CGroup: /system.slice/lfd.service
               └─36348 lfd - sleeping
    


    Code (Text):
    systemctl status postfix
    ● postfix.service - Postfix Mail Transport Agent
       Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled)
       Active: active (running) since Mon 2020-01-27 15:41:32 UTC; 10h ago
     Main PID: 1470 (master)
       CGroup: /system.slice/postfix.service
               ├─ 1470 /usr/libexec/postfix/master -w
               ├─ 1474 qmgr -l -t unix -u
               ├─ 1706 tlsmgr -l -t unix -u
               ├─42253 pickup -l -t unix -u
               ├─44554 trivial-rewrite -n rewrite -t unix -u
               ├─44555 smtp -t unix -u
               ├─44556 smtp -t unix -u
               ├─44557 smtp -t unix -u
               ├─44558 smtp -t unix -u
               └─44559 smtp -t unix -u
    
    

    Code (Text):
    yum list updates
    Loaded plugins: priorities, versionlock
    363 packages excluded due to repository priority protections
    
     
  4. eva2000

    Ah Linode, so you got it unblocked ?

    https://www.linode.com/docs/email/running-a-mail-server/#sending-email-on-linode

     
  5. eva2000

    CAN-SPAM compliance can be problematic especially for 4th requirement requiring your postal address be shared with folks you send email to ! Didn't know Linode changed their outbound email policy !

    There's a fine of US$43,280 per violation !
     
  6. mcmlexe

    They unblocked the email port as soon as I opened the support ticket. Problem solved :) Thanks again
     
  7. eva2000

    Good to know :)
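
The diagnosis this thread arrives at, as an added example (not code from the thread or from Centmin Mod): CSF's TCP_OUT already lists 587, yet the probe never gets a TCP connection, so the filtering sits past the host. The function names are hypothetical; the sample csf.conf lines and telnet output are copied from the posts above.

```shell
# Added example, not from the thread; function names are hypothetical.
# csf_port_allowed FILE KEY PORT: succeed if PORT is in KEY's list ("a,b,lo:hi")
csf_port_allowed() {
    local file=$1 key=$2 port=$3 list item
    list=$(sed -n "s/^${key}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$file" | head -n 1)
    [ -n "$list" ] || return 1
    local IFS=,
    for item in $list; do
        case $item in
            *:*) [ "$port" -ge "${item%%:*}" ] && [ "$port" -le "${item##*:}" ] && return 0 ;;
            *)   [ "$item" = "$port" ] && return 0 ;;
        esac
    done
    return 1
}

# classify_probe TEXT: reduce telnet / openssl s_client output to one word
classify_probe() {
    case $1 in
        *"Connected to"*|*CONNECTED*) echo connected ;;
        *"Connection timed out"*)     echo timeout ;;
        *"Connection refused"*)       echo refused ;;
        *"connect:errno="*)           echo no-socket ;;
        *)                            echo unknown ;;
    esac
}

# diagnose FILE PORT TEXT: combine the firewall config with the probe result
diagnose() {
    local result="$(classify_probe "$3")"
    if ! csf_port_allowed "$1" TCP_OUT "$2"; then
        echo "local: port $2 is missing from TCP_OUT"
    elif [ "$result" = connected ]; then
        echo "ok: TCP path to port $2 is open"
    elif [ "$result" = timeout ] || [ "$result" = no-socket ]; then
        echo "upstream: CSF allows $2 but no TCP connection was made"
    else
        echo "other: $result"
    fi
}

# Sample input copied from the thread (csf.conf lines, telnet output).
conf=$(mktemp); trap 'rm -f "$conf"' EXIT
cat > "$conf" <<'EOF'
TCP_IN = "20,21,22,25,53,80,110,143,161,443,465,587,993,995,1110,1186,1194,81,9418,30001:50011"
TCP_OUT = "8080,2525,465,1110,1194,9418,20,21,22,25,53,80,110,113,443,587,993,995"
EOF
probe='telnet: connect to address 74.125.71.108: Connection timed out'
diagnose "$conf" 587 "$probe"
```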