Cryptography Error in PSRP

[raf-rodrigues]

I have a problem with emails sent by Postal an error appears unencrypted.

I wanted to know how to proceed.

No gmail information that is sent via email via prsp.domain.com

But I will configure letsencrypt in the file

/opt/postal/config/postal.yml

smtp_server: tls_enabled: true tls_certificate_path: /etc/letsencrypt/live/mail.domain.com/fullchai$ tls_private_key_path: /etc/letsencrypt/live/mail.domain.com/privkey.$ tls_ciphers: TLSv1_1 ssl_version: TLSv1_1
But this message appears

https://ibb.co/MGC99JS

How to do psrp encryption?

[willpower232]

Have you restarted Postal since setting the config?

[raf-rodrigues]

Yes, I also reset the server and reactivated the Postal. He still says that domain.com did not encrypt this message.

[inspiretk]

You gave postal permission to the lets encrypt?

chown -R postal:postal /etc/letsencrypt

[raf-rodrigues]

Hello, yes I gave permission for the certificate.

But the problem still remains

[raf-rodrigues]

Would the Letsencrypt certificate I need be a wildcard?

[willpower232]

That shouldn't be relevant. It sounds like you have everything you need.

How are you sending the message to your gmail?

[raf-rodrigues]

I’m sending it directly from the Postal panel,

[inspiretk]

/etc/letsencrypt/live/mail.domain.com/fullchai$ tls_private_key_path: /etc/letsencrypt/live/mail.domain.com/privkey.$ tls_ciphers: TLSv1_1 ssl_version: TLSv1_1

mail.domain.com - you need to change this to your domain name. Also, I dont have the other stuff you got "fullchai$ tls_private_key_path: " and "privkey.$ tls_ciphers: TLSv1_1 ssl_version: TLSv1_1"

I have

    tls_certificate_path: /etc/letsencrypt/live/mail.yourDomainName.com/fullchain.pem
    tls_private_key_path: /etc/letsencrypt/live/mail.yourDomainName.com/privkey.pem

I have this below for mine,

smtp_server:
    port: 25
    tls_enabled: true
    tls_certificate_path: /etc/letsencrypt/live/mail.yourDomainName.com/fullchain.pem
    tls_private_key_path: /etc/letsencrypt/live/mail.yourDomainName.com/privkey.pem
    proxy_protocol: false
    log_connect: true
    strip_received_headers: false

Make sure you restart postal when you update your config file: Command is:

postal stop
nano /opt/postal/config/postal.yml # change your config file and save it
postal initialize
postal start

[willpower232]

Are you using the certificate for the main UI as well? Does it work fully there?

Also do not run postal initialize if you aren't installing, it can erase your database.

[raf-rodrigues]

Yes is working normally in the interface (Nginx)

But when sending a message
The error that appears in GMAIL is that the domain did not encrypt the email.

Do you have any configuration you have to do for the domain?

[willpower232]

No there shouldn't be any other configuration required. You could try using ssllabs.com to verify the certificate is fully valid for the interface.

[dragoangel]

I want to add: changing of owner at /etc/letsencrypt isn't nice at all - this way to get issues later.
Issue your cert with deploy-hook, f.e:

sudo cat <<\EOF > /etc/letsencrypt/renewal-hooks/deploy/postal.sh
#!/bin/sh
set -e
for domain in $RENEWED_DOMAINS; do
    DAEMON_CERT_ROOT=/opt/postal/config
    mkdir -p "$DAEMON_CERT_ROOT"
    chown postal:postal "$DAEMON_CERT_ROOT"
    cp "$RENEWED_LINEAGE/fullchain.pem" "$DAEMON_CERT_ROOT/smtp.cert"
    cp "$RENEWED_LINEAGE/privkey.pem" "$DAEMON_CERT_ROOT/smtp.key"
    chown postal:postal "$DAEMON_CERT_ROOT/*.cert"
    chown postal:postal "$DAEMON_CERT_ROOT/*.key"
    chown postal:postal "$DAEMON_CERT_ROOT/*.pem"
    chmod 644 "$DAEMON_CERT_ROOT/*.cert"
    chmod 400 "$DAEMON_CERT_ROOT/*.key"
    chmod 400 "$DAEMON_CERT_ROOT/*.pem"
done
EOF
chmod +x /etc/letsencrypt/renewal-hooks/deploy/postal.sh

and then:
sudo certbot --nginx -d YOURDOMAIN -d YOURDOMAIN2 -d ETC --deploy-hook=/etc/letsencrypt/renewal-hooks/deploy/postal.sh

I have some Q to @willpower232:

1. is Postal will get new certificates only after restart or at runtime? Full restart is bad practice. Maybe there is posible FR to add SSL certs reload action? =)
2. can you please give a link where docs|description located for tls_ciphers, ssl_version, proxy_protocol as not fully obvious what format I need to use. f.e.: default configuration use weak ciphers SSL_RSA_WITH_RC4_128_SHA and I want to disable them
3. as I see TLS1.3 isn't supported now by default, can it be enabled by some system tuning or if no: is it planed in future?
   Thank you in advance.

Edited:
removed systemctl restart postal

[willpower232]

1 - we've never needed to restart Postal to apply an updated certificate but we have more API traffic than SMTP and regularly reboot the server for software updates. Its been a while since I specifically ran postal restart so I'm not sure how brutal that is.

2 - looking at lib/postal/smtp_server/server.rb these options are passed directly into ruby so you'd have to look up the documentation for ruby itself to see all possible values I believe

3 - there are already a few issues with newer openssl versions (#999 and others) so its likely that once these are resolved and you're using a recent version of openssl, you should be able to enable TLS 1.3 without too much bother

[dragoangel]

Hi @willpower232 thank you for detailed reply.
If somebody will try find correct way to set ssl_version and tls_ciphers check this:
https://ruby-doc.org/stdlib-2.5.1/libdoc/openssl/rdoc/OpenSSL/SSL/SSLContext.html#method-i-ciphers or https://www.rubydoc.info/gems/jruby-openssl/OpenSSL/SSL/SSLContext
I leaved ssl_version not set, to use default value from postal.default.yaml and set:
tls_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA and now all fine.

BTW:
ssl_version Sets the SSL/TLS protocol version for the context. This forces connections to use only the specified protocol version. This is deprecated and only provided for backwards compatibility. Use #min_version= and #max_version= instead.