Issue with TLS from one of the Server #1685

Closed
ajay-psd opened this issue Oct 24, 2016 · 9 comments
Comments

@ajay-psd

system info

Haraka Haraka.js — Version: 2.6.1
Node v0.10.4
OS Linux host1.com 2.6.32-358.14.1.el6.x86_64 #1 SMP Tue Jul 16 23:51:20 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
openssl OpenSSL 1.0.1e-fips 11 Feb 2013

Expected behavior

No error in TLS plugin

Observed behavior

Plugin tls failed:

I am using the PHPMailer application to send mail from multiple different servers. From one of the servers mails are not going; getting the below error at Haraka.
connection error: Error: 139842931415008:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1259:SSL alert number 48

From the other servers there is no issue; mails are delivering. Not able to track where the issue is.

Kindly suggest!

clientlog

SMTP -> FROM SERVER: 250-host1.com Hello ec2-54-254-211-170.ap-southeast-1.host1.amazonaws.com [54.254.211.170], Haraka is at your service.
250-PIPELINING
250-8BITMIME
250-SIZE 26214400
250 STARTTLS

SMTP -> FROM SERVER:220 Go ahead.

SMTP -> FROM SERVER:

SMTP -> ERROR: RSET failed:

Language string failed to load: tls
Message was not sent

Mailer Error: Language string failed to load: tls

SMTP server error:

below is haraka log
[DEBUG] [CE8EA427-B5BA-499E-9FBB-1E77C50F161E] [core] hook=ehlo plugin=access function=any params="localhost.localdomain" retval=CONT msg=""
[DEBUG] [CE8EA427-B5BA-499E-9FBB-1E77C50F161E] [core] running capabilities hooks
[DEBUG] [CE8EA427-B5BA-499E-9FBB-1E77C50F161E] [core] running capabilities hook in auth/flat_file plugin
[DEBUG] [CE8EA427-B5BA-499E-9FBB-1E77C50F161E] [auth/flat_file] Auth disabled for insecure public connection
[DEBUG] [CE8EA427-B5BA-499E-9FBB-1E77C50F161E] [core] hook=capabilities plugin=auth/flat_file function=hook_capabilities params="" retval=CONT msg=""
[DEBUG] [CE8EA427-B5BA-499E-9FBB-1E77C50F161E] [core] running capabilities hook in tls plugin
[DEBUG] [CE8EA427-B5BA-499E-9FBB-1E77C50F161E] [core] hook=capabilities plugin=tls function=tls_capabilities params="" retval=CONT msg=""
[DEBUG] [CE8EA427-B5BA-499E-9FBB-1E77C50F161E] [core] running unrecognized_command hooks
[DEBUG] [CE8EA427-B5BA-499E-9FBB-1E77C50F161E] [core] running unrecognized_command hook in auth/flat_file plugin
[DEBUG] [CE8EA427-B5BA-499E-9FBB-1E77C50F161E] [core] hook=unrecognized_command plugin=auth/flat_file function=hook_unrecognized_command params="STARTTLS" retval=CONT msg=""
[DEBUG] [CE8EA427-B5BA-499E-9FBB-1E77C50F161E] [core] running unrecognized_command hook in tls plugin
[DEBUG] [-] [core] Upgrading to TLS
[DEBUG] [9AD66EB3-533E-4E9E-ADC0-458AB03418A0.1] [outbound] running send_email hooks
[DEBUG] [9AD66EB3-533E-4E9E-ADC0-458AB03418A0.1] [outbound] Sending mail: 1477311824083_2_14270_683.infimailer.com
[DEBUG] [9AD66EB3-533E-4E9E-ADC0-458AB03418A0.1] [outbound] running get_mx hooks
[INFO] [CE8EA427-B5BA-499E-9FBB-1E77C50F161E] [core] client [54.254.211.1] connection error: Error: 139842931415008:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1259:SSL alert number 48
[DEBUG] [CE8EA427-B5BA-499E-9FBB-1E77C50F161E] [core] running disconnect hooks
[DEBUG] [CE8EA427-B5BA-499E-9FBB-1E77C50F161E] [core] running disconnect hook in tls plugin
[DEBUG] [CE8EA427-B5BA-499E-9FBB-1E77C50F161E] [core] hook=disconnect plugin=tls function=hook_disconnect params="" retval=CONT msg=""
[NOTICE] [CE8EA427-B5BA-499E-9FBB-1E77C50F161E] [core] disconnect ip=54.254.211.1 rdns="ec2-54-254-211-170.ap-southeast-1.compute.amazonaws.com" helo="localhost.localdomain" relay=N early=N esmtp=Y tls=N pipe=N errors=0 txns=0 rcpts=0/0/0 msgs=0/0/0 bytes=0 lr="" time=0.282
[INFO] [9AD66EB3-533E-4E9E-ADC0-458AB03418A0.1] [outbound] Attempting to deliver to: 182.18.174.10:25 (0) (0)

@typingArtist
Collaborator

http://serverfault.com/questions/793260/what-does-tlsv1-alert-unknown-ca-mean/793290

Your client (i.e., the ec2 instance) is sending a client certificate which the server doesn’t like. Make sure that the client provides the right certificate in the proper way, and that the server honors the root CA which is the base for the client certificate chain.

@msimerson
Member

OpenSSL has been updated quite a few times lately (addressing vulnerabilities) and some SSL protocols and ciphers that were formerly widely tolerated aren't any longer, as we've updated our software. The only solution is doing what everyone else has done: update their software.

Also, node 0.10 is deprecated upstream (by Node project). They don't support it and neither do we. Upgrade to at least Node 4.

@ajay-psd
Author

Yes, some days back we upgraded PHP, and OpenSSL also got updated to a newer version. From that day we are facing this issue.

I will update node version to Node 6 and check!

Thanks!

@msimerson
Member

Yes, some days back we upgraded PHP, and OpenSSL also got updated to a newer version. From that day we are facing this issue.

That's arguably the strongest argument against running PHP and Node.js (or frankly, any two significant software stacks) on the same host. Virtualize that stuff. Put your PHP stack in one VM, your node.js stuff in another, etc. That way, when you upgrade PHP, it doesn't affect node.js, and vice versa.

@ajay-psd
Author

ajay-psd commented Nov 4, 2016

Hi,
I have upgraded Node to v6.9.1; now it seems to be a different issue.
Can anyone please help me understand what the issue can be here?

haraka server details
Haraka.js — Version: 2.8.9
OpenSSL 1.0.1e-fips 11 Feb 2013
Linux host1.com 2.6.32-358.14.1.el6.x86_64 #1 SMP Tue Jul 16 23:51:20 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
Node v6.9.1

Haraka shows only the below logs (loglevel LOGDEBUG):

[NOTICE] [CF9552DF-A13E-4EAF-9425-1CBDA74E733E] [core] connect ip=54.254.xxx.xxx port=51709 local_ip=:: local_port=587
[DEBUG] [CF9552DF-A13E-4EAF-9425-1CBDA74E733E] [core] running connect_init hooks
[DEBUG] [CF9552DF-A13E-4EAF-9425-1CBDA74E733E] [core] running connect_init_respond
[DEBUG] [CF9552DF-A13E-4EAF-9425-1CBDA74E733E] [core] running lookup_rdns hooks
[DEBUG] [CF9552DF-A13E-4EAF-9425-1CBDA74E733E] [core] running connect hooks
[DEBUG] [CF9552DF-A13E-4EAF-9425-1CBDA74E733E] [core] running ehlo hooks
[DEBUG] [CF9552DF-A13E-4EAF-9425-1CBDA74E733E] [core] running capabilities hooks
[DEBUG] [CF9552DF-A13E-4EAF-9425-1CBDA74E733E] [core] running capabilities hook in auth/flat_file plugin
[DEBUG] [CF9552DF-A13E-4EAF-9425-1CBDA74E733E] [auth/flat_file] Auth disabled for insecure public connection
[DEBUG] [CF9552DF-A13E-4EAF-9425-1CBDA74E733E] [core] hook=capabilities plugin=auth/flat_file function=hook_capabilities params="" retval=CONT msg=""
[DEBUG] [CF9552DF-A13E-4EAF-9425-1CBDA74E733E] [core] running capabilities hook in tls plugin
[DEBUG] [CF9552DF-A13E-4EAF-9425-1CBDA74E733E] [core] hook=capabilities plugin=tls function=advertise_starttls params="" retval=CONT msg=""
[DEBUG] [CF9552DF-A13E-4EAF-9425-1CBDA74E733E] [core] running unrecognized_command hooks
[DEBUG] [CF9552DF-A13E-4EAF-9425-1CBDA74E733E] [core] running unrecognized_command hook in auth/flat_file plugin
[DEBUG] [CF9552DF-A13E-4EAF-9425-1CBDA74E733E] [core] hook=unrecognized_command plugin=auth/flat_file function=hook_unrecognized_command params="STARTTLS" retval=CONT msg=""
[DEBUG] [CF9552DF-A13E-4EAF-9425-1CBDA74E733E] [core] running unrecognized_command hook in tls plugin
[DEBUG] [-] [core] Upgrading to TLS
[INFO] [CF9552DF-A13E-4EAF-9425-1CBDA74E733E] [core] client [54.254.xxx.xxx] half closed connection
[DEBUG] [CF9552DF-A13E-4EAF-9425-1CBDA74E733E] [core] running disconnect hooks
[DEBUG] [CF9552DF-A13E-4EAF-9425-1CBDA74E733E] [core] running disconnect hook in tls plugin
[DEBUG] [CF9552DF-A13E-4EAF-9425-1CBDA74E733E] [core] hook=disconnect plugin=tls function=hook_disconnect params="" retval=CONT msg=""
[NOTICE] [CF9552DF-A13E-4EAF-9425-1CBDA74E733E] [core] disconnect ip=54.254.xxx.xxx rdns="ec2-54-254-xxx-xxx.ap-southeast-1.compute.amazonaws.com" helo="localhost.localdomain" relay=N early=N esmtp=Y tls=N pipe=N errors=0 txns=0 rcpts=0/0/0 msgs=0/0/0 bytes=0 lr="" time=0.028

Client logs show some unrecognised characters; maybe the SSH terminal is not able to render them.
[root@myserver smtp]# php smtp2.php
SMTP -> FROM SERVER:220 haraka.test ESMTP Haraka 2.8.9 ready

SMTP -> FROM SERVER: 250-haraka.test Hello ec2-54-254-xxx.xxx.ap-southeast-1.compute.amazonaws.com [54.254.xxx.xxx], Haraka is at your service.
250-PIPELINING
250-8BITMIME
250-SIZE 26214400
250 STARTTLS


SMTP -> FROM SERVER:220 Go ahead.


SMTP -> FROM SERVER:K
[binary TLS handshake bytes rendered as text]
SMTP -> ERROR: RSET failed: K [binary TLS handshake bytes rendered as text]

Language string failed to load: tls
Message was not sent

Mailer Error: Language string failed to load: tls

SMTP server error: K
[binary TLS handshake bytes rendered as text]
[root@infimart smtp]#

client server details
OS | Linux myserver 2.6.32-358.14.1.el6.x86_64 #1 SMP Mon Jun 17 15:54:20 EDT 2013 x86_64 x86_64 x86_64 GNU/Linux
openssl | OpenSSL 1.0.1e-fips 11 Feb 2013
using PHP 7

Kindly suggest on this!

@smfreegard
Collaborator

Whatever your PHP script is doing - it's doing it wrong, simple as that. It sent a STARTTLS and then is treating the TLS negotiation as SMTP mode traffic, which it isn't; it's supposed to negotiate TLS and then go back into SMTP mode after the negotiation.

This isn't a Haraka problem...

@ajay-psd
Author

ajay-psd commented Nov 4, 2016

Okay.. I will check again!

Can you please help me understand this log?

In my first post, using the same PHP script, the Haraka log shows:
[INFO] [CE8EA427-B5BA-499E-9FBB-1E77C50F161E] [core] client [54.254.211.1] connection error: Error: 139842931415008:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1259:SSL alert number 48
[DEBUG] [CE8EA427-B5BA-499E-9FBB-1E77C50F161E] [core] running disconnect hooks
[DEBUG] [CE8EA427-B5BA-499E-9FBB-1E77C50F161E] [core] running disconnect hook in tls plugin
[DEBUG] [CE8EA427-B5BA-499E-9FBB-1E77C50F161E] [core] hook=disconnect plugin=tls function=hook_disconnect params="" retval=CONT msg=""

But now the Haraka log does not show any specific log entry for running disconnect hooks.

@smfreegard
Collaborator

But now the Haraka log does not show any specific log entry for running disconnect hooks.

Huh - aside from the error you highlighted... Haraka disconnects the client forcibly due to the error.

See http://serverfault.com/questions/660241/postfix-tls-error

Test your Haraka TLS by running:

openssl s_client -port 25 -starttls smtp

If that works, it's the PHP end that is the problem. If it doesn't work, then you've got some other problem with the certificates you've installed.

@ajay-psd
Author

ajay-psd commented Nov 7, 2016

Hi,

Tested Haraka TLS by running: openssl s_client -port 25 -starttls smtp
I assume it's working.

[ajay.p@infimart ~]$ openssl s_client -host myhost.com -port 587 -starttls smtp
CONNECTED(00000003)
depth=0 C = IN, L = Bangalore, O = Solutions , CN = mailer
verify error:num=18:self signed certificate
verify return:1
depth=0 C = IN, L = Bangalore, O = Solutions , CN = mailer

verify return:1

Certificate chain
0 s:/C=IN/L=Bangalore/O=Solutions /CN=mailer

i:/C=IN/L=Bangalore/O=Solutions /CN=mailer

Server certificate
-----BEGIN CERTIFICATE-----
_SOME CERTIFICATE_
-----END CERTIFICATE-----

subject=/C=IN/L=Bangalore/O=Solutions /CN=mailer

issuer=/C=IN/L=Bangalore/O=Solutions /CN=mailer

No client certificate CA names sent

Server Temp Key: ECDH, prime256v1, 256 bits

SSL handshake has read 1787 bytes and written 408 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 84135826C8363439552D06C3F0B024BF1D6EDE69F19F8C0C1B59D1928F493988
Session-ID-ctx:
Master-Key: ED42374022A88F8BA63C1D91134EF22C495956FDD833FDF9F43979896375125CEA6F4C29XXX
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 52 23 38 ea e4 e0 e5 4e-fe da 68 41 87 0f f7 5e R#8....N..hA...^
0010 - f2 1d de e2 3a 90 10 dd-a2 d6 d8 39 f8 a1 85 41 ....:......9...A
0020 - c9 67 7a a5 6a 2a 2b e6-8a 6f de f8 f0 c0 bb 1a .gz.j*+..o......
0030 - 5e 9f 41 65 f7 a5 ab 2f-b8 de ed 22 62 8d f8 81 ^.Ae.../..."b...
...........
............

Start Time: 1478499529
Timeout   : 300 (sec)
Verify return code: 18 (self signed certificate)

250 STARTTLS

Also tested: mails are successfully going from a different server with PHP 5.
I think the issue is with the PHP 7 library which I am using; I tried with PHP 7 from multiple servers, and it's not working.

Still trying to figure out a resolution. Will post here if I get any success!

Thanks a lot for guidance!
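Added triage helper, not part of this thread or of Haraka: it classifies the two Haraka outcomes quoted above, treating an alert that surfaces in SSL3_READ_BYTES as one received from the client (alert 48 is unknown_ca, consistent with the self-signed server certificate that the s_client output reports as verify return code 18) and a half-closed connection after STARTTLS as a client that never completed the handshake. Sample lines are copied from the thread with connection ids shortened; the verdict labels are my own.

```python
import re

# TLS AlertDescription values (RFC 5246, section 7.2.2) as OpenSSL prints them in
# "SSL alert number N"; only the handshake/certificate-related ones are listed.
TLS_ALERTS = {
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error",
}

# OpenSSL error string: error:<code>:<lib>:<function>:<reason>[:<file>:<line>][:<extra>]
OPENSSL_ERR = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*)"
    r"(?::[^:]*\.c:\d+)?(?::SSL alert number (?P<alert>\d+))?"
)

def triage(line):
    """Return (verdict, detail) for one Haraka [core] connection log line."""
    m = OPENSSL_ERR.search(line)
    if m:
        alert = int(m.group("alert")) if m.group("alert") else None
        # An alert surfacing in SSL3_READ_BYTES/ssl3_read_bytes was *received*
        # from the peer, so the peer is the side that aborted the handshake.
        received = "read_bytes" in m.group("func").lower() and "alert" in m.group("reason")
        if received and alert is not None:
            if alert == 48:
                return ("peer_rejected_our_cert",
                        "client sent unknown_ca: it does not trust the CA that issued "
                        "this server's certificate (self-signed or private CA)")
            return ("peer_sent_alert", "alert %d (%s)" % (alert, TLS_ALERTS.get(alert, "unknown")))
        return ("local_tls_error", "%s: %s" % (m.group("func"), m.group("reason")))
    if "half closed connection" in line:
        return ("peer_closed", "client closed the socket; right after STARTTLS this "
                "means it never completed the TLS handshake")
    return ("ok", "")

# Sample lines copied from the thread (connection ids shortened).
SAMPLE = [
    "[INFO] [CE8EA427] [core] client [54.254.211.1] connection error: Error: "
    "139842931415008:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert "
    "unknown ca:s3_pkt.c:1259:SSL alert number 48",
    "[INFO] [CF9552DF] [core] client [54.254.xxx.xxx] half closed connection",
    "[DEBUG] [-] [core] Upgrading to TLS",
]

if __name__ == "__main__":
    for ln in SAMPLE:
        print(triage(ln))
```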
