Cannot send email, TLS v1 protocol

netdiver · 13 November 2024 08:04

Dear all,
I’m trying to set up email alerting in my LibreNMS 24.9.0 Docker installation.
After setting the Global SMTP options and the “Mail” alert transport, LibreNMS can’t connect to my email server correctly.

I want to use SMTPS protocol over port 465 with authentication, but my email server refuses to talk to LibreNMS due to the fact that it uses TLSV1 that I denied on my Postfix Server.

Here is the log of Postfix Server

2024-11-13T08:55:58.497150+01:00 postfix postfix/submissions/smtpd[55688]: connect from librenms [192.168.1.100]
2024-11-13T08:55:58.523761+01:00 postfix postfix/submissions/smtpd[55688]: SSL_accept error from librenms [192.168.1.100]: -1
2024-11-13T08:55:58.523887+01:00 postfix postfix/submissions/smtpd[55688]: warning: TLS library problem: error:0A000418:SSL routines::tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1599:SSL alert number 48:
2024-11-13T08:55:58.523980+01:00 postfix postfix/submissions/smtpd[55688]: lost connection after CONNECT from librenms [192.168.1.100]
2024-11-13T08:55:58.524130+01:00 postfix postfix/submissions/smtpd[55688]: disconnect from librenms [192.168.1.100] commands=0/0

How to disable TLSV1 and TLS v1.1 and force LibreNMS use TLS v1.2 or higher?

laf · 13 November 2024 09:16

LIbreNMS and PHPMailer which we use is just using php to send mail and TLS versions are set by that. You can’t change or update any config to get it to work from our side.

Either PHP itself or openssl isn’t up to date or configured.

Try running this in php -a

  $ch = curl_init('https://www.howsmyssl.com/a/check'); 
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); 
  $data = curl_exec($ch); 
  curl_close($ch); 
  $json = json_decode($data); 
  echo "<h1>Your TLS version is: " . $json->tls_version . "</h1>\n";

That will show you the version being used.

netdiver · 13 November 2024 10:06

Thanks for the quick reply.
I executed those PHP commands into the librenms container, and it turned out that
Your TLS version is: TLS 1.3

But in my docker compose setup I see another container that uses msmtpd image.

Surely I made some wrong configuration here.

netdiver · 13 November 2024 10:24

Ok I figured out that I needed to set the local msmtpd container (port 2500) as SMTP transport in LibreNMS (Global Options) without any authentication or encryption, then I added my TLS and auth options to the msmtpd.env file.

Msmtpd, latest version, has implemented latest TLS protocol and works as expected.

Thanks for help!