How to Establish Connection Without TLS

I encountered an error: “tls: failed to verify certificate: x509: certificate signed by unknown authority.”
I tried adding relay_hosts to bypass the certificate check, but it didn’t resolve the issue. How can this be fixed?
```lua
kumo.start_esmtp_listener {
  listen = '0.0.0.0:22',
  banner = 'Welcome to 25',
  hostname = 'kumomta.domain.io',
  relay_hosts = { '10.0.0.2' },
}
```

Your configuration says to listen on port 22 instead of 25; port 22 is for SSH.

Is it possible to use any other ports?

Email is port 25, any specific reason not to use it?

That port is blocked by the email provider; it will take time to unlock.

Well then you need to identify an available port that is not reserved by an existing protocol and use that.

Ok, thanks

The issue remains unresolved. I’ve enabled port 25, but I am still encountering the same error:
“tls: failed to verify certificate: x509: certificate signed by unknown authority”

Currently, I have both ports 587 and 25 listening, with port 587 working correctly. However, when attempting to connect to port 25, the error occurs.
My expectation is to connect on both ports 587 and 25. Port 587 should have TLS enabled, while port 25 should be configured without TLS.

Version: kumod 2024.11.08-d383b033

Kumomta Lua Configuration:

```lua
kumo.start_esmtp_listener {
  listen = '0.0.0.0:587',
  banner = 'Welcome to 587',
  hostname = os.getenv('HOST_NAME'),
  tls_certificate = os.getenv('TLS_CERTIFICATE'),
  tls_private_key = os.getenv('TLS_PRIVATE_KEY'),
  max_recipients_per_message = 100,
  trace_headers = {
    received_header = true,
    supplemental_header = true,
    header_name = 'X-HEader',
  },
}
kumo.start_esmtp_listener {
  listen = '0.0.0.0:25',
  banner = 'Welcome to 25',
  hostname = 'kumomta.domain.io',
  relay_hosts = { '10.10.8.1' },
}
```

The release notes contained this: “The SMTP client will now look for the system CA-certificate bundle when making connections. If no CA-certificate bundle is present, it will have no available trust store and will not be able to successfully establish TLS sessions. Previously, we used a bundled hard-coded, non-extensible, copy of the Mozilla CA certificate store. You must therefore ensure that you install the ca-certificates package for your system, or otherwise contrive to populate the system certificate store.”

which sounds like it might apply to the error you’re getting

though it’s not entirely clear to me in what context the error is happening (incoming/outgoing connections)

The error occurred while I was connecting to Kumomta (incoming).

The troubleshooting guide shows how to trace an incoming connection, you’ll want to do that.

I’m also interested in what the client command looks like.

How to Troubleshoot This Issue:
No logs are displayed when running the command “sudo journalctl -u kumomta -f”.

Read the part that says tracing server communications.

Note that our SMTP listeners always support STARTTLS, whether you explicitly deploy a certificate or not (we’ll make a self-signed cert automatically).

We do not support SMTPS where the connection is assumed to only support talking with TLS enabled.

Can you provide a solution to connect to port 25 without using a certificate? If Kumomta generates an automatic certificate, why am I still unable to connect to port 25?

I have given you steps to troubleshoot, you have ignored them. The problem is your client and those steps would have helped with that.