Some emails are delivered by other email delivery systems, but get Certificate errors with Kumo

I’m getting different kinds of certificate errors when trying to send emails to addresses from a few domains with Kumo:

  • invalid peer certificate: NotValidForName
  • invalid peer certificate: Expired
  • invalid peer certificate: Other(CaUsedAsEndEntity)
  • invalid peer certificate: UnknownIssuer

One of them is a large university (getting Other(CaUsedAsEndEntity)), another one is a large governmental organization (getting NotValidForName). Emails are being delivered with Postal, SendGrid, and Gmail to the same email addresses without any errors. So far as I can tell, the errors are actually true (the certificates are self-signed, expired or invalid for the domain), and I assume the other systems are ignoring certificate errors. Is there any way for me to tell Kumo to do the same?

(I can’t share specific examples publicly here, but can share privately in DM if it helps).

By default, KumoMTA uses “Opportunistic” TLS (with validation) - “use TLS if advertised by the EHLO response. If the peer has invalid or self-signed certificates, then the delivery will fail. KumoMTA will NOT fallback to not using TLS on that same host.”

So setting it to “OpportunisticInsecure” will skip all validation checks.

https://docs.kumomta.com/reference/kumo/make_egress_path/?h=enable_tls#enable_tls

Yes, Syed is correct. I wanted to note that you should take care when using the Insecure modes; while they enable session privacy with the destination, the lack of verification means that you may be having a private communication with an impostor. Depending on the nature of your mail, this may or may not be a concern for you.

You may want to consider enabling MTA-STS and/or DANE support. Both will upgrade the TLS mode to Required when the destination domain indicates that through their published policies, with no additional explicit MTA configuration required on the part of the sender (aside from enabling these policy lookups).

MTA-STS is simple to enable, whereas DANE also requires some changes to your DNS resolving configuration to ensure that DNSSEC is functional.

Thanks, I enabled MTA-STS and also set enable_tls to OpportunisticInsecure in shaping.toml for the domains that have invalid certs, I think that should work.

How about failed to connect to any candidate hosts: TLS handshake with ResolvedAddress { name: "mail.example.com.", addr: 1.2.3.4 }:25 failed: tls handshake eof? Should I be increasing connect_timeout / starttls_timeout?

Sounds like the remote host closed the connection during the handshake. There’s no client side that will make it succeed, so you’ll probably want to disable TLS for that domain.

I’ve added

["bad-certificate1.com"]
enable_tls = "Disabled"

["bad-certificate2.com"]
enable_tls = "Disabled"

["bad-certificate3.com"]
enable_tls = "OpportunisticInsecure"

to shaping.toml and restarted kumomta (latest stable version). After restart I get a new TransientFailure log event with the same errors as before (tls handshake eof, invalid peer certificate: Other(CaUsedAsEndEntity), etc.).

Actually, when sending to user@bad-certificate1.com, the log shows

TLS handshake with ResolvedAddress { name: "mail.bad-certificate1.com.", addr: 1.2.3.4 }:25 failed: tls handshake eof

Does this mean that I should add mail.bad-certificate1.com to shaping.toml instead of bad-certificate1.com?

Nope, changed the config in shaping.toml to

["mail.bad-certificate1.com"]
enable_tls = "Disabled"

and tried again, still getting the same error.

Did you restart after the change? That setting should prevent you from using TLS in the first place.

Yes, I did restart it

And right after restarting it, it tries to send the email again and gives me the error above

Seems like the config is being ignored, I’ve added this at the end of shaping.toml (restarting kumomta after every change to this file):

["bad-certificate.com"]
enable_tls = "Disabled"

["mail.bad-certificate.com"]
enable_tls = "Disabled"

["mail.bad-certificate.com."]
enable_tls = "Disabled"

and I’m loading it in init.lua:

local shaper = shaping:setup_with_automation {
  publish = { 'http://127.0.0.1:8008' },
  subscribe = { 'http://127.0.0.1:8008' },
  extra_files = { '/opt/kumomta/etc/policy/config/shaping.toml' },
}

Still getting the same errors:

failed to connect to any candidate hosts: TLS handshake with ResolvedAddress { name: "mail.bad-certificate.com.", addr: 1.2.3.4 }:25 failed: invalid peer certificate: Other(CaUsedAsEndEntity)

Can you post the full init.lua pls? There’s more than one place to configure shaping.

https://paste.mozilla.org/6JC7aoma

You are missing:

-- Call the Traffic Shaping Automation Helper to configure shaping rules.
kumo.on('get_egress_path_config', shaper.get_egress_path_config)

Oh, sorry about that - added it and it’s loading the file now.
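As an added example (not from this thread or from KumoMTA's own code), a small Python triage script for the failure lines quoted above: it parses the `TLS handshake with ResolvedAddress { ... }` message, picks the least-insecure shaping.toml override the replies recommend for that failure class (certificate validation errors keep encryption via OpportunisticInsecure, a peer that drops the handshake needs Disabled), and can independently re-check the MX with a verifying STARTTLS connection so you confirm the error is real before relaxing validation. The sample log line and recipient domain are constructed.

```python
"""Triage KumoMTA TLS delivery failures before changing enable_tls."""
import re
import smtplib
import ssl

# Matches the failure text KumoMTA logs, e.g.
#   TLS handshake with ResolvedAddress { name: "mx.example.", addr: 1.2.3.4 }:25 failed: tls handshake eof
_LOG_RE = re.compile(
    r'TLS handshake with ResolvedAddress \{ name: "(?P<name>[^"]+)", addr: (?P<addr>[^ ]+) \}'
    r':(?P<port>\d+) failed: (?P<reason>.+)$'
)

# Least-insecure shaping override per failure class.  Certificate problems still
# permit an encrypted (unauthenticated) session; an EOF during the handshake is the
# peer aborting, which no client-side setting fixes, so TLS has to be turned off.
_OVERRIDE = {
    "invalid peer certificate": "OpportunisticInsecure",
    "tls handshake eof": "Disabled",
}

# Constructed sample, same shape as the lines quoted in the thread.
SAMPLE = ('failed to connect to any candidate hosts: TLS handshake with ResolvedAddress '
          '{ name: "mail.bad-certificate.com.", addr: 1.2.3.4 }:25 failed: '
          'invalid peer certificate: Other(CaUsedAsEndEntity)')

def parse_tls_failure(msg: str) -> dict:
    m = _LOG_RE.search(msg)
    if not m:
        raise ValueError("not a KumoMTA TLS handshake failure: %r" % msg)
    d = m.groupdict()
    d["name"] = d["name"].rstrip(".")  # drop the trailing FQDN dot
    d["port"] = int(d["port"])
    return d

def recommend_override(reason: str) -> str:
    for prefix, setting in _OVERRIDE.items():
        if reason.startswith(prefix):
            return setting
    return "Opportunistic"  # unknown reason: keep validation on

def shaping_stanza(recipient_domain: str, reason: str) -> str:
    """Render the shaping.toml entry, keyed by recipient domain as in the thread."""
    return '["%s"]\nenable_tls = "%s"\n' % (recipient_domain, recommend_override(reason))

def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Re-check the MX with OpenSSL's validator (needs network; rustls names differ)."""
    ctx = ssl.create_default_context()
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as s:
            s.starttls(context=ctx)
            return "certificate valid for %s, expires %s" % (host, s.sock.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as e:
        return "verification failed: %s" % e.verify_message
    except (ssl.SSLError, smtplib.SMTPException, OSError) as e:
        return "handshake/connection failed: %s" % e

if __name__ == "__main__":
    info = parse_tls_failure(SAMPLE)
    print(info)
    print(shaping_stanza("bad-certificate.com", info["reason"]))
```

Run `probe_starttls(info["name"])` against the MX named in the log line to confirm the certificate really fails validation before adding the stanza.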