globaleaks / globaleaks-whistleblowing-software

GlobaLeaks is a free and open-source whistleblowing software enabling anyone to easily set up and maintain a secure reporting platform.
https://www.globaleaks.org

error configuration mail with exchange server #2897

Open RDLRA opened 4 years ago

RDLRA commented 4 years ago

Current behavior: I configure mail [image] with open Exchange CAS, but I have this error log. Do I put the certificate in the GlobaLeaks server? Where? I use the container installation.

```
2020-09-23T19:18:11+0000 [twisted.mail.smtp.ESMTPSenderFactory#info] Starting factory <twisted.mail.smtp.ESMTPSenderFactory object at 0x7fc847c66b38>
2020-09-23T19:18:11+0000 [stdout#info] [E] Unable to verify validity of certificate: <X509Name object '/CN=CT**'>
2020-09-23T19:18:11+0000 [twisted.mail.smtp.ESMTPSenderFactory#info] Stopping factory <twisted.mail.smtp.ESMTPSenderFactory object at 0x7fc847c66b38>
```

GlobaLeaks version: 4.0.53


evilaliv3 commented 4 years ago

Hello @RDLRA, thank you for opening this ticket.

I suspect that you may be using a self-signed certificate; is this the case?

This is actually not a supported configuration, but you may work around this by understanding how to add your certificate to the trust store of the operating system.

Here is a guide that explains how to do that: https://askubuntu.com/questions/645818/how-to-install-certificates-for-command-line

I've not tested it directly but I think it should work.

If you try this procedure please let us know if it does work so that we could try to document it for other users.

Thank you!

philippkrapp commented 2 years ago

I am encountering the exact same problems. Any updates or hints on this case? I tried to follow the instructions. No luck.

I also tried both: ports 25 and 587.

I also switched the OS from Ubuntu to Debian. Same problem.

Any hints?

evilaliv3 commented 2 years ago

@philippkrapp: can you paste an extract or add a copy of your /var/globaleaks/log/globaleaks.log?

Would you please describe your scenario?

Thank you

philippkrapp commented 2 years ago

@evilaliv3, thank you for getting back with me.

I am trying to set up an email connection to our Exchange server. As soon as I try to check the connection my globaleaks.log throws

```
2022-03-14 11:04:45+0100 [-] Starting factory <twisted.mail.smtp.ESMTPSenderFactory object at 0x7f5dad098790>
2022-03-14 11:04:45+0100 [-] [E] Unable to verify validity of certificate: <X509Name object '/CN=Mailsrv2016'>
2022-03-14 11:04:45+0100 [-] Stopping factory <twisted.mail.smtp.ESMTPSenderFactory object at 0x7f5dad098790>
```

It doesn't matter if I go through port 587 using SMTP/TLS or port 25 using PLAIN. As described, I tried with Debian 11 and Ubuntu 20.04.

The Exchange server doesn't need any authentication. I also tried to install and use a Postfix on the same server (Postfix to relay towards the existing Exchange server). Then I get the error complaining about the X509Name object /CN=compliance.

I use GlobaLeaks 4.7.17 from scratch.

Since I use other internal web-based systems (zammad, wekan, wordpress) with the same Exchange server, I know emailing basically runs :-)

But I really don't understand how to deal with this x509 object thing.

I also got the MicrosoftExchangeServerAuthCertificate.PFX and a Mailsrv2016_selfsigned_2019-10-28.cer and tried to convert and use it via openssl and update-ca-certificates commands. Not sure if I did this right, but at least update-ca-certificates told me that I added those certificates....

evilaliv3 commented 2 years ago

Thank you @philippkrapp

Actually, GlobaLeaks for security reasons cannot accept self-signed certificates.

RDLRA commented 2 years ago

I solved it like this. I have a Docker infrastructure and I added a container with a Postfix without authentication which then runs on my mail Exchange. Then GlobaLeaks talks to Postfix, which talks to Exchange. It's not beautiful but it works.

evilaliv3 commented 2 years ago

@RDLRA: Please consider that in a setup like this an attacker would quite easily be able to mount a MITM attack on the email notifications and thus possibly be able to intercept password reset emails.

A proper fix would eventually be to load the self-signed certificate into the set of trusted certificates of Ubuntu/Debian.

philippkrapp commented 2 years ago

Hi @RDLRA and @evilaliv3

Despite the MitM threat, I set up a Postfix service myself on the same machine as GlobaLeaks. I can now send emails through relay via the MS Exchange server.

Also the telnet command on port 25 on the FQDN is successful.

But guess what: When I test the connection in globaleaks the log-file now throws

```
2022-03-14 13:46:35+0000 [-] Starting factory <twisted.mail.smtp.ESMTPSenderFactory object at 0x7f895c5f3fa0>
2022-03-14 13:46:35+0000 [-] [E] Unable to verify validity of certificate: <X509Name object '/C=DE/ST=Niedersachsen/L=Lohne/O=Krapp Beteiligungsgesellschaft mbH/OU=IT/CN=*.krapp.de'>
2022-03-14 13:46:35+0000 [-] Stopping factory <twisted.mail.smtp.ESMTPSenderFactory object at 0x7f895c5f3fa0>
```

In my /etc/postfix/main.cf I link to a valid wildcard certificate which is in use at many servers. Why can't the certificate be validated?

Is there a local command to test this? Is there another cause? Firewall Port?

I appreciate your help!

evilaliv3 commented 2 years ago

@philippkrapp: in my opinion Ubuntu/Debian do not contain the root certificate or the up-to-date version of the certificate in validity.

To verify if this is the situation you may use "openssl s_client -showcerts -connect host:port"
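A local check for the question asked above, as an added example that is not from the thread's participants or the GlobaLeaks project: it shows how OpenSSL's verdict on a self-signed certificate changes once that certificate is in the CA bundle, and wraps the live `s_client` check for an SMTP port. The function names, the temporary bundle and both certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example. All certificates and names below are constructed test data.

# make_selfsigned DIR NAME CN: create a throwaway self-signed certificate.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# cert_trusted CERT BUNDLE: succeed only if CERT verifies against the PEM bundle.
# Matching on ": OK" avoids relying on the exit status of older openssl builds.
cert_trusted() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# trust_store_demo: verify a self-signed server certificate before and after
# it is appended to a CA bundle, and print both results.
trust_store_demo() {
    d=$(mktemp -d) || return 1
    make_selfsigned "$d" mail "mail.example.test"   # stands in for the mail server
    make_selfsigned "$d" root "Unrelated Test Root" # stands in for the stock bundle
    cp "$d/root.pem" "$d/bundle.pem"
    before=untrusted; after=untrusted
    cert_trusted "$d/mail.pem" "$d/bundle.pem" && before=trusted
    # On Debian/Ubuntu, update-ca-certificates does this for every PEM file
    # named *.crt under /usr/local/share/ca-certificates/.
    cat "$d/mail.pem" >> "$d/bundle.pem"
    cert_trusted "$d/mail.pem" "$d/bundle.pem" && after=trusted
    rm -rf "$d"
    echo "before=$before after=$after"
}

# check_smtp_cert HOST PORT: live check against the system trust store.
# Ports 25 and 587 speak plain SMTP first, so s_client needs -starttls smtp.
# Verify return code 18/19: self-signed; 20/21: issuer not in the trust store.
check_smtp_cert() {
    openssl s_client -starttls smtp -connect "$1:$2" -verify_hostname "$1" \
        </dev/null 2>&1 | grep -E 'subject=|issuer=|Verify return code'
}

trust_store_demo   # prints: before=untrusted after=trusted
```

`check_smtp_cert` needs network access to the mail server and takes the name the client connects to, since the certificate is also matched against that name.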

chateaufiesta commented 2 years ago

> I solved it like this. I have a docker infrastructure and I added a container with a postfix without authentication which then runs on my mail exchange. then gloab talks to postfix who talks to exchange. it's not beautiful but it works

@RDLRA Do you have a tutorial or some link that I can follow? Having the same problem.

RDLRA commented 2 years ago

Sorry, I don't have a link or tutorial; I can send a compose with my stack.

```yaml
version: "3.4"

services:
  yyyyyy:
    image: xxxxxxxxxxxxxx
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
      placement:
        constraints:
```

Regards, Roberto Di Lorenzo

Supporto Sistemistico Regione Abruzzo


chateaufiesta commented 2 years ago

@RDLRA Thank you, will try this later