ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Форум — General
Доброго всем дня. Сколько уже времени периодически возвращаюсь к этому вопросу, решить сам не могу. Прошу помощи
debian 12+nginx+postfix+dovecot+roundcube
При открытии веб интерфейса рандомно появляется ошибка ERR_SSL_VERSION_OR_CIPHER_MISMATCH В этот же момент с режима инкогнито она открывается, или помогает перезапуск браузера. Но хочется все же докапаться до сути..
cat /etc/postfix/main.cf
cat /etc/postfix/main.cf
soft_bounce = no
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix
mail_owner = postfix
header_checks=pcre:/etc/postfix/header_checks.pcre
myhostname = mx.домен.ру
mydomain = домен.ру
myorigin = $myhostname
inet_interfaces = all
inet_protocols = ipv4
mydestination = localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
mynetworks = 127.0.0.0/8 192.168.2.0/24 192.168.10.0/24 192.168.20.0/24 10.220.220.0/24
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
#####smtpd_banner = $myhostname ESMTP $mail_name
smtpd_banner = $myhostname
debug_peer_level = 2
# Строки с PATH и ddd должны быть с отступом в виде табуляции от начала строки
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
setgid_group = postdrop
html_directory = no
relay_domains = mysql:/etc/postfix/mysql/relay_domains.cf
virtual_alias_maps = mysql:/etc/postfix/mysql/virtual_alias_maps.cf,
mysql:/etc/postfix/mysql/virtual_alias_domain_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
smtpd_discard_ehlo_keywords = etrn, silent-discard
smtpd_forbidden_commands = CONNECT GET POST
broken_sasl_auth_clients = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtp_always_send_ehlo = yes
disable_vrfy_command = yes
smtpd_helo_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_helo_hostname,
reject_invalid_helo_hostname
smtpd_data_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_pipelining,
reject_multi_recipient_bounce,
smtpd_sender_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_sender,
reject_unknown_sender_domain
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
reject_multi_recipient_bounce,
reject_unauth_destination,
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
#smtpd_tls_key_file = /etc/postfix/certs/key.pem
#smtpd_tls_cert_file = /etc/postfix/certs/cert.pem
smtpd_tls_cert_file = /etc/postfix/certs/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mx.домен.ру/privkey.pem
tls_random_source = dev:/dev/urandom
smtpd_tls_mandatory_ciphers = low
smtpd_tls_ciphers = low
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_ciphers = low
smtp_tls_mandatory_ciphers = low
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy_maps
smtp_tls_note_starttls_offer = yes
# Ограничение максимального размера письма в байтах
message_size_limit = 200000000
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 15
smtpd_error_sleep_time = 20
anvil_rate_time_unit = 60s
smtpd_client_connection_count_limit = 20
smtpd_client_connection_rate_limit = 30
smtpd_client_message_rate_limit = 30
smtpd_client_event_limit_exceptions = 127.0.0.0/8
smtpd_client_connection_limit_exceptions = 127.0.0.0/8
maximal_queue_lifetime = 1d
bounce_queue_lifetime = 1d
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
# Директория для хранения почты
virtual_mailbox_base = /mnt/mail
virtual_minimum_uid = 1100
virtual_uid_maps = static:1100
virtual_gid_maps = static:1100
virtual_transport = dovecot
#virtial_transport = lmtp:unix:private/dovecot-lmtp
dovecot_destination_recipient_limit = 1
sender_bcc_maps = hash:/etc/postfix/sender_bcc_maps
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc_maps
compatibility_level=2
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2
#cleanup unix n - - - 0 cleanup -o header_checks=pcre:/etc/postfix/header_checks.pcre
queue_run_delay = 2m
#content_filter = scan:[127.0.0.1]:10024
cat /etc/dovecot/dovecot.conf
listen = *
mail_plugins = mailbox_alias acl
protocols = imap pop3 sieve lmtp
mail_uid = 1100
mail_gid = 1100
first_valid_uid = 1100
last_valid_uid = 1100
auth_verbose = yes
log_path = /var/log/dovecot/main.log
info_log_path = /var/log/dovecot/info.log
debug_log_path = /var/log/dovecot/debug.log
ssl_min_protocol = SSLv3
verbose_ssl = yes
ssl_cert = </etc/postfix/certs/cert.pem
ssl_key = </etc/postfix/certs/key.pem
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_prefer_server_ciphers = yes
disable_plaintext_auth = no
mail_location = maildir:/mnt/mail/%d/%u/
auth_default_realm = домен.ру
auth_mechanisms = PLAIN LOGIN
service auth {
unix_listener /var/spool/postfix/private/dovecot-auth {
user = postfix
group = postfix
mode = 0666
}
unix_listener auth-master {
user = vmail
group = vmail
mode = 0666
}
unix_listener auth-userdb {
user = vmail
group = vmail
mode = 0660
}
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
user = postfix
group = postfix
mode = 0600
}
inet_listener lmtp {
address = 127.0.0.1
port = 24
}
}
userdb {
args = /etc/dovecot/dovecot-mysql.conf
driver = sql
}
passdb {
args = /etc/dovecot/dovecot-mysql.conf
driver = sql
}
auth_master_user_separator = *
plugin {
auth_socket_path = /var/run/dovecot/auth-master
acl = vfile
acl_shared_dict = file:/mnt/mail/shared-folders/shared-mailboxes.db
sieve_dir = ~/.sieve/
mailbox_alias_old = Sent
mailbox_alias_new = Sent Messages
mailbox_alias_old2 = Sent
mailbox_alias_new2 = Sent Items
}
protocol lda {
mail_plugins = $mail_plugins sieve
auth_socket_path = /var/run/dovecot/auth-master
deliver_log_format = mail from %f: msgid=%m %$
log_path = /var/log/dovecot/lda-errors.log
info_log_path = /var/log/dovecot/lda-deliver.log
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
# postmaster_address = root
}
protocol lmtp {
info_log_path = /var/log/dovecot/lmtp.log
mail_plugins = quota sieve
postmaster_address = postmaster
lmtp_save_to_detail_mailbox = yes
recipient_delimiter = +
}
protocol imap {
mail_plugins = $mail_plugins imap_acl
imap_client_workarounds = tb-extra-mailbox-sep
mail_max_userip_connections = 30
}
protocol pop3 {
mail_plugins = $mail_plugins
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
pop3_uidl_format = %08Xu%08Xv
mail_max_userip_connections = 30
}
service imap-login {
service_count = 1
process_limit = 500
}
service pop3-login {
service_count = 1
}
service managesieve-login {
inet_listener sieve {
port = 4190
}
}
service stats {
unix_listener stats-reader {
user = vmail
group = vmail
mode = 0660
}
unix_listener stats-writer {
user = vmail
group = vmail
mode = 0660
}
}
namespace {
type = private
separator = /
prefix =
inbox = yes
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox "Sent Messages" {
auto = no
special_use = \Sent
}
mailbox "Sent Items" {
auto = no
special_use = \Sent
}
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
mailbox "Deleted Messages" {
auto = no
special_use = \Trash
}
mailbox Junk {
auto = subscribe
special_use = \Junk
}
mailbox Spam {
auto = no
special_use = \Junk
}
mailbox "Junk E-mail" {
auto = no
special_use = \Junk
}
mailbox Archive {
auto = no
special_use = \Archive
}
mailbox Archives {
auto = no
special_use = \Archive
}
}
namespace {
type = shared
separator = /
prefix = Shared/%%u/
location = maildir:%%h:INDEX=%h/shared/%%u
subscriptions = yes
list = children
}
cat /etc/nginx/sites-enabled/default
server {
listen 80 default_server;
listen [::]:80 default_server;
location /.well-known {
root /var/www/html/mx;
}
# ssl_protocols TLSv1.2 TLSv1.3;
# ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256;
ssl_certificate /etc/letsencrypt/live/mx.домен.ру/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mx.домен.ру/privkey.pem;
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
root /var/www/html/mx;
index index.php index.html index.htm index.nginx-debian.html;
server_name _;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php8.2-fpm.sock;
}
}
tail log nginx/error.log
2025/03/04 02:15:56 [crit] 607#607: *1 connect() to unix:/run/php/php8.2-fpm.sock failed (2: No such file or directory) while connecting to upstream, client: 176.116.171.135, server: _, request: "POST /?_task=mail&_action=refresh HTTP/1.1", upstream: "fastcgi://unix:/run/php/php8.2-fpm.sock:", host: "mx.домен.ру", referrer: "https://mx.домен.ру/?_task=mail&_mbox=Junk"
2025/03/04 13:52:44 [crit] 607#607: *7255 SSL_read() failed (SSL: error:1C800066:Provider routines::cipher operation failed error:0A000119:SSL routines::decryption failed or bad record mac) while waiting for request, client: 64.41.200.101, server: 0.0.0.0:443
2025/03/04 13:53:21 [crit] 607#607: *7330 SSL_read() failed (SSL: error:1C800066:Provider routines::cipher operation failed error:0A000119:SSL routines::decryption failed or bad record mac) while waiting for request, client: 64.41.200.101, server: 0.0.0.0:443
2025/03/05 02:07:12 [crit] 595#595: *2 connect() to unix:/run/php/php8.2-fpm.sock failed (2: No such file or directory) while connecting to upstream, client: 176.116.171.135, server: _, request: "POST /?_task=mail&_action=refresh HTTP/1.1", upstream: "fastcgi://unix:/run/php/php8.2-fpm.sock:", host: "mx.домен.ру", referrer: "https://mx.домен.ру/?_task=mail&_mbox=INBOX"
2025/03/09 13:01:09 [error] 653#653: *1863 directory index of "/var/www/html/mx/temp/" is forbidden, client: 15.188.8.249, server: _, request: "GET /temp/ HTTP/1.1", host: "mx.домен.ру", referrer: "www.google.com"
2025/03/10 01:06:08 [error] 653#653: *3805 directory index of "/var/www/html/mx/temp/" is forbidden, client: 35.180.156.238, server: _, request: "GET /temp/ HTTP/1.1", host: "mx.домен.ру", referrer: "www.google.com"
openssl s_client -starttls smtp -connect mx.домен.ру:25 | openssl x509 -noout -dates 2>/dev/null | grep notAfter | cut -d’=’ -f2
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E6
verify return:1
depth=0 CN = mx.домен.ру
verify return:1
May 18 09:13:58 2025 GMT
250 CHUNKING
openssl s_client -starttls smtp -connect mx.домен.ру:25 -showcerts
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E6
verify return:1
depth=0 CN = mx.домен.ру
verify return:1
---
Certificate chain
0 s:CN = mx.домен.ру
i:C = US, O = Let's Encrypt, CN = E6
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
v:NotBefore: Feb 17 09:13:59 2025 GMT; NotAfter: May 18 09:13:58 2025 GMT
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
1 s:C = US, O = Let's Encrypt, CN = E6
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=CN = mx.домен.ру
issuer=C = US, O = Let's Encrypt, CN = E6
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2624 bytes and written 432 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 CHUNKING
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 4F5FDF10CD44AC8DDFB8698F057141F28456D41E56AD42DCAB6B39314A9F7CA7
Session-ID-ctx:
Resumption PSK: C36FECD049976F61661FD4F4A34A06F49CDFE82DA39471389D518CCBC4D2459F667FB515DBFA6C45B503A91B3585FE6C
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
....
Start Time: 1741657229
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
500 5.5.2 Error: bad syntax
500 5.5.2 Error: bad syntax
500 5.5.2 Error: bad syntax