I have Freedombox installed on a rockpro64, on top of a Debian installation, with postfix/dovecot installed, and I used to send emails from multiple accounts on it, using Gnome Evolution from multiple distros (Trisquel, Parabola, Guix).
Today, when I try sending emails via my freedombox:
from Trisquel 11, Trisquel 12 or Guix system, I have a popup message saying it failed with “Error performing TLS handshake: An unexpected TLS packet was received.”
from Parabola, it works fine.
I send emails via freedombox infrequently. On one account, I see the last sent email (which was sent from Trisquel 12 most likely) on September 4th, so it was working at that time.
Sending emails using accounts relying on other email servers (not freedombox) works fine.
The Gnome Evolution versions (from the repos of the distro) are different:
Trisquel 11 (based on Ubuntu 22.04): 3.44.4-0ubuntu2
Trisquel 12 (based on Ubuntu 24.04): 3.52.3-0ubuntu1
Guix system: 3.54.3
Parabola (original package from Arch repository): 3.58.0
The diagnostics are all ok. I have Freedombox 25.13 and I see that postfix/dovecot were just updated.
Could it be that the recent postfix/dovecot update creates some problems with older Gnome Evolution versions? If so, is there some workaround?
I ran this on the freedombox and replaced my domain name with example.com:
Connecting to 192.168.10.238
CONNECTED(00000003)
depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
verify return:1
depth=1 C=US, O=Let's Encrypt, CN=E8
verify return:1
depth=0 CN=example.com
verify return:1
---
Certificate chain
0 s:CN=example.com
i:C=US, O=Let's Encrypt, CN=E8
a:PKEY: EC, (prime256v1); sigalg: ecdsa-with-SHA384
v:NotBefore: Oct 11 04:01:15 2025 GMT; NotAfter: Jan 9 04:01:14 2026 GMT
1 s:C=US, O=Let's Encrypt, CN=E8
i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
a:PKEY: EC, (secp384r1); sigalg: sha256WithRSAEncryption
v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---
Server certificate
subject=CN=example.com
issuer=C=US, O=Let's Encrypt, CN=E8
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ecdsa_secp256r1_sha256
Peer Temp Key: X25519, 253 bits
---
SSL handshake has read 2623 bytes and written 1664 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 CHUNKING
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: F6BED9A4EBCF6F3271232DBDC72C4F854EFEF62B7F6B2A7D0901B6FA037CC3E7
Session-ID-ctx:
Resumption PSK: 188955B8BE752B18F0F8F099EE91A000C82D30C7DB21C83C59195F65065143869848984E9C7B643ED7498661613DCF9F
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
Start Time: 1760545757
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
Currently, I am traveling and I only have the computer on which it works. On it, Evolution is configured to use port 465, ciphering method is TLS on dedicated port, authentication type is set to “connection”.
To set up Evolution, I ask to save Evolution data on one computer and restore them on another computer, so I expect the settings to be the same on the other computers, but I would need to check when I am back (next weekend).
There are two possible issues I can think of:
I can see that the certificate got issued the same day you wrote the post. It might be that the system time on your Trisquel machine is so badly skewed that it is somehow outside the validity of your certificate.
The other possibility is that on Trisquel you used the IP address instead of your FQDN in the Server field of your evolution settings. That would rightfully result in a certificate address mismatch. If this is the case, then on Parabola it’s either configured properly (using the FreedomBox FQDN) or it might be that Parabola disregards the mismatch.
After checking on computers on which it was not working, I found out that the settings to send emails on them were incorrect: it was set to use port 587 with TLS, while it should use StartTLS on this port. After changing the settings, it works. So no issue with Freedombox, just wrong settings on my side.
I’ll investigate how to more easily check Evolution settings. I have 18 email accounts configured on each computer, so looking at settings for each via the graphical interface is rather tedious.
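An added example, not part of the original thread: one way to check many accounts at once is to read Evolution's per-account key files and flag SMTP transports whose port and TLS mode disagree, which is the misconfiguration found above. It assumes the files live in `~/.config/evolution/sources/*.source` and use `[Authentication]` `Host`/`Port`, a `[Mail Transport]` group and `[Security]` `Method` with the values shown; verify these names against one of your own files first.

```python
import configparser
from pathlib import Path

# Conventional pairing of SMTP submission port and TLS mode. The Method strings
# are assumed to be the values Evolution writes to its [Security] group.
EXPECTED = {465: "ssl-on-alternate-port", 587: "starttls-on-standard-port"}

def audit_transport(text):
    """Return (host, port, method, ok) for a mail-transport source, else None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # key-file keys are case-sensitive
    cp.read_string(text)
    if not cp.has_section("Mail Transport"):
        return None  # identity, calendar, address book: not a transport
    host = cp.get("Authentication", "Host", fallback="")
    raw_port = cp.get("Authentication", "Port", fallback="")
    port = int(raw_port) if raw_port.isdigit() else 0
    method = cp.get("Security", "Method", fallback="none")
    expected = EXPECTED.get(port)
    # Ports other than 465/587 are reported as ok: no convention to compare to.
    return host, port, method, expected is None or method == expected

def audit_dir(directory):
    """Return (file, host, port, method) for every mismatching transport."""
    findings = []
    for path in sorted(Path(directory).expanduser().glob("*.source")):
        try:
            result = audit_transport(path.read_text(encoding="utf-8", errors="replace"))
        except configparser.Error:
            continue  # not a parseable key file; skip it
        if result and not result[3]:
            findings.append((path.name, *result[:3]))
    return findings

# Constructed sample: implicit TLS configured on port 587, as in the thread.
SAMPLE_BAD = """\
[Data Source]
DisplayName=example account
[Authentication]
Host=example.com
Port=587
[Mail Transport]
BackendName=smtp
[Security]
Method=ssl-on-alternate-port
"""
SAMPLE_GOOD = SAMPLE_BAD.replace("Port=587", "Port=465")

if __name__ == "__main__":
    print(audit_transport(SAMPLE_BAD), audit_transport(SAMPLE_GOOD))
    for finding in audit_dir("~/.config/evolution/sources"):
        print("MISMATCH", finding)
```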