Email Notification: STARTTLS fails against Lets Encrypt Certificate

[tunloop]

Description

Looks like this was discussed a bit here: #3843
But this looks like an actual bug to me.

Email notifications appear to be completely broken where SMTPd uses Lets Encrypt certificates.

Version

1.33.2

Steps to Reproduce

1. Have a email server with a Lets Encrypt certificate setup
2. Setup Overseerr email notification to connect to the email server
3. Attempt test notification
4. Observe below logs

Screenshots

No response

Logs

Overseerr failed notification log

{
 "errorMessage": "unable to get local issuer certificate",
 "recipient": "admin",
 "subject": "Test Notification",
 "type": "TEST_NOTIFICATION"
}


Postfix Logs

<22>Feb  1 21:24:27 mail postfix/submission/smtpd[514373] disconnect from unknown[172.20.22.2] ehlo=1 starttls=0/1 commands=1/2
<22>Feb  1 21:24:27 mail postfix/submission/smtpd[514373] lost connection after STARTTLS from unknown[172.20.22.2]
<22>Feb  1 21:24:27 mail postfix/submission/smtpd[514373] SSL_accept error from unknown[172.20.22.2]: lost connection
<22>Feb  1 21:24:27 mail postfix/submission/smtpd[514373] connect from unknown[172.20.22.2]


Openssl connect from Overseerr host

$ openssl s_client -starttls smtp -connect mail.domain.com:587 -CAfile /etc/ssl/certs/ca-certificates.crt 
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X2
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E6
verify return:1
depth=0 CN = mail.domain.com
verify return:1
---
Certificate chain
 0 s:CN = mail.domain.com
   i:C = US, O = Let's Encrypt, CN = E6
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Jan  7 05:28:48 2025 GMT; NotAfter: Apr  7 05:28:47 2025 GMT
 1 s:C = US, O = Let's Encrypt, CN = E6
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X2
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---
subject=CN = mail.domain.com
issuer=C = US, O = Let's Encrypt, CN = E6
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2206 bytes and written 440 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 CHUNKING
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1738473457
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

Platform

desktop

Device

Laptop

Operating System

Debian 12

Browser

Firefox

Additional Context

Please let me know if I can provide additional debug information (the debug log entry is fairly light for a debug log...)

Code of Conduct

• I agree to follow Overseerr's Code of Conduct