Digging into the issue I decided to create an /smtp/ folder with an index.html file and test with curl.
curl -v -L -I https://www.mywebsite.com/smtp/index.html
Result:
* Trying XX.XX.XXX.XXX...
* TCP_NODELAY set
* Connected to www.mywebsite.com (XX.XX.XXX.XXX) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=*.mywebsite.com
* start date: Oct 9 00:00:00 2018 GMT
* expire date: Oct 9 12:00:00 2019 GMT
* subjectAltName: host "www.mywebsite.com" matched cert's "*.mywebsite.com"
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=RapidSSL RSA CA 2018
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x6ff558000300)
> HEAD /smtp/index.html HTTP/2
> Host: www.mywebsite.com
> User-Agent: curl/X.XX.X
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
* HTTP/2 stream 1 was not closed cleanly: INTERNAL_ERROR (err 2)
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (92) HTTP/2 stream 1 was not closed cleanly: INTERNAL_ERROR (err 2)
In access.log I found:
[06/Feb/2019:22:49:52 +0100] "HEAD /smtp/index.html HTTP/2.0" 444 0 "-" "curl/X.XX.X" "-"
At the end I discovered a (common) misconfiguration of nginx that blocks access to locations containing smtp and other strings:
# Block web attacks
location ~* (roundcube|webdav|smtp|http\:|soap|w00tw00t) {
    # 444 is nginx's non-standard code: close the connection without sending a response
    return 444;
}
Suggested here http://www.queryadmin.com/1071/deny-access-sensitive-files-nginx/ and on many other sites on the web. I think this is a common nginx configuration.
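To find which URLs the rule above is silently dropping, the access log can be audited for 444 responses whose path contains one of the rule's keywords. This is an added example, not part of the original post: the sample log lines are constructed in the format of the access.log entry above, the function names are hypothetical, and percent-decoding of the URI is not emulated.

```python
import re
from collections import Counter

# The location regex from the nginx snippet above. nginx "~*" is a
# case-insensitive, unanchored match against the URI path (no query string).
BLOCK_RULE = re.compile(r"(roundcube|webdav|smtp|http\:|soap|w00tw00t)", re.IGNORECASE)

# Request line and status as they appear in the access.log line quoted above.
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')


def blocked_by(target):
    """Return the keyword that makes the rule fire for this request target, or None."""
    path = target.split("?", 1)[0]  # location matching ignores the query string
    m = BLOCK_RULE.search(path)
    return m.group(1).lower() if m else None


def audit(log_lines):
    """Count 444 responses per (path, keyword) that the block rule explains."""
    hits = Counter()
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m or m.group("status") != "444":
            continue
        keyword = blocked_by(m.group("target"))
        if keyword:
            hits[(m.group("target").split("?", 1)[0], keyword)] += 1
    return hits


# Constructed sample lines (hypothetical paths) in the format of the entry above.
SAMPLE_LOG = [
    '[06/Feb/2019:22:49:52 +0100] "HEAD /smtp/index.html HTTP/2.0" 444 0 "-" "curl/X.XX.X" "-"',
    '[06/Feb/2019:22:50:10 +0100] "GET /shop/Soap-bars.html HTTP/2.0" 444 0 "-" "Mozilla/5.0" "-"',
    '[06/Feb/2019:22:50:31 +0100] "GET /shop/Soap-bars.html HTTP/2.0" 444 0 "-" "Mozilla/5.0" "-"',
    '[06/Feb/2019:22:51:02 +0100] "GET /index.html?q=smtp HTTP/2.0" 200 512 "-" "Mozilla/5.0" "-"',
    '[06/Feb/2019:22:51:40 +0100] "PROPFIND /webdav/ HTTP/1.1" 444 0 "-" "-" "-"',
]

if __name__ == "__main__":
    for (path, keyword), count in audit(SAMPLE_LOG).most_common():
        print(f"{count:3d}  {path}  (matched '{keyword}')")
```

Paths in the output that correspond to real content on the site are false positives of the rule; the keyword shows which alternative of the regex caught them.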