yep.
how to install a cert in a mailserver goes beyond my knowledge, though.
thanks… i’m going to try and use server.eyethrees.net as my mail server and see how that goes
no, wait. mail.eyethrees.net
is among the names for which that one cert is valid. you don’t need to change domain.
@9peppe good catch! Outta sight outta mind.
oh interesting… i cancelled the certbot --apache -d {list of my domains with the mail. one added} when it got to the point of asking about the vhost
and btw, i’m still not able to add the account in my iphone
i get the “cannot connect using ssl” message
i can send mail from the command line but iām not receiving mail
testing using online tools like mxtoolbox.com and mail-tester.com both show everything is ok
if I visit https://mail.eyethrees.net/ I get a self signed cert, you should really install the LE certificate
(ie: How to use Let's Encrypt certificates with Postfix/Dovecot software)
i have the LE cert in the dovecot and postfix configs
(at least i think so)
guess it’s time to doublecheck
@ccheath try dumping your cache on the iPhone. I had a similar issue on an iPad and after a short “DUH” moment (and dumping cache and history) it reloaded what I expected to see.
Might help
Rip
in safari?
hmm seems unrelated but i’ll give it a shot
have you restarted/reloaded both?
Just a thought… I now assume you’re using one of the mail apps.
yes i definitely have
yeah the main mail app
clearing the cache didn’t help
so i’m gonna post my postfix and dovecot configs maybe someone can see something wrong
doveconf -n
$ sudo doveconf -n
# 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-327.4.4.el7.centos.plus.x86_64 x86_64 CentOS Linux release 7.7.1908 (Core)
# Hostname: server.eyethrees.net
auth_mechanisms = plain login
first_valid_uid = 1000
mail_location = maildir:~/Maildir
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
protocols = imap
service auth {
  unix_listener auth-userdb {
    group = postfix
    mode = 0666
    user = postfix
  }
}
ssl_cert = </etc/letsencrypt/live/server.eyethrees.net/fullchain.pem
ssl_key = # hidden, use -P to show it
userdb {
  driver = passwd
}
postconf -n
$ sudo postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
home_mailbox = Maildir/
html_directory = no
inet_protocols = all
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
milter_default_action = accept
mydestination = $myhostname, localhost.$mydomain, $mydomain
myhostname = mail.eyethrees.net
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_milters = inet:127.0.0.1:8891
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination permit_sasl_authenticated
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/server.eyethrees.net/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/server.eyethrees.net/privkey.pem
smtpd_tls_security_level = may
unknown_local_recipient_reject_code = 550
virtual_alias_domains = eyethrees.net
virtual_alias_maps = hash:/etc/postfix/virtual
i think my problem is not with postfix or dovecot but with dns or maybe the self signed cert (which i’m trying to figure out how/why that is happening right now)
ok i’ve fixed the self-signed cert at mail.eyethrees.net to be the LE cert now
i had to create a mail.eyethrees.net vhost directory and entry in my httpd.conf
edit1: still not able to add the account in my iphone tho
edit2: when i try to use thunderbird to login it recognizes mail.eyethrees.net as an IMAP and SMTP server but it fails to complete setup of the account with a message that either the authentication or configuration is incorrect
is this helpful?
% nmap mail.eyethrees.net
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-07 22:50 CET
Nmap scan report for mail.eyethrees.net (108.161.131.209)
Host is up (0.16s latency).
rDNS record for 108.161.131.209: server.eyethrees.net
Not shown: 991 filtered ports
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
110/tcp closed pop3
143/tcp open imap
443/tcp open https
465/tcp closed smtps
587/tcp open submission
3306/tcp open mysql
10000/tcp open snet-sensor-mgmt
Nmap done: 1 IP address (1 host up) scanned in 11.23 seconds
(I see no imaps)
hmm interesting… i thought that imap itself was sufficient … let me go back to firewalld and see what i can see about imaps
smtps too, eh… smtp and imap are not going to be encrypted by themselves.
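
An added example, not part of any post in this thread: a small shell helper that reads an nmap port table like the one quoted above and reports, for each standard mail port, whether it is an implicit-TLS port (465, 993, 995) or a plaintext port that can only be secured by a STARTTLS upgrade (25, 110, 143, 587). The function names are made up for this example and the sample input is the scan from the thread.

```shell
#!/bin/sh
# Sample input: the port table from the nmap scan quoted in the thread.
sample_scan() {
cat <<'EOF'
PORT      STATE  SERVICE
25/tcp    open   smtp
80/tcp    open   http
110/tcp   closed pop3
143/tcp   open   imap
443/tcp   open   https
465/tcp   closed smtps
587/tcp   open   submission
3306/tcp  open   mysql
10000/tcp open   snet-sensor-mgmt
EOF
}

# Reads an nmap port table on stdin and prints "port state tls-mode"
# for each standard mail port. Ports missing from the table (nmap folds
# them into its "Not shown: N filtered ports" line) print as "not-shown".
mail_tls_report() {
  awk '
    BEGIN {
      mode[25] = mode[110] = mode[143] = mode[587] = "starttls-upgrade"
      mode[465] = mode[993] = mode[995] = "implicit-tls"
      n = split("25 465 587 143 993 110 995", order, " ")
    }
    $1 ~ /^[0-9]+\/tcp$/ { split($1, p, "/"); state[p[1] + 0] = $2 }
    END {
      for (i = 1; i <= n; i++) {
        port = order[i] + 0
        s = (port in state) ? state[port] : "not-shown"
        print port, s, mode[port]
      }
    }'
}

# Exit status 0 only when IMAPS (993) is reported open.
has_open_imaps() { mail_tls_report | grep -q '^993 open '; }

# Follow-up checks against the live server (need network access):
#   openssl s_client -connect mail.eyethrees.net:993
#   openssl s_client -connect mail.eyethrees.net:143 -starttls imap
```

Run `sample_scan | mail_tls_report` to see the table for the scan in the thread; piping real `nmap` output into `mail_tls_report` works the same way.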