Certificate failure for mail.domain.com: self signed certificate: /CN=mail.domain.com

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I have no issues :slight_smile: but I am asking for help. I have a Postfix server and Rukovoditel ERP, and I need to set up the email on the ERP email module, but I see this error when I press check the connection in the ERP.

What do I need to know to set up a secure channel between both servers?
The Postfix server has a valid working Let's Encrypt certificate.
I can provide the domain privately.

Check:

  • That Postfix is set up with the full certificate chain (leaf and intermediate, not just leaf).
  • That the certificate is available on both SMTPS and SMTP STARTTLS.

Hi @ahmedvolks

Additionally: do you use the correct domain name? Not an IP address, not a local name?

See the initial text:

I do not have an intermediate, or I do not know how to set it up. I will appreciate it if you give me a tutorial link to set it up on Postfix, Ubuntu 16.04.

It shows FQDN mail.domain.com

I see, and thank you for your interest. I can send it to you privately if you are interested.

Thanks in advance :slight_smile:
Reda

Sorry, I don't do private consultation, for me it's either public or not.

However you obtained your Let's Encrypt certificate, you should have received an intermediate certificate.

What file did you use for Postfix's smtpd_tls_cert_file?

I used nano /etc/postfix/main.cf
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

Thanks.

That's not using a Let's Encrypt certificate, that's the default self-signed certificate that comes with your operating system.

If you have a Let's Encrypt certificate already, you should update the above Postfix configuration file to use it.

I updated the file /etc/dovecot/conf.d/10-ssl.conf as below:

Commented these two lines:
#ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
#ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key

Added these three lines:

Let's Encrypt certificate:

ssl_cert = </etc/letsencrypt/live/mail.domain.com/cert.pem
ssl_key = </etc/letsencrypt/live/mail.domain.com/privkey.pem

Not working either.

I gather that you are now configuring POP3S/IMAPS for Dovecot?

You should use fullchain.pem rather than cert.pem.

Please be more specific about what isn't working. Without your domain name or an exact error message, we can't help you.

Thanks for your response. Yes, this is Dovecot. I will try and hope it works :slight_smile:
I really appreciate your help.

This is the error when I run cronjob on my own Rukovoditel (ERP) server:
/usr/bin/php /var/www/portal.domain.com/public_html/cron/email_fetch.php

PHP Warning: imap_open(): Couldn't open stream {mail.domain.com:993/imap/ssl}INBOX in /var/www/portal.domain.com/public_html/plugins/ext/classes/mail/mail_fetcher.php on line 38
Certificate failure for mail.domain.com: self signed certificate: /CN=mail.domain.com

And I have just updated as you replied on my Mail server file /etc/dovecot/conf.d/10-ssl.conf as below:

Commented these two lines:
#ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
#ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key

Added these three lines:

Let's Encrypt certificate:

ssl_cert = </etc/letsencrypt/live/mail.domain.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.domain.com/privkey.pem

Hope this helps.

The change you made looks correct, but I agree that your IMAPS server appears to still be using a self-signed certificate.

Did you restart the Dovecot service after making that configuration change?

No, I restarted Postfix. Let me try.

Restarted, then ran the cronjob again, and it now says:

PHP Warning: imap_open(): Couldn't open stream {mail.domain.com:993/imap/ssl}INBOX in /var/www/portal.domain.com/public_html/plugins/ext/classes/mail/mail_fetcher.php on line 38
Can not authenticate to IMAP server: [AUTHENTICATIONFAILED] Authentication failed.

That looks like a good result to me. Your Dovecot server is now serving the Let's Encrypt SSL certificate.

This is related to the username and password you are using to authenticate to IMAP in that PHP script.

I don't think it's related to your SSL issues.

Thank you. I will check it now.
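
The two misconfigurations found in this thread (the distribution's snakeoil certificate still referenced, and `cert.pem` used where `fullchain.pem` is needed) can be caught by auditing the Postfix and Dovecot settings directly. This is an added example, not part of the original posts; the function names are hypothetical and the sample configs are constructed from the lines quoted above.

```python
import re

# Constructed sample configs mirroring the settings quoted in the thread.
POSTFIX_MAIN_CF = """\
# /etc/postfix/main.cf (constructed sample)
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
"""
DOVECOT_SSL_CONF = """\
# /etc/dovecot/conf.d/10-ssl.conf (constructed sample)
#ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
ssl_cert = </etc/letsencrypt/live/mail.domain.com/cert.pem
ssl_key = </etc/letsencrypt/live/mail.domain.com/privkey.pem
"""
CERT_KEYS = {"smtpd_tls_cert_file", "ssl_cert"}
KEY_KEYS = {"smtpd_tls_key_file", "ssl_key"}


def parse_settings(text):
    """Return {key: path} for active 'key = value' lines; the last one wins."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # commented-out settings are inactive
            continue
        # Dovecot prefixes file paths with '<'; Postfix does not.
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*<?\s*(\S+)", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit_tls_paths(text):
    """Return (key, path, problem) tuples for the issues seen in the thread."""
    findings = []
    for key, path in parse_settings(text).items():
        if key not in CERT_KEYS | KEY_KEYS:
            continue
        name = path.rsplit("/", 1)[-1]
        if "snakeoil" in name:
            findings.append((key, path, "default self-signed certificate"))
        elif key in CERT_KEYS and "/letsencrypt/live/" in path and name == "cert.pem":
            findings.append((key, path, "leaf only; use fullchain.pem"))
    return findings


if __name__ == "__main__":
    for label, conf in (("postfix", POSTFIX_MAIN_CF), ("dovecot", DOVECOT_SSL_CONF)):
        for key, path, problem in audit_tls_paths(conf):
            print(f"{label}: {key} = {path}: {problem}")
```

A clean result only shows that the configured paths are right; as the thread shows, Dovecot kept serving the old certificate until the Dovecot service itself was restarted.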