How to ensure a smooth transition to Let's Encrypt SSL Cert?

I do have Postfix. And it does use an encrypted port (ports for POP3S, SMTPS etc.) and also I set Thunderbird Mail, so it would use an encrypted port. But like I said, I think I created a self-signed cert valid for like 10 years to use it with the mail. So what connection does it have with my old certificate I specifically obtained to use with Apache and HTTPS?

It needn’t have any connection, but you’re seeing weird symptoms, and if in fact for any reason Postfix is checking for those files you deleted that would explain those symptoms wouldn’t it? So might be a good time to check the Postfix config for any mention of the files you removed.

Like I said, Postfix uses another cert that I created. Moreover, Postfix does receive e-mail. If it weren’t then I wouldn’t be seeing new mail in web mail, would I?
I think it’s the Thunderbird Mail that causes this trouble.

Most incoming mail doesn’t use secure transport. You can still get e-mail even if you have a broken certificate since others won’t see it.

If you can provide some details on the server name, even privately, someone can look and see what you’re presenting for a certificate on IMAPS and SMTPS connections.

If you want to do this yourself, and have access to the openssl command, you can use a command like “openssl s_client -connect servername:port” to see the certificate chain presented.
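As an added illustration of that openssl check (example script, not from the original thread or from the openssl project), the helpers below wrap `openssl s_client` for the common mail ports, choosing STARTTLS where the port needs it, and also show offline what the "Verify return code: 18" seen on such a server means, using a self-signed certificate generated locally; the host name mail.example.com is a placeholder.

```bash
#!/bin/sh
# Added example: inspect the certificate a mail server presents and
# reproduce openssl's verify codes offline. Not code from the thread.

# Show subject, issuer, validity dates and the verify code for a live
# TLS service. Ports 25/587 (SMTP), 110 (POP3) and 143 (IMAP) negotiate
# TLS via STARTTLS; 465, 993 and 995 are TLS from the first byte.
# Usage (network required): check_mail_cert mail.example.com 995
check_mail_cert() {
  host=$1; port=$2
  case $port in
    25|587) opts="-starttls smtp" ;;
    110)    opts="-starttls pop3" ;;
    143)    opts="-starttls imap" ;;
    *)      opts="" ;;
  esac
  # Empty stdin so s_client disconnects once the handshake is done.
  out=$(printf '' | openssl s_client -connect "$host:$port" \
          -servername "$host" $opts 2>/dev/null)
  printf '%s\n' "$out" | openssl x509 -noout -subject -issuer -dates
  printf '%s\n' "$out" | grep 'Verify return code'
}

# Print the X509 verify error number openssl assigns to a cert file
# (18 = self-signed leaf not in the trust store, 10 = expired), or 0
# if the certificate chains to a trusted root. Offline.
verify_code() {
  code=$(openssl verify "$1" 2>&1 \
           | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  echo "${code:-0}"
}

# Exit 0 if the certificate expires within the given number of seconds,
# e.g. the "expires in two days" case: expires_within cert.pem 172800
expires_within() {
  ! openssl x509 -noout -in "$1" -checkend "$2" >/dev/null
}
```

A cert that verifies with code 18 is exactly what an MUA such as Thunderbird set to SSL/TLS will prompt about unless the self-signed cert has been accepted as an exception, while a code 10 cert is rejected by most clients outright.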

Do you mean that even an expired cert might be good enough for receiving e-mail?

I ran that command on 995 and 465 ports and in both cases I got a whole bunch of cert related info. And also this:
Verify return code: 18 (self signed certificate)
So I’m assuming that my mail servers use my self-signed cert?
No surprise here. Though it still doesn’t help me to investigate why removing my other cert had that strange side effect on Thunderbird Mail’s ability to present me a login box and to receive mail. I never configured any of my mail servers to use that cert that expires in two days. So why does removing it have any effect on receiving mail and on being able to log in properly to receive e-mails?

Most servers out there won't try to connect using TLS to deliver mail to your server. Some will, but will fall back to non-secure if the certificate is broken.

Not sure on your issue. I'm not good enough to diagnose remotely. Without seeing things directly, I honestly have no clue on why that is happening.

You can distinguish between SMTPS on port 465 and STARTTLS within SMTP on port 25. Most clients will not enforce certificate validity at all for STARTTLS, but will for SMTPS (if they’re using it).

STARTTLS is actually already supported by a majority of mailservers; I think there’s a more recent and more relevant study but one source of data on this is https://www.facebook.com/notes/protect-the-graph/the-current-state-of-smtp-starttls-deployment/1453015901605223

However, SMTPS will primarily be used for mail submission by MUAs running on individual users’ devices, while SMTP with optional STARTTLS will primarily be used for mail delivery between MTAs on different sites.

Thank you both for your replies!

schoen,
In Thunderbird Mail, in Server Settings there’s a drop-down menu and SSL/TLS is chosen by default. Though there’s also a STARTTLS option present. That means that my MUA does NOT use STARTTLS.
Also it’s set to connect on port 995. I’m talking about receiving. Sending was never an issue, so there’s no point even to discuss it here.

As of now, my old cert that I was using in Apache has expired. But I didn’t remove its files. Everything seems to be working, but the mystery remains unsolved. I still don’t understand why my MUA suddenly stopped showing a login box and receiving e-mails after I deleted my old expiring cert’s files. And also remember that both Postfix and Courier are configured to use my other cert (the self-signed one), which is valid, of course.