Let's Encrypt SSL mail certificate problem with Gmail webmail

Hello,

I've set up SSL certificates for my Postfix mail server using Let's Encrypt.

However, I am having a problem setting up POP3S on Gmail so that users can view and send email from the Gmail web client.

Gmail gives the error: "There was a problem connecting to mail.hataricloud.com
Server returned error: "Connection timed out: There may be a problem with the settings you added. Please contact your other email provider to verify the correct server name and port.""

Gmail says that for a certificate to be valid it needs to chain up to a valid CA, which I believe Let's Encrypt is. What could be the problem? I've been trying to resolve this for weeks. Thanks a lot.

Dovecot configuration
/etc/dovecot/dovecot.conf

ssl_protocols = !SSLv2 !SSLv3
ssl = required
verbose_ssl = no
ssl_cert = </etc/letsencrypt/live/mail.hataricloud.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.hataricloud.com/privkey.pem

Postfix configuration
/etc/postfix/main.cf

# TLS parameters
smtpd_tls_CAfile = /etc/letsencrypt/live/mail.hataricloud.com/chain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.hataricloud.com/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.hataricloud.com/cert.pem

Testing the SSL certificate.
It looks okay.

root@mail /e/l/l/mail.hataricloud.com# openssl s_client -connect mail.hataricloud.com:995 -verify 9 -CApath /etc/letsencrypt/live/mail.hataricloud.com

verify depth is 9
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X1
verify return:1
depth=0 CN = mail.hataricloud.com
verify return:1

Certificate chain
0 s:/CN=mail.hataricloud.com
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Server certificate
subject=/CN=mail.hataricloud.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1

No client certificate CA names sent

SSL handshake has read 3186 bytes and written 453 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: A6DCE04CCEFB10CCC3E918C6F5FF1C4F148818BA4C29D24DE5A8813D0E8DEC9E
Session-ID-ctx:
Master-Key: 0519CB4C8434A6B00C30E5F20F4534C9583672BB827C4B334D6B94E834EFAC3FDFB155AE29988DB074270B6E4AD663A3
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:

Start Time: 1454240037
Timeout : 300 (sec)
Verify return code: 0 (ok)

+OK Dovecot (Ubuntu) ready.

POP3 and IMAP seem to be configured properly for TLS… With such a vague error message from GMail, I’ve got no clue where to proceed from this…

Unless GMail also checks the SMTP ports: your Postfix isn’t configured properly. It doesn’t serve the intermediate certificate. You should delete the smtpd_tls_CAfile directive (unless you’re using client certificate verification, which is unlikely) and point smtpd_tls_cert_file to fullchain.pem.

Connection timed out is normally an indication of a TCP error.
But another issue could be a problem with the random number generator if it takes too long to get good random numbers.

@Osiris I've made the changes but am still getting the same problem.

Meanwhile, the Gmail mobile app works just fine with these SSL certificates, without trouble!!

Yes, Postfix works correctly now :slightly_smiling: Too bad it didn't solve your problem with GMail, apparently..

I changed Dovecot's ssl_cert to fullchain.pem and Gmail accepted it.
Is this the correct solution?


Yes, fullchain.pem has all the "authorities" to validate the certificate. fullchain.pem is the one you should use.
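As an added example (not code from this thread or from Dovecot/Postfix), here is a small POSIX shell check for the point made above: it reads the output of openssl s_client -showcerts and reports whether the server sent the intermediate certificate, i.e. whether it is serving fullchain.pem rather than cert.pem alone. The check_server wrapper, the host/port placeholders and the abbreviated sample outputs are constructed for illustration.

```shell
# Count the certificates a server sent, reading "openssl s_client -showcerts"
# output on stdin: cert.pem alone gives 1, fullchain.pem gives 2 (leaf + intermediate).
count_served_certs() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }'
}

# Extract the numeric "Verify return code" from s_client output on stdin.
verify_code() {
    sed -n 's/^Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Read s_client output on stdin and print one verdict word.
classify_chain() {
    out=$(cat)
    n=$(printf '%s\n' "$out" | count_served_certs)
    code=$(printf '%s\n' "$out" | verify_code)
    if [ "$n" -lt 2 ]; then
        echo "missing-intermediate"   # only the leaf was served: switch to fullchain.pem
    elif [ "$code" = "0" ]; then
        echo "ok"
    else
        echo "verify-failed"          # chain served but not trusted (expired, wrong name, ...)
    fi
}

# Live check (hypothetical wrapper, needs network). It relies on the system trust
# store rather than -CApath, so a local chain.pem cannot mask a server omitting the intermediate.
check_server() {
    host=$1; port=$2   # e.g. 995 for POP3S, 993 for IMAPS, 465 for SMTPS
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null | classify_chain
}

# Constructed sample outputs (PEM bodies abbreviated) for an offline run.
SAMPLE_FULLCHAIN=' 0 s:/CN=mail.example.test
-----BEGIN CERTIFICATE-----
MIIB...leaf...
-----END CERTIFICATE-----
 1 s:/C=US/O=Example CA/CN=Example Intermediate
-----BEGIN CERTIFICATE-----
MIIB...intermediate...
-----END CERTIFICATE-----
Verify return code: 0 (ok)'

SAMPLE_LEAF_ONLY=' 0 s:/CN=mail.example.test
-----BEGIN CERTIFICATE-----
MIIB...leaf...
-----END CERTIFICATE-----
Verify return code: 21 (unable to verify the first certificate)'
```

Run check_server mail.example.test 995 (placeholder host) against a real endpoint; a "missing-intermediate" verdict is exactly the situation in this thread, fixed by pointing ssl_cert (Dovecot) or smtpd_tls_cert_file (Postfix) at fullchain.pem.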

Hey guys,

I had the same problem and I solved it with these instructions:

Btw, I'm using the Docker version.

https://github.com/mailcow/mailcow-dockerized/issues/156