Letsencrypt Postfix & Dovecot on iPhone Mail Client


#1

Hi @all,

today my Comodo certificates stopped working.

I installed certbot and now I am using Let's Encrypt with Postfix & Dovecot.

On my Windows client I am using Thunderbird without problems.

But my iPhone told me “no valid certificate”.

Can I use Let's Encrypt certificates with my iPhone 7 on iOS 11.4, or is Apple blocking this kind of certificate?

Tnx


#2

Hi,

What server software are you using? (Are you using cPanel / WHM ?)

You could use it. The error might be due to misconfiguration.


#3

How did you configure Postfix and Dovecot? Specifically, which files did you use in those configurations?

Also, what is or are the host names in question, so we can see for ourselves?


#4

Hi,

the host is mail.deißner.de.

Now Thunderbird said: “no valid certificate” :frowning:

Postfix main.cf
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.xn--deiner-dta.de/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.xn--deiner-dta.de/privkey.pem

smtp_tls_cert_file=/etc/letsencrypt/live/mail.xn--deiner-dta.de/fullchain.pem
smtp_tls_key_file=/etc/letsencrypt/live/mail.xn--deiner-dta.de/privkey.pem

and Dovecot:

ssl = yes
ssl_cert = </etc/letsencrypt/live/mail.xn--deiner-dta.de/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.xn--deiner-dta.de/privkey.pem


#5

Both Postfix and Dovecot appear to be serving the Let’s Encrypt certificate + intermediate correctly.

My iPhone did not have a problem trying to talk to your POP3S or IMAPS services.

How do you have Thunderbird configured?

I wonder if this is a domain normalization problem. If you set the mail server to mail.xn--deiner-dta.de, does it work then?


#6

I have used the IDN-formatted hostname since 2013… :wink:


#7

My father is using Thunderbird on his Linux notebook: Thunderbird 52.8.0 (64-bit version).

He got the message from Thunderbird for the IMAP & SMTP connection:

My mother is using Outlook Express “Version 2012 (Build 16.4.3528.0331)” with SSL; she has no messages from Outlook Express.


#8

Did you also have the same error with your previous Comodo certificate, or did it simply expire normally?

I wonder if the version of iOS that you’re using might have updated in a way that created a new IDN-related bug that didn’t previously exist.


#9

No, no problems with the Comodo certificate from PSW.de.

If you want, I am able to set up a new server with a non-IDN domain for testing.


#10

In the beginning of the thread you wrote

In what way did they stop working?


#11

The usage period was over; I had to renew by paying Comodo.


#12

I’m confused about what your previous setup was, because I don’t see any Comodo certificates logged at

https://crt.sh/?Identity=%.xn--deiner-dta.de

I only see the new Let’s Encrypt certificate and some mysteriously short-lived old StartCom wildcard certificates. I would expect Comodo to have logged the certificate if it had issued it recently.

Is it possible that your old certificate literally specified the Unicode form “mail.deißner.de”?


#13

The Comodo certificate ran from 21.6.2017 to 21.6.2018, so I wanted to get the new certificate from Let's Encrypt.

Where do you see StartCom certificates?


#14

I saw it. I tested StartCom 2 years ago…


#15

Oh dear, I am a bloody fool.

I did not comment out the lines:

smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_CApath = /etc/ssl/certs/

in my Postfix main.cf. I am so sorry :frowning:


#16

I’m glad to know that we and Apple don’t have a new bug related to the handling of IDNs! :world_map:


#17

It is an Apple problem.

I deleted my mail account from my iPhone, restarted the iPhone and created the account.

All is OK.

I think the iPhone is saving the certificate data somewhere, and if you get a new certificate there is a problem.


#18

But I have another problem:

Is there a root certificate missing?

I have Debian 8.

https://de.ssl-tools.net/mailservers/mail.xn--deiner-dta.de


#19

Now it is a “COMODO RSA Domain Validation Secure Server CA” certificate, not from Let's Encrypt.

And it looks like your mail server doesn't find the root :frowning:


#20

It’s more likely the mailserver doesn’t send the required intermediate.
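The replies above settled the question by looking at what the mail server actually presents in the TLS handshake. Here is an added POSIX shell helper for doing that check (not code from the thread; host and port are arguments you supply): it pulls the chain with openssl s_client, counts the certificates sent, and reports whether the intermediate is missing, which is the symptom of serving cert.pem instead of fullchain.pem.

```shell
#!/bin/sh
# Added example, not from the thread: inspect the certificate chain a
# Postfix or Dovecot service presents and flag a missing intermediate.

# Fetch the chain a server presents. Ports seen in mail setups:
# 25/587 SMTP with STARTTLS, 143 IMAP STARTTLS, 110 POP3 STARTTLS,
# 993 IMAPS and 995 POP3S use implicit TLS (no STARTTLS flag needed).
fetch_chain() {
    host="$1"; port="$2"
    case "$port" in
        25|587) starttls="-starttls smtp" ;;
        143)    starttls="-starttls imap" ;;
        110)    starttls="-starttls pop3" ;;
        *)      starttls="" ;;
    esac
    # shellcheck disable=SC2086
    openssl s_client -connect "$host:$port" -servername "$host" \
        $starttls -showcerts </dev/null 2>/dev/null
}

# Count the PEM certificates in `openssl s_client -showcerts` output
# read from stdin (grep -c prints 0 and exits 1 when none match).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Verdict from the count: a Let's Encrypt leaf must be accompanied by at
# least one intermediate, so a lone certificate means the server is
# configured with cert.pem (or an equivalent misconfiguration) rather
# than fullchain.pem.
chain_verdict() {
    n="$1"
    if [ "$n" -ge 2 ]; then
        echo "ok: leaf plus $((n - 1)) intermediate(s) sent"
    elif [ "$n" -eq 1 ]; then
        echo "missing-intermediate: only the leaf certificate is sent"
    else
        echo "no-certificate: handshake failed or nothing returned"
    fi
}

# Usage: check_mail_tls mail.example.test 587
check_mail_tls() {
    n=$(fetch_chain "$1" "$2" | count_certs)
    chain_verdict "$n"
}
```

A client that reports "no valid certificate" only for some programs usually means exactly this: the client lacks a cached copy of the intermediate, so a server that omits it fails verification there while succeeding elsewhere.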