Outlook 2007 fail to see Letsencrypt certificate


#1

My Ubuntu 18 server has iRedMail and hosts email for a few domains. My server mail.abc.com generated a Self Signed Certificate (10 years) On top I also generated a Letsencrypt certificate for this server FQDN. In addition my hosted email domains (mail.def.com and mail.xyz.com) also have certificates from Letsencrypt for Nginx. When I try to connect Outlook 2007 to these domains to access email, alert is raised that mail.abc.com is not from a trusted source as it can’t be verified. The details shown at this stage are of Self Signed Certificate.
What do I have to change to make the Outlook see the Letsencrypt issued certificate!
Thanks for the guidance.
Aurum


#2

Hi @Aurum,

Please tell us your server’s real domain name.

Also, how did you generate your Let’s Encrypt certificate, and how did you then install it on your server?


#3

Hello @schoen
Real domain name : mail.aurumhosts.com
Instruction Used: certbot-auto --nginx -d mail.aurumhosts.com
It has created files in the etc/letsencrypt/…


#4

Thanks @Aurum.

So, two things about your situation:

First, I’m not sure that the Certbot command you ran successfully issued your certificates! If it had, we should be able to see them at

https://crt.sh/?Identity=mail.aurumhosts.com&iCAID=16418

unless you issued them only a few minutes ago. But I don’t see anything there and so I think the issuance might not have been successful. Do you remember what the output from the Certbot command was? Did it say “Congratulations” and tell you where to find the certificates? (You can also check in /var/log/letsencrypt for more details about the outcome.)

Currently when I connect to your server via HTTPS, I see that it seems to be running LiteSpeed, not nginx. Are you sure that this server is running nginx and that nginx can receive incoming connections on port 80? That would normally be necessary in order for the certbot-auto --nginx -d mail.aurumhosts.com command to work.

Certbot will always create some files in /etc/letsencrypt, but the important ones that will only exist when a certificate has been successfully created will be in /etc/letsencrypt/live—do you have those?

Second, although I don’t think this is the most important problem yet, when you’re running multiple Internet services on a single machine (for example, an HTTPS service and an IMAPS service), each one can have its own separate certificate configuration. Right now your machine does listen for HTTPS on port 443 and IMAPS on port 993, and those are probably different software applications that will have to be separately configured. Unfortunately, Certbot’s --nginx currently only configures nginx which will, when it works, make your web service work properly with HTTPS from a browser.

Currently Certbot does not configure other software like Dovecot, which would be necessary to make IMAPS services work for a mail client.

https://docs.iredmail.org/used.components.html

Probably using Let’s Encrypt certificates on your iRedMail system will require some manual configuration of Postfix and Dovecot, at least, in order to make use of your Let’s Encrypt certificates for e-mail purposes. We’re still working on providing a way for Certbot to do this automatically. (Perhaps the iRedMail developers have already integrated an option to automate this process? It seems like it would be a commonly-requested feature for their users.)


#5

Hi @schoen,
My apology, the server is mailex.aurumhosts.com. Yes when installed it did Congratulate and I see all the 4 files in the /etc/letsencrypt/live folder.
Regarding the second part, yes could be the case - what would you suggest me to do to avoid Outlook message where I am using only pop3/smtp protocols over SSL.


#6

Oh, OK! It looks like only the 2nd part of my post is relevant, and I think it does explain the problem. Certbot currently doesn’t know how to install certificates into Dovecot and Postfix. However, you can use the same certificate simultaneously for nginx, Dovecot, Postfix, and other software.

Basically, you’ll have to edit the Dovecot and Postfix configuration files to point them at the files in /etc/letsencrypt/live instead of the self-signed certificate. You should be able to find documentation online about how to do that if you find it unintuitive, or perhaps iRedMail has some related documentation available. It’s also possible that iRedMail has a control panel to allow you to choose the location of existing files on the filesystem to be used as the certificate and private key for Dovecot and Postfix, but I’m not familiar with iRedMail so I don’t know whether that’s the case.


#7

Hi @schoen,
Thank you for the guidance. Sure I’ll dig it out further within your given guideline.
Cheers.


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.