Outlook Pop Up for SSL

Hi,

Please help me with this: I’m securing our mail server with Let’s Encrypt SSL and multi-domain. Recently, I renewed the SSL using certbot, but Outlook started to warn about SSL.


I have tried all domains in the SSL and also the real FQDN of the server. All attempts make Outlook complain about the SSL.

Any ideas please?

Hi @marwan

What's your domain name?

The mail server is mail1.tech-works.me. I have other domain aliases: mail.rigid-parts.com, mail.swas-sa.com and more.

If you are going to do an SSL test, I have done some security modifications on Dovecot and Postfix, so SSL testing will surely give you some kind of errors. But even before my security changes, Outlook was complaining about SSL.

Your Dovecot configuration is using a self-signed certificate different from the Let’s Encrypt certificate that was created by Certbot. If you look at the Dovecot configuration, you should find that it’s referring to something other than the files in /etc/letsencrypt/live.

I think I have this part covered. Below is the Dovecot config file at /etc/dovecot/conf.d/10-ssl.conf:

```
##
## SSL settings
##

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = required

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/letsencrypt/live/mail.tech-works.me/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.tech-works.me/privkey.pem

# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
ssl_key_password =

# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
ssl_ca =

# Require that CRL check succeeds for client certificates.
ssl_require_crl = yes

# Directory and/or file for trusted SSL CA certificates. These are used only
# when Dovecot needs to act as an SSL client (e.g. imapc backend). The
# directory is usually /etc/ssl/certs in Debian-based systems and the file is
# /etc/pki/tls/cert.pem in RedHat-based systems.
ssl_client_ca_dir =
ssl_client_ca_file =

# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
ssl_verify_client_cert = no

# Which field from certificate to use for username. commonName and
# x500UniqueIdentifier are the usual choices. You'll also need to set
# auth_ssl_username_from_cert=yes.
ssl_cert_username_field = commonName

# DH parameters length to use.
ssl_dh_parameters_length = 1024

# SSL protocols to use
ssl_protocols = !SSLv2 !SSLv3

# SSL ciphers to use
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

# Prefer the server's order of ciphers over client's.
ssl_prefer_server_ciphers = no

# SSL crypto device to use, for valid values run "openssl engine"
ssl_crypto_device =
```

Hmmm, that’s strange! Do you have any kind of proxy in between Dovecot and the Internet?

If you run `openssl x509 -text -noout -in /etc/letsencrypt/live/mail.tech-works.me/fullchain.pem`, does it confirm that this is the certificate issued by Let’s Encrypt?

No proxy at all. I did run the command; here you go:

```
Subject: CN=mail.tech-works.me
X509v3 Subject Alternative Name:
    DNS:mail.abchami.com, DNS:mail.alju.com.sa, DNS:mail.alnafitha.sa, DNS:mail.auto-works.cc, DNS:mail.rigid-parts.com, DNS:mail.swas-sa.com, DNS:mail.tech-works.me, DNS:mail1.tech-works.me

Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Validity
    Not Before: Apr 23 16:31:26 2019 GMT
    Not After : Jul 22 16:31:26 2019 GMT
Subject: CN=mail.tech-works.me
```

Using

```
openssl s_client -connect mail1.tech-works.me:110 -starttls pop3
```

there is the self-signed certificate:

```
depth=0 C = SA, ST = Jeddah, L = Jeddah, O = Tech Works, CN = mail1.tech-works.me, emailAddress = marwan@tech-works.me
verify error:num=18:self signed certificate
```

Same with

```
openssl s_client -connect mail1.tech-works.me:995
```

Is it possible to find the files of that certificate?

Can you please tell me where it is? I’m lost. Below is the Postfix config:

```
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

# TLS parameters
#smtpd_tls_cert_file = /etc/postfix/smtpd.cert
#smtpd_tls_key_file = /etc/postfix/smtpd.key
#smtpd_tls_cert_file = /etc/ssl/private/fullchain.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.domain.tld/fullchain.pem
#smtpd_tls_key_file = /etc/ssl/private/privkey.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.domain.tld/privkey.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/mail.domain.tld/chain.pem
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail1.domain.tld
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
myorigin = /etc/mailname
mydestination = mail1.domain.tld, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains =
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfi$
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf
virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postf$
smtpd_tls_security_level = may
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps virtu
smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re , permit_mynetworks, permit_sasl_authenticated, check$
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_client_message_rate_limit = 100
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = dovecot
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
owner_request_special = no
smtp_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
message_size_limit = 0
smtpd_milters = inet:127.0.0.1:12345
milter_connect_macros = j {daemon_name} {client_connections} {client_addr} {client_ptr} v
milter_default_action = accept
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
smtpd_restriction_classes = greylisting
greylisting = check_policy_service inet:127.0.0.1:10023
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostn$
smtpd_tls_exclude_ciphers = RC4, aNULL
smtp_tls_exclude_ciphers = RC4, aNULL

smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
```

I think everything related to self-signed SSL is commented out. What do you think?

Did you restart Dovecot?

Yes, many times. I’m really lost.

Perhaps there is another config file.

Or you have a second installation.

Nope. This is installed and managed by ISPConfig.

Are there options to configure that? If not, it may be impossible.

Or ask your ISP.

I’m the one who installed the ISPConfig CP, so I’m sure there is no other installation. Did you notice anything unusual in the config files?

Maybe check if this path is referenced in any other active configuration file:

```
sudo grep -r /etc/ssl/private /etc
```

I think both Postfix and Dovecot are not serving the CA certificates. I see even Thunderbird says: "Couldn’t verify the server certificate", which means only the server cert was delivered, not the CA nor the full chain.

Any suggestions?
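The two checks discussed in this thread, the per-port `openssl s_client` probe that exposed the self-signed certificate on 110/995 and the "only the leaf, no chain" symptom Thunderbird reported, can be run in one pass. This is an added diagnostic script, not the poster's configuration or anything from ISPConfig; it assumes `openssl` is on PATH and takes the hostname and fullchain.pem path from the thread as arguments (substitute your own). It compares the SHA-256 fingerprint of the leaf each daemon actually presents with the Let's Encrypt file on disk, so a port still serving a different certificate shows up immediately.

```shell
#!/bin/sh
# Added diagnostic for the thread above (not the poster's or ISPConfig's code).
# Assumes openssl(1) is installed. Usage:
#   sh mailtls-check.sh mail1.tech-works.me /etc/letsencrypt/live/mail.tech-works.me/fullchain.pem

# SHA-256 fingerprint of the first (leaf) certificate in a PEM file ("-in FILE") or on stdin.
leaf_fp() { openssl x509 -noout -fingerprint -sha256 "$@" 2>/dev/null | sed 's/^.*=//'; }

# Raw s_client transcript for $HOST:$1; $2 is the STARTTLS protocol, or empty for implicit TLS.
probe() {
  if [ -n "$2" ]; then
    openssl s_client -connect "$HOST:$1" -servername "$HOST" -starttls "$2" </dev/null 2>&1
  else
    openssl s_client -connect "$HOST:$1" -servername "$HOST" </dev/null 2>&1
  fi
}

# Classify an s_client transcript read from stdin. OpenSSL error 18/19 is a
# self-signed certificate (what the thread saw on 110 and 995); 20/21 means the
# leaf arrived without its intermediate (the "couldn't verify" symptom in Thunderbird).
classify() {
  out=$(cat)
  case "$out" in
    *"verify error:num=18:"*|*"verify error:num=19:"*) echo SELF_SIGNED ;;
    *"verify error:num=20:"*|*"verify error:num=21:"*) echo INCOMPLETE_CHAIN ;;
    *"Verify return code: 0 (ok)"*) echo OK ;;
    *) echo UNREACHABLE_OR_UNKNOWN ;;
  esac
}

main() {
  HOST=$1
  want=$(leaf_fp -in "$2")
  [ -n "$want" ] || { echo "cannot read a certificate from $2" >&2; return 2; }
  # port:starttls-protocol pairs; an empty protocol means implicit TLS (SMTPS/IMAPS/POP3S)
  for spec in 25:smtp 587:smtp 143:imap 110:pop3 465: 993: 995:; do
    port=${spec%%:*}; proto=${spec#*:}
    transcript=$(probe "$port" "$proto")
    verdict=$(printf '%s\n' "$transcript" | classify)
    got=$(printf '%s\n' "$transcript" | leaf_fp)
    if [ "$got" = "$want" ]; then match="leaf matches $2"; else match="leaf DIFFERS from $2"; fi
    echo "port $port: $verdict ($match)"
  done
}

if [ "$#" -eq 2 ]; then main "$@"; else echo "usage: $0 HOST FULLCHAIN_PEM" >&2; fi
```

Any port reporting SELF_SIGNED or a differing fingerprint is being served by a daemon (or a listener in another config file) that does not read the Let's Encrypt files, which is the next place to look.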