Postfix/Dovecot Certificate - Outlook warning

Hello,

I've installed Postfix and Dovecot on my v-server. Now I want to secure the mail servers and generated a Let's Encrypt certificate.
The certificates are added to the config files and the IMAP client (Outlook) gets them.
But every time I open a connection from the client to the server, Outlook says the certificate is not secure because it's self-hosted.
How can I prevent that?

Please either show the public cert file or give the FQDN and port it is served from.

Is it possible that you simply forgot to reload or restart the Postfix and Dovecot services after changing their configuration?

Postfix isn’t sending the intermediate certificate. Can you post the Postfix TLS configuration?

TLS settings

TLS for outgoing mails from the server to another server

smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes

TLS for incoming connections (clients or other mail servers)

smtpd_tls_security_level = may
#smtpd_tls_cert_file = /etc/ssl/server/v22017103285354056.luckysrv.de.pem
#smtpd_tls_key_file = $smtpd_tls_cert_file
#smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
#smtpd_tls_loglevel = 1
#smtpd_tls_received_header = yes

smtpd_tls_cert_file= /etc/ssl/froxlor-custom/patchfox.de.crt
smtpd_tls_key_file= /etc/ssl/froxlor-custom/patchfox.de.key
smtpd_tls_loglevel=1
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

Where does /etc/ssl/froxlor-custom/patchfox.de.crt come from? Which client did you use?

This certificate comes from the Froxlor web panel. It's an admin panel for webspaces, which has a Let's Encrypt function included.
But before I added this certificate to the config file, I built and used a certificate with a standalone creator from GitHub.
Here’s the code:

certbot certonly --standalone -d Domain-Name

Please show the files in the /etc/ssl/froxlor-custom/ folder.
Maybe there is one that has the cert with the chain.

Searching the Internet I found the following, which may be helpful
(your config shows the CAfile remmed out):

Postfix:
smtpd_tls_cert_file = /etc/ssl/froxlor-custom/mail.xxx.crt
smtpd_tls_key_file = /etc/ssl/froxlor-custom/mail.xxx.key
smtpd_tls_CAfile = /etc/ssl/froxlor-custom/mail.xxx_CA.pem

Dovecot:
ssl_cert = /etc/ssl/froxlor-custom/mail.xxx.crt
ssl_key = /etc/ssl/froxlor-custom/mail.xxx.key
ssl_ca = /etc/ssl/froxlor-custom/mail.xxx_CA.pem

@rg305 The “CA” files you mention are for client certificate authentication. While it sometimes actually does work using those variables, they are not meant for sending the intermediate certificate.

Postfix and Dovecot expect a single file as “cert file” with the end leaf certificate followed by the intermediate certificate.

@Osiris So, what do I have to do now? I got these files from the generators:
xxx.crt
xxx.key
xxx_Ca.pem
xxx_chain.pem

Check if xxx_chain.pem contains xxx.crt as well as xxx_Ca.pem and if it does, use xxx_chain.pem as smtpd_tls_cert_file.

And do a postfix reload before you test it :wink:

@Osiris No, the xxx_chain.pem only contains the xxx_CA.pem.

But I checked the files in the other directory (which I created with the standalone creator).
The fullchain.pem contains cert.pem and the chain.pem.

I tested both (fullchain.pem and chain.pem for smtpd_tls_cert_file), but the warning still pops up.

smtpd_tls_cert_file= /etc/letsencrypt/live/patchfox.de/fullchain.pem
smtpd_tls_key_file= /etc/letsencrypt/live/patchfox.de/privkey.pem

So they are actually the same file? That's strange...

Using fullchain.pem and reloading Postfix should work... The chain is good now anyway:

Certificate chain
 0 s:/CN=patchfox.de
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

OpenSSL doesn't complain any longer, says it's a valid connection.

Can you post a screenshot of the current error?

Sorry, it's in German but I can translate it if you need.

The error “Der Zielprinzipalname ist falsch.” makes me think it has something to do with the FQDN in the certificate (patchfox.de) which isn’t recognised.

Do you use patchfox.de as the server or do you use another hostname in Outlook?
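A check for the two things raised above: Osiris's rule that the cert file must hold the leaf first and then the intermediate that issued it, and the hostname mismatch behind the “Zielprinzipalname” error. This is an added example, not code from the thread; it assumes openssl and awk are available, and the test data it builds (a throwaway CA standing in for the Let's Encrypt intermediate, signing a leaf for the made-up name mail.example.test) is constructed.

```shell
#!/bin/sh
# check_chain BUNDLE [HOSTNAME]: verify BUNDLE is what Postfix (smtpd_tls_cert_file)
# and Dovecot (ssl_cert) expect: the leaf certificate first, then the
# intermediate(s), each one the issuer of the certificate before it.
# With HOSTNAME, also check that the leaf covers the name clients connect to.
check_chain() {
  bundle="$1"; host="$2"
  tmp=$(mktemp -d)
  # split the bundle into one file per certificate: cert-0, cert-1, ...
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++} n > 0 {print > (d "/cert-" (n-1))}' "$bundle"
  i=0; prev_issuer=""
  while [ -f "$tmp/cert-$i" ]; do
    subj=$(openssl x509 -noout -subject -in "$tmp/cert-$i" | sed 's/^subject= *//')
    iss=$(openssl x509 -noout -issuer -in "$tmp/cert-$i" | sed 's/^issuer= *//')
    echo "$i subject: $subj"; echo "  issuer:  $iss"
    if [ "$i" -gt 0 ] && [ "$subj" != "$prev_issuer" ]; then
      echo "cert $i did not issue cert $((i-1)): wrong order or missing intermediate" >&2
      rm -rf "$tmp"; return 1
    fi
    prev_issuer="$iss"; i=$((i+1))
  done
  if [ "$i" -lt 2 ]; then
    echo "only $i certificate(s) in $bundle: the intermediate is missing" >&2
    rm -rf "$tmp"; return 1
  fi
  # the name in Outlook's server field must be covered by the leaf (cert-0)
  if [ -n "$host" ] && ! openssl x509 -noout -in "$tmp/cert-0" -checkhost "$host" | grep -q "does match"; then
    echo "leaf certificate does not cover $host" >&2
    rm -rf "$tmp"; return 1
  fi
  rm -rf "$tmp"
}

# make_test_bundle DIR: constructed test data only. A throwaway CA stands in
# for the Let's Encrypt intermediate and signs a leaf for mail.example.test.
make_test_bundle() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.pem" \
    -days 2 -subj "/CN=Test Intermediate CA" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
    -subj "/CN=mail.example.test" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
  cat "$d/leaf.pem" "$d/ca.pem" > "$d/fullchain.pem"    # correct: leaf, then its issuer
  cat "$d/ca.pem" "$d/leaf.pem" > "$d/wrong-order.pem"  # reversed: clients reject this
}

if [ -n "$1" ]; then check_chain "$1" "$2"; fi
```

Run it as `sh check_chain.sh /etc/letsencrypt/live/patchfox.de/fullchain.pem patchfox.de` before reloading Postfix or Dovecot; a certbot chain.pem on its own fails the second check because it carries only the intermediate.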

Hi @nintox,

Now your chain is OK for Postfix and Dovecot:

$ echo | openssl s_client -starttls imap -connect patchfox.de:143 2>/dev/null -servername patchfox.de | awk '/Certificate chain/,/---/'
Certificate chain
 0 s:/CN=patchfox.de
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

$ echo | openssl s_client -starttls smtp -connect patchfox.de:25 2>/dev/null | awk '/Certificate chain/,/---/'
Certificate chain
 0 s:/CN=patchfox.de
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

As far as I can see, your Outlook “problem” is this (sorry, screenshot is in Spanish):

And that means that you left Outlook to autodiscover the right conf to connect to your smtp and imap server, so it tries to connect to https://autodiscover.patchfox.de to get that info and the certificate received is a self-signed certificate:

$ echo | openssl s_client -connect autodiscover.patchfox.de:443 -servername autodiscover.patchfox.de | openssl x509 -noout -text
depth=0 C = DE, ST = BAWUE, L = STR, O = PATCHFOX, OU = IT, CN = PATCHFOX, emailAddress = mario.schuetzle@outlook.de
verify error:num=18:self signed certificate
verify return:1
depth=0 C = DE, ST = BAWUE, L = STR, O = PATCHFOX, OU = IT, CN = PATCHFOX, emailAddress = mario.schuetzle@outlook.de
verify return:1
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            ff:f6:4f:2d:71:30:4a:2d
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=DE, ST=BAWUE, L=STR, O=PATCHFOX, OU=IT, CN=PATCHFOX/emailAddress=mario.schuetzle@outlook.de
        Validity
            Not Before: Oct 10 17:05:41 2017 GMT
            Not After : Oct 10 17:05:41 2018 GMT
        Subject: C=DE, ST=BAWUE, L=STR, O=PATCHFOX, OU=IT, CN=PATCHFOX/emailAddress=mario.schuetzle@outlook.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
DONE

Conclusion: don't let Outlook autodiscover the conf; fill it in on your own.

Good luck,
sahsanu


Great job!
That could be it.

Do you know how I can disallow Outlook from doing autodiscovery?
You mean to fill in the IMAP config of Outlook on my own?

EDIT:
I filled it in on my own and it works. No warning pops up anymore.
Cool… @sahsanu big thanks to you!


@nintox Do note, however, that when you use the certificates which were issued through certbot, you'll have to use certbot to renew the certificates within 90 days too.

This can be as simple as running certbot renew and postfix reload in a (daily) cronjob. Check out the certbot documentation on how to invoke the postfix reload bit with one of the “hooks” available in certbot. That way you'd only have to put the certbot command in a cronjob with the Postfix reloading bit on the certbot command line of that cronjob.
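One way to do the hook part Osiris mentions, as an added example rather than anything from the thread or the certbot project. It assumes the script is installed as /usr/local/sbin/reload-mail.sh (an assumed path) and called via `certbot renew --deploy-hook /usr/local/sbin/reload-mail.sh` from the cron job; RENEWED_LINEAGE is the variable certbot sets for deploy hooks, and the patchfox.de lineage is the one from the main.cf posted above.

```shell
#!/bin/sh
# Certbot deploy hook: certbot runs it once per lineage it actually renewed,
# with RENEWED_LINEAGE set to that lineage's live directory.
# Lineage that Postfix/Dovecot load (from the thread's main.cf); override
# with the MAIL_LINEAGE environment variable if yours differs.
MAIL_LINEAGE="${MAIL_LINEAGE:-/etc/letsencrypt/live/patchfox.de}"

# 0 only when the renewed lineage is the mail certificate, so renewals of
# unrelated web-server certificates do not reload the mail daemons.
mail_cert_renewed() {
  [ "${1%/}" = "${MAIL_LINEAGE%/}" ]
}

# Reload (not restart) so running IMAP sessions survive; refuse to reload
# if Postfix rejects its own configuration.
reload_mail_servers() {
  postfix check || return 1
  systemctl reload postfix dovecot
}

if [ -n "$RENEWED_LINEAGE" ] && mail_cert_renewed "$RENEWED_LINEAGE"; then
  reload_mail_servers
fi
```

Certbot only invokes a deploy hook when a certificate was really renewed, so running `certbot renew` daily does not reload the mail servers on every run.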

