Ubuntu Apache Postfix SSL

Hello.
My domain - makalika.live
I have several sites there, but I am constantly having problems with mail delivery to Gmail. After checking with this tool:

//email/testTo:

"CertDetail" I got the following warning:

Certificate 1 of 1 in chain: Cert VALIDATION ERROR(S): self signed certificate
So email is encrypted but the recipient domain is not verified
Cert Hostname DOES NOT VERIFY (mail.makalika.live != hwsrv-433937.hostwindsdns.com | DNS:hwsrv-433937.hostwindsdns.com)
So email is encrypted but the host is not verified

As I understand it, Postfix tries to use my Apache vhost certificate for makalika.live. I don't have an entry in Apache for mail.makalika.live, only an A record in my DNS.

I tried to use the following command:

sudo letsencrypt certonly --standalone -d mail.makalika.live

But it fails because I have Apache running on the server using port 80.

Could you please help me with it?

Postfix isn't configured to use your Let's Encrypt certificate.

$ openssl s_client -connect mail.makalika.live:25 -starttls smtp -showcerts 2>/dev/null | openssl x509 -noout -subject -issuer
subject=CN = hwsrv-433937.hostwindsdns.com
issuer=CN = hwsrv-433937.hostwindsdns.com

You could configure it to use your Let's Encrypt certificate: Postfix TLS Support and then try again.

Well, you could either stop Apache, or use -a apache instead of --standalone.

You might need to make a simple VirtualHost for mail.makalika.live, if it doesn't exist:

<VirtualHost *:80>
  ServerName mail.makalika.live
  DocumentRoot /var/www/anywhere
</VirtualHost>

One thing that people running mail servers might not realize is that currently the Certbot software will attempt to configure your web server (like Apache) but not your mail server (like Postfix) with your new certificate if you use certbot --apache. The certificate is potentially valid for a mail server (if the mail server uses the same domain name as the web server), but you have to specifically configure the mail server to be aware of it.

Hello,
Thanks for reply!

I'm confused about where it takes 'hwsrv-433937.hostwindsdns.com' from. I have changed it to 'server1.makalika.live':

cat /etc/hostname
server1.makalika.live
cat /etc/hosts
127.0.0.1 localhost
104.168.159.214 server1.makalika.live server1
104.168.159.214 makalika.live
104.168.159.214 www.makalika.live

I'll also try to add a vhost for mail.makalika.com.

I configured Postfix to use my domain certificate, but it seems it didn't really change anything:

smtpd_tls_loglevel = 1
# Allow use of TLS but make it optional
smtp_use_tls=yes
# Disable SSLv2/3 as they are vulnerable
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
# Insist on stronger ciphers
smtpd_tls_ciphers = high
smtp_tls_ciphers = high
# keys
smtp_tls_cert_file = /etc/letsencrypt/live/makalika.live/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/makalika.live/privkey.pem

Doesn’t seem like your Postfix configuration took effect. Did you rebuild the config and restart Postfix?

The hostwindsdns is the actual certificate being served by Postfix.

Are you sure Postfix is listening on 25?

sudo ss -tlnp | grep -E ":25"

Hello, here is log:
sudo ss -tlnp | grep -E ":25"
LISTEN 0 100 0.0.0.0:25 0.0.0.0:* users:(("master",pid=26452,fd=13))
LISTEN 0 100 [::]:25 [::]:* users:(("master",pid=26452,fd=14))

I don't think the certificate on your mail server is the issue here. That certificate would only be used for receiving e-mails, not for sending. Unless Gmail tries to connect "back" to the sending e-mail server for checking, but I doubt that. (Because sending/receiving mail servers aren't always the same, so checking would be useless I reckon.)

Thanks, that's a good point.
I think the problem hides somewhere near this warning:

Certificate 1 of 1 in chain: Cert VALIDATION ERROR(S): self signed certificate
So email is encrypted but the recipient domain is not verified
Cert Hostname DOES NOT VERIFY (mail.makalika.live != hwsrv-433937.hostwindsdns.com | DNS:hwsrv-433937.hostwindsdns.com)
So email is encrypted but the host is not verified

Depends which problem you're referring to: the Gmail issue or just the warning?

Like I said, sending to Gmail isn't related to the certificate installed on your receiving SMTP daemon.

Also, most MTAs actually couldn't care less about self-signed certificates. In the world of e-mail, actual valid certificates are not that common, so most mail servers in the process of sending mail don't even care.

In any case, if you do want a valid cert, there are a few things to do:

  1. your MX record has a mail subdomain, but your mail server is configured with just the base domain. In a perfect world, those hostnames are the same.
  2. if you want a certificate for your mail hostname for Postfix, you'll need to get a new certificate for it, as your current certificate doesn't cover that hostname
  3. if you have the new cert, install it in Postfix and reload it.

@Osiris Hello, thanks!

I have done all the steps. I have created an empty mail.makalika.live vhost and generated a certificate for it. I have the following config:

TLS config:

# logging
smtpd_tls_loglevel = 1
# Allow use of TLS but make it optional
smtp_use_tls=yes
# Disable SSLv2/3 as they are vulnerable
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
# Insist on stronger ciphers
smtpd_tls_ciphers = high
smtp_tls_ciphers = high
# keys
smtp_tls_cert_file = /etc/letsencrypt/live/mail.makalika.live/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/mail.makalika.live/privkey.pem

rebooted Postfix, and the cert still didn't change. Maybe something is wrong with the DNS entry?

MX makalika.live 0 mail.makalika.live. 3600
A mail 104.168.159.214 3600

Those should be smtpd, as it is the SMTP daemon (i.e., server), you want the certificate for.
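The thread's root cause is a one-letter mix-up: `smtp_tls_*` parameters configure Postfix's outbound SMTP client, while `smtpd_tls_*` parameters configure the inbound daemon that answers on port 25, which is the side the CertDetail check (and every sending MTA) sees. The following is an added shell example, not code from the thread or from the Postfix project. It lints a main.cf text for exactly this mistake and shows the corrected settings side by side. Both main.cf texts are constructed for the example; the certificate paths follow the thread's Let's Encrypt layout, and the `smtp_tls_security_level`/`smtpd_tls_security_level` lines replace the obsolete `smtp_use_tls` (superseded since Postfix 2.3).

```shell
#!/bin/sh
# Added example, not from the thread: lint a Postfix main.cf for the
# smtp_tls_* (outbound client) vs smtpd_tls_* (inbound daemon, port 25)
# mix-up, and show the corrected settings. Both main.cf texts below are
# constructed for the example; the cert paths follow the thread's layout.

# Print the last value of a main.cf parameter, or "" if unset. Postfix
# reads "name = value" lines and lets a later definition override an
# earlier one. Continuation lines (leading whitespace) are not handled.
pf_get() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*#/ { next }                       # comment line
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
            if (name != key) next
            val = substr($0, eq + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            last = val
        }
        END { print last }'
}

# Exit 0: smtpd has cert and key.
# Exit 1: only smtp_tls_cert_file is set (the thread's bug: port 25 keeps
#         serving the packaged self-signed certificate).
# Exit 2: nothing configured for smtpd at all.
check_smtpd_cert() {
    cert=$(pf_get "$1" smtpd_tls_cert_file)
    key=$(pf_get "$1" smtpd_tls_key_file)
    if [ -n "$cert" ] && [ -n "$key" ]; then
        echo "ok: smtpd will present $cert"
        return 0
    elif [ -n "$(pf_get "$1" smtp_tls_cert_file)" ]; then
        echo "bug: smtp_tls_cert_file is set but smtpd_tls_cert_file is not"
        return 1
    fi
    echo "no certificate configured for smtpd"
    return 2
}

# Constructed: the configuration as posted in the thread.
BROKEN_MAIN_CF=$(cat <<'EOF'
smtpd_tls_loglevel = 1
smtp_use_tls=yes
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = high
smtp_tls_ciphers = high
smtp_tls_cert_file = /etc/letsencrypt/live/mail.makalika.live/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/mail.makalika.live/privkey.pem
EOF
)

# Constructed: the corrected configuration. The daemon gets the cert and
# key; "may" enables opportunistic TLS on both sides.
FIXED_MAIN_CF=$(cat <<'EOF'
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = high
smtp_tls_ciphers = high
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.makalika.live/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.makalika.live/privkey.pem
EOF
)

check_smtpd_cert "$BROKEN_MAIN_CF" || echo "   (exit status $?)"
check_smtpd_cert "$FIXED_MAIN_CF"
```

On the real server, feed it the live settings with `check_smtpd_cert "$(postconf -n)"` (`postconf -n` prints only the non-default parameters), apply the fix with `postconf -e 'smtpd_tls_cert_file=...'` or by editing main.cf, run `systemctl reload postfix`, and then re-run the `openssl s_client -starttls smtp` check from earlier in the thread: the subject should now read `CN = mail.makalika.live` with a Let's Encrypt issuer.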
