Certificate 1 of 1 in chain: Cert VALIDATION ERROR(S): self signed certificate
So email is encrypted but the recipient domain is not verified
Cert Hostname DOES NOT VERIFY (mail.makalika.live != hwsrv-433937.hostwindsdns.com | DNS:hwsrv-433937.hostwindsdns.com)
So email is encrypted but the host is not verified
As I understand it, Postfix tries to use my Apache vhost certificate for makalika.live. I don't have an entry in Apache for mail.makalika.live, only an A record in my DNS.
One thing that people running mail servers might not realize is that currently the Certbot software will attempt to configure your web server (like Apache) but not your mail server (like Postfix) with your new certificate if you use certbot --apache. The certificate is potentially valid for a mail server (if the mail server uses the same domain name as the web server), but you have to specifically configure the mail server to be aware of it.
I don't think the certificate on your mailserver is the issue here. That certificate would only be used for receiving e-mails, not for sending. Unless GMail tries to connect "back" to the sending e-mail server for checking, but I doubt that. (Because sending/receiving mailservers aren't always the same, so checking would be useless, I reckon.)
Thanks, that's a good point.
I think the problem hides somewhere near this warning:
Certificate 1 of 1 in chain: Cert VALIDATION ERROR(S): self signed certificate
So email is encrypted but the recipient domain is not verified
Cert Hostname DOES NOT VERIFY (mail.makalika.live != hwsrv-433937.hostwindsdns.com | DNS:hwsrv-433937.hostwindsdns.com)
So email is encrypted but the host is not verified
Depends which problem you're referring to: the Gmail issue or just the warning?
Like I said, sending to Gmail isn't related to the certificate installed on your receiving SMTP-daemon.
Also, most MTAs actually couldn't care less about self-signed certificates. In the world of e-mail, actual valid certificates are not that common, so most mailservers in the process of sending mails don't even care.
In any case, if you do want a valid cert, there are a few things to do:
your MX record has a mail subdomain, but your mailserver is configured with just the base domain. In a perfect world, those hostnames are the same.
if you want a certificate for your mail hostname for Postfix, you'll need to get a new certificate for it, as your current certificate doesn't cover that hostname
if you have the new cert, install it in Postfix and reload it.
I have done all the steps. I have created an empty mail.makalika.live vhost and generated a certificate for it. I have the following config:
TLS config:
# logging
smtpd_tls_loglevel = 1
# Allow use of TLS but make it optional
smtp_use_tls=yes
# Disable SSLv2/3 as they are vulnerable
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
# Insist on stronger ciphers
smtpd_tls_ciphers = high
smtp_tls_ciphers = high
# keys
smtp_tls_cert_file = /etc/letsencrypt/live/mail.makalika.live/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/mail.makalika.live/privkey.pem
I rebooted Postfix, and the cert still didn't change. Maybe something is wrong with the DNS entry?
MX  makalika.live  0  mail.makalika.live.  3600
A   mail           104.168.159.214         3600
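The three steps given above (make the MX target and the mail hostname agree, issue a certificate for that hostname, install it in Postfix and reload) and the config in the last post come down to one Postfix detail: parameters named smtpd_tls_* configure the SMTP server that inbound senders such as Gmail connect to on port 25, while parameters named smtp_tls_* configure Postfix's outbound client. A certificate placed only under smtp_tls_cert_file therefore never changes what a remote sender sees. The Python script below is an added example, not the poster's or the forum's own code. It parses a main.cf fragment (the posted one, embedded as constructed sample input, and a hypothetical corrected one), reports which server-side TLS settings are missing, compares myhostname with the MX target, and renders the postconf -e and postfix reload commands that would apply the corrected server-side settings. The certificate-path check is only a heuristic on the Let's Encrypt live/<name>/ directory layout, not an inspection of the certificate file itself.

```python
"""Sanity-check the TLS section of a Postfix main.cf fragment.

Added example for this thread, not the poster's own tooling. The point
it encodes: smtpd_tls_* settings govern the SMTP server (what inbound
senders see on port 25); smtp_tls_* settings govern the SMTP client
(outbound delivery). Setting only smtp_tls_cert_file leaves the inbound
certificate unchanged.
"""
import re

# Fragment as posted in the thread (constructed sample input for this check).
POSTED_FRAGMENT = """
# logging
smtpd_tls_loglevel = 1
# Allow use of TLS but make it optional
smtp_use_tls=yes
# Disable SSLv2/3 as they are vulnerable
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
# Insist on stronger ciphers
smtpd_tls_ciphers = high
smtp_tls_ciphers = high
# keys
smtp_tls_cert_file = /etc/letsencrypt/live/mail.makalika.live/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/mail.makalika.live/privkey.pem
"""

# Hypothetical corrected fragment: server-side keys added, legacy smtp_use_tls
# replaced by smtp_tls_security_level, myhostname aligned with the MX target.
CORRECTED_FRAGMENT = """
myhostname = mail.makalika.live
smtpd_tls_loglevel = 1
# Server side: offer STARTTLS to inbound senders and present the new cert.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.makalika.live/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.makalika.live/privkey.pem
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = high
# Client side: use STARTTLS opportunistically when delivering outbound mail.
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_ciphers = high
"""

_LINE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_main_cf(text):
    """Parse 'key = value' lines; '#' lines and blanks are skipped.

    Postfix continuation lines (leading whitespace) are not handled here.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def check_inbound_tls(params, mx_target):
    """Return findings about the certificate inbound senders will be shown."""
    findings = []
    for key in ("smtpd_tls_cert_file", "smtpd_tls_key_file"):
        if not params.get(key):
            findings.append(f"{key} is not set: inbound STARTTLS will not use the new certificate")
    if "smtpd_tls_security_level" not in params and params.get("smtpd_use_tls", "no") != "yes":
        findings.append("smtpd_tls_security_level is not set: inbound STARTTLS is not enabled here")
    if "smtp_use_tls" in params and "smtp_tls_security_level" not in params:
        findings.append("smtp_use_tls is the legacy parameter; use smtp_tls_security_level = may")
    # Heuristic only: Let's Encrypt stores each certificate under live/<first name>/.
    cert = params.get("smtpd_tls_cert_file", "")
    if cert and f"/live/{mx_target}/" not in cert:
        findings.append(f"smtpd_tls_cert_file does not look like a certificate issued for {mx_target}")
    myhostname = params.get("myhostname")
    if myhostname and myhostname != mx_target:
        findings.append(f"myhostname ({myhostname}) differs from the MX target ({mx_target})")
    return findings


def postconf_commands(params, keys=("smtpd_tls_security_level",
                                    "smtpd_tls_cert_file", "smtpd_tls_key_file")):
    """Render postconf -e commands for the server-side keys, then the reload."""
    cmds = [f"postconf -e '{k}={params[k]}'" for k in keys if k in params]
    cmds.append("postfix reload")
    return cmds


if __name__ == "__main__":
    for name, frag in (("posted", POSTED_FRAGMENT), ("corrected", CORRECTED_FRAGMENT)):
        print(f"== {name} ==")
        for finding in check_inbound_tls(parse_main_cf(frag), "mail.makalika.live") or ["no findings"]:
            print("  -", finding)
    print("\n".join(postconf_commands(parse_main_cf(CORRECTED_FRAGMENT))))
```

After the reload, the certificate that remote senders actually receive can be confirmed from another host with openssl s_client -starttls smtp -connect mail.makalika.live:25 -servername mail.makalika.live, which is the same view of the server that the warning quoted at the top of the thread was reporting on.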