Using LE with Postfix / Dovecot POP3 SSL

Hello guys!

Yesterday I finished setting up my mail server and got a certificate from letsencrypt, replaced my self-signed cert with it in dovecot’s and postfix’s configuration files, restarted them, and connected to it using openssl’s s_client, and received the following verify error:

Verify return code: 21 (unable to verify the first certificate)

Then I set it up on my web server (https://mail.matalamaki.fi) and ta-dah, it works well, at least on Chrome, but for some reason the same setup doesn’t work with my mail server. Why is that?

My mail configurations:

File: /etc/dovecot/conf.d/10-ssl.conf

ssl_cert = </etc/letsencrypt/live/mail.matalamaki.fi/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.matalamaki.fi/privkey.pem

File: /etc/postfix/main.cf

smtpd_tls_cert_file=/etc/letsencrypt/live/mail.matalamaki.fi/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.matalamaki.fi/privkey.pem
smtpd_use_tls=yes

With a self-signed cert it signs it correctly, but it doesn’t work on Gmail, which is the main reason I need to get a CA-signed cert for my mail server too.

With the LE cert setup I am experiencing the same error from Gmail too, when trying to add the POP3 inbox:

SSL error: unable to verify the first certificate


Well, your configuration looks good… It is very strange that Dovecot and Postfix don’t pick up the intermediate certificate.

What are the version numbers? Does the fullchain.pem really consist of two certs?

I am running with

Postfix version: 2.11.3
Dovecot version: 2.2.13

And I checked fullchain.pem, and unlike what the guide assured, fullcerts.pem only consisted of 1 cert, so that was a quick fix…

After setting the fullcerts up with both certs and connecting on port 995 it just started working! Amazing! Thanks!

Hello @ruuhkis,

Checking your site I only get this “error”:
verify error:num=20:unable to get local issuer certificate

But that is not really an error, it just says that it cannot verify the root issuer (DST Root CA X3) of your certificate because it is not included in the fullchain.pem which is fine as it should be in your trusted store.

If you don’t want to have that “error”, just add the path to your root certs (usually in /etc/ssl/certs/) in your openssl command:
openssl s_client -connect mail.matalamaki.fi:993 -CApath /etc/ssl/certs/

Before posting this message I checked your server again, and I can see that you are adding the root certificate in fullchain.pem.

Certificate chain
 0 s:/CN=mail.matalamaki.fi
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
 2 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
 3 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1

So, remove what you have added to fullchain.pem (in that file you should only have your certificate and the intermediate certificate) and you’ll be fine ;-).

Cheers,
sahsanu
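A checker for the two bundle mistakes discussed in this thread (a fullchain.pem holding only the leaf, as in the first post, and extra or duplicated certificates appended after the intermediate, as in the chain sahsanu quoted), added here as an example; it is not code from the thread or from Let's Encrypt, Dovecot or Postfix. It walks the PEM bundle with a minimal DER reader from the standard library, so it checks only ordering and subject/issuer linkage, not signatures or validity dates. The toy certificates at the bottom (mail.example.test, Toy Intermediate CA, Toy Root CA) are constructed, unsigned stand-ins used only for self-testing.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_SHORT = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.6": "C"}


def split_pem_bundle(text):
    """DER bytes of every CERTIFICATE block in a PEM bundle, in file order."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]


def der_read(buf, pos=0):
    """Read one DER TLV at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(buf):
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = der_read(buf, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def name_str(name_der):
    """Render an X.501 Name (SEQUENCE of SET of type/value pairs) like openssl does."""
    parts = []
    for _, rdn in der_children(name_der):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)[:2]
            dotted = decode_oid(oid)
            parts.append(f"{OID_SHORT.get(dotted, dotted)}={val.decode('utf-8', 'replace')}")
    return "/".join(parts)


def cert_names(der):
    """(issuer DER, subject DER) of one certificate, taken from its TBSCertificate."""
    _, cert, _ = der_read(der)
    fields = der_children(der_children(cert)[0][1])
    if fields[0][0] == 0xA0:                 # optional explicit [0] version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][1], fields[4][1]


def check_fullchain(text):
    """Problems found in a bundle; [] means leaf followed by its intermediates, in order."""
    ders = split_pem_bundle(text)
    names = [cert_names(d) for d in ders]
    problems = []
    if len(ders) < 2:
        problems.append(f"only {len(ders)} certificate(s): intermediate missing, clients will report "
                        "'unable to verify the first certificate'")
    for i, (issuer, subject) in enumerate(names):
        if issuer == subject:
            problems.append(f"cert {i} ({name_str(subject)}) is self-signed: a root does not belong in fullchain.pem")
        if i > 0 and names[i - 1][0] != subject:
            problems.append(f"cert {i} ({name_str(subject)}) did not issue cert {i - 1} ({name_str(names[i - 1][1])})")
        if ders[i] in ders[:i]:
            problems.append(f"cert {i} ({name_str(subject)}) duplicates an earlier certificate")
    return problems


# --- constructed test data: unsigned stand-ins with a real certificate's field layout ---
def der_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_name(cn):                            # Name = SEQUENCE { SET { SEQUENCE { 2.5.4.3, UTF8String } } }
    atv = der_tlv(0x30, der_tlv(0x06, bytes([0x55, 0x04, 0x03])) + der_tlv(0x0C, cn.encode()))
    return der_tlv(0x30, der_tlv(0x31, atv))


def toy_cert_pem(subject_cn, issuer_cn):
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
                  + der_name(issuer_cn) + der_tlv(0x30, b"") + der_name(subject_cn) + der_tlv(0x30, b""))
    cert = der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))   # empty sigalg, empty signature
    return f"-----BEGIN CERTIFICATE-----\n{base64.encodebytes(cert).decode()}-----END CERTIFICATE-----\n"


LEAF = toy_cert_pem("mail.example.test", "Toy Intermediate CA")
INTER = toy_cert_pem("Toy Intermediate CA", "Toy Root CA")
ROOT = toy_cert_pem("Toy Root CA", "Toy Root CA")

if __name__ == "__main__":
    for label, bundle in [("leaf only", LEAF), ("leaf + intermediate", LEAF + INTER),
                          ("leaf + intermediate + root", LEAF + INTER + ROOT),
                          ("intermediate twice", LEAF + INTER + INTER)]:
        print(f"{label}: {check_fullchain(bundle) or 'OK'}")
```

To run it against a live server, replace the toy bundles with the contents of the real fullchain.pem (or pipe the chain printed by `openssl s_client -showcerts` into it). An empty result here, together with `openssl s_client -connect host:995 -CApath /etc/ssl/certs/` ending in `Verify return code: 0 (ok)`, is what a correctly assembled bundle looks like; the `num=20` line sahsanu mentions only appears when s_client is run without a CA path.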

Thanks for taking your time to help me out!

I removed the extra certs from there, as I was just trying whether they were needed for Gmail to recognize the cert, but apparently not!