In general:

Lots of mail servers out in the wild do not require TLS or even bother to
verify TLS certificates when connecting to a remote server on port 25.
However, desktop and mobile email *clients* tend to be much stricter about
verifying server certificates when connecting via SSL or TLS, mainly to protect
user passwords.

Sometimes the server certificate needs to be presented with a "full chain"
appended to it for verification. That has been an issue before when I've used
some certs, particularly StartSSL before Letsencrypt started offering free
certs.

On February 8, 2022 5:53:34 AM AKST, Wayne Spivak <WSpivak at SBANetWeb.com> wrote:
> Hi -
>
> I am running Postfix 3.6.4 with Dovecot 2.3.17.1 (476cd46418).
>
> I have a multi-signed cert from Entrust.
>
> The cert works fine on port 25.
>
> However, on Port 587 I get an error: c
>
> [root at mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993 -servername mcq.sbanetweb.com
> CONNECTED(00000003)
> depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com
> verify return:1
> ---
> Certificate chain
>  0 s:C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com
>    i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
>
> [root at mcq wbs]# dovecot -n
> # 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf
> # OS: Linux 5.16.5-200.fc35.x86_64 x86_64 Fedora release 35 (Thirty Five)
> # Hostname: mcq.sbanetweb.com
> auth_mechanisms = plain login
> disable_plaintext_auth = no
> mbox_write_locks = fcntl
> namespace inbox {
>   inbox = yes
>   location
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix
> }
> passdb {
>   driver = pam
> }
> protocols = imap
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     group = postfix
>     mode = 0666
>     user = postfix
>   }
>   unix_listener auth-userdb {
>     group = postfix
>     mode = 0666
>     user = postfix
>   }
> }
> service imap-login {
>   inet_listener imap {
>     port = 143
>   }
>   inet_listener imaps {
>     port = 993
>     ssl = yes
>   }
> }
> service submission-login {
>   inet_listener submission {
>     port = 587
>   }
> }
> ssl = required
> ssl_cert = </etc/postfix/tls/ServerCertificate.pem
> ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> ssl_client_ca_dir = /etc/postfix/tls/
> ssl_client_ca_file = ChainBundle.pem
> ssl_dh = # hidden, use -P to show it
> ssl_key = # hidden, use -P to show it
> ssl_prefer_server_ciphers = yes
> userdb {
>   driver = passwd
> }
> protocol imap {
>   mail_max_userip_connections = 15
> }
>
> Any ideas?
>
> Wayne Spivak
> SBANETWEB.com

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Justina,
 
The vendor I have, which is having the difficulty, is still saying he gets a
self-signed cert - but as I showed in my last email, after I added Intermediate to
the certificate, everything was ok.
 
So ServerCert, Intermediate, Root in same file should solve this?
 
Wayne
From: dovecot <dovecot-bounces at dovecot.org> On Behalf Of justina colmena ~biz
Sent: Tuesday, February 8, 2022 2:44 PM
To: dovecot at dovecot.org
Subject: Re: Certificate and showing a sign-cert not there
 
In general:
Lots of mail servers out in the wild do not require TLS or even bother to
verify TLS certificates when connecting to a remote server on port 25.
However, desktop and mobile email *clients* tend to be much stricter about
verifying server certificates when connecting via SSL or TLS, mainly to protect
user passwords.
Sometimes the server certificate needs to be presented with a "full
chain" appended to it for verification. That has been an issue before when
I've used some certs, particularly StartSSL before Letsencrypt started
offering free certs.
On February 8, 2022 5:53:34 AM AKST, Wayne Spivak <WSpivak at SBANetWeb.com> wrote:
Hi -
 
I am running Postfix 3.6.4 with Dovecot 2.3.17.1 (476cd46418).
 
I have a multi-signed cert from Entrust.
 
The cert works fine on port 25.
 
However, on Port 587 I get an error: c
 
[root at mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993 -servername
mcq.sbanetweb.com
CONNECTED(00000003)
depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN =
mcq.sbanetweb.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN =
mcq.sbanetweb.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN =
mcq.sbanetweb.com
verify return:1
---
Certificate chain
0 s:C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN =
mcq.sbanetweb.com
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. -
for authorized use only", CN = Entrust Certification Authority - L1K
 
 
[root at mcq wbs]# dovecot -n
# 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf
# OS: Linux 5.16.5-200.fc35.x86_64 x86_64 Fedora release 35 (Thirty Five)
# Hostname: mcq.sbanetweb.com
auth_mechanisms = plain login
disable_plaintext_auth = no
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix 
}
passdb {
  driver = pam
}
protocols = imap
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    group = postfix
    mode = 0666
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service submission-login {
  inet_listener submission {
    port = 587
  }
}
ssl = required
ssl_cert = </etc/postfix/tls/ServerCertificate.pem
ssl_cipher_list =
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_client_ca_dir = /etc/postfix/tls/
ssl_client_ca_file = ChainBundle.pem
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
  driver = passwd
}
protocol imap {
  mail_max_userip_connections = 15
}
 
Any ideas?
 
Wayne Spivak
SBANETWEB.com
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
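The chain problem discussed in this thread, reproduced offline as an added example (not from any of the posters): a throwaway root, intermediate and leaf are generated with the openssl CLI (assumed to be on PATH, version 1.1.1 or later; all names are constructed), and the leaf alone fails with the same "unable to get local issuer certificate" that Wayne's s_client run shows, while leaf + intermediate in one file verifies. That concatenated file, leaf first, is what Dovecot's `ssl_cert` should point at; appending the root is harmless but clients have to trust it already, so it adds nothing.

```shell
#!/bin/sh
# Added example, not from the thread: build a root -> intermediate -> leaf chain,
# show that the leaf alone fails verification (error 20/21, as in the s_client
# output above) while a leaf+intermediate file verifies, and check bundle order.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Constructed test PKI; subject names and validity periods are arbitrary.
gen_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test $n" \
      -keyout "$n.key" -out "$n.csr" 2>/dev/null
  done
  openssl x509 -req -in root.csr -signkey root.key -set_serial 1 -days 2 \
    -extfile ca.ext -out root.pem 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -set_serial 2 -days 2 \
    -extfile ca.ext -out int.pem 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -set_serial 3 -days 2 \
    -out leaf.pem 2>/dev/null
  cat leaf.pem int.pem > fullchain.pem    # leaf first, then intermediate: ssl_cert
  cat int.pem leaf.pem > wrongorder.pem   # same certs, wrong order
}

# Verify $1 against the root; $2 is an optional untrusted bundle, playing the
# role the server-sent chain plays for a mail client. Prints ok or fail.
verify_with() {
  if [ -n "$2" ]; then
    openssl verify -CAfile root.pem -untrusted "$2" "$1" >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile root.pem "$1" >/dev/null 2>&1 && echo ok || echo fail
  fi
}

# Exit status 0 if the bundle is leaf first and each cert is issued by the next
# one, which is the order clients build the path in.
chain_ordered() {
  n=$(grep -c 'BEGIN CERTIFICATE' "$1"); i=1
  while [ "$i" -lt "$n" ]; do
    iss=$(awk -v k="$i" '/BEGIN CERT/{c++} c==k' "$1" | openssl x509 -noout -issuer)
    sub=$(awk -v k="$((i+1))" '/BEGIN CERT/{c++} c==k' "$1" | openssl x509 -noout -subject)
    [ "${iss#issuer=}" = "${sub#subject=}" ] || return 1
    i=$((i+1))
  done
}

gen_chain
echo "leaf only:  $(verify_with leaf.pem '')"             # fail
echo "leaf+chain: $(verify_with leaf.pem fullchain.pem)"  # ok
```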