Hi -
I am running Postfix 3.6.4 with Dovecot 2.3.17.1 (476cd46418).
I have a multi-signed cert from Entrust.
The cert works fine on port 25.
However, on Port 587 I get an error: c
[root at mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993 -servername mcq.sbanetweb.com
CONNECTED(00000003)
depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
[root at mcq wbs]# dovecot -n
# 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf
# OS: Linux 5.16.5-200.fc35.x86_64 x86_64 Fedora release 35 (Thirty Five)
# Hostname: mcq.sbanetweb.com
auth_mechanisms = plain login
disable_plaintext_auth = no
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
}
passdb {
  driver = pam
}
protocols = imap
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    group = postfix
    mode = 0666
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service submission-login {
  inet_listener submission {
    port = 587
  }
}
ssl = required
ssl_cert = </etc/postfix/tls/ServerCertificate.pem
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_client_ca_dir = /etc/postfix/tls/
ssl_client_ca_file = ChainBundle.pem
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
  driver = passwd
}
protocol imap {
  mail_max_userip_connections = 15
}
Any ideas?
Wayne Spivak
SBANETWEB.com
On 2022-02-08 15:53, Wayne Spivak wrote:
> Hi -
>
> I am running Postfix 3.6.4 with Dovecot 2.3.17.1 (476cd46418).
>
> I have a multi-signed cert from Entrust.
>
> The cert works fine on port 25.

Certificates on port 25 verify ok for me.

> However, on Port 587 I get an error: c

Certificates on port 587 verify ok for me.

> [root at mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993 -servername mcq.sbanetweb.com

Now you check port 993? For me the certificates also don't verify on port 993.

Have you built your certificate file correctly? The intermediate cert seems to be missing. For port 25, 587 you send a chain of 3 certificates. For port 993 you only send one certificate.

> CONNECTED(00000003)
> depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com
> verify return:1
> ---
> Certificate chain
>  0 s:C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com
>    i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
>
> [root at mcq wbs]# dovecot -n
> # 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf
> [...]
> ssl = required
> ssl_cert = </etc/postfix/tls/ServerCertificate.pem

In what order are the certificates in here?
See https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#id7

> ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> ssl_client_ca_dir = /etc/postfix/tls/
> ssl_client_ca_file = ChainBundle.pem
> ssl_dh = # hidden, use -P to show it
> ssl_key = # hidden, use -P to show it
> ssl_prefer_server_ciphers = yes
> [...]
>
> Any ideas?
>
> Wayne Spivak
> SBANETWEB.com

-- 
Christian Kivalo
In general: Lots of mail servers out in the wild do not require TLS or even bother verifying TLS certificates when connecting to a remote server on port 25. However, desktop and mobile email *clients* tend to be much stricter about verifying server certificates when connecting via SSL or TLS, mainly to protect user passwords. Sometimes the server certificate needs to be presented with a "full chain" appended to it for verification. That has been an issue before when I've used some certs, particularly StartSSL before Letsencrypt started offering free certs.

On February 8, 2022 5:53:34 AM AKST, Wayne Spivak <WSpivak at SBANetWeb.com> wrote:
> Hi -
>
> I am running Postfix 3.6.4 with Dovecot 2.3.17.1 (476cd46418).
>
> I have a multi-signed cert from Entrust.
>
> The cert works fine on port 25.
>
> However, on Port 587 I get an error: c
>
> [root at mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993 -servername mcq.sbanetweb.com
> [...]
> ssl_cert = </etc/postfix/tls/ServerCertificate.pem
> [...]
>
> Any ideas?
>
> Wayne Spivak
> SBANETWEB.com

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
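To act on Christian's diagnosis (three certificates served on 25 and 587, one on 993) and the "full chain appended" point above, here is a checker written for this page, not code from the thread or from Dovecot: `pem_bundle_ordered` prints the subject and issuer of each certificate in a bundle such as ServerCertificate.pem in file order and fails when a certificate's issuer is not the next certificate's subject or when only one certificate is present; `served_cert_count` counts the certificates a live listener actually sends, so 25, 587 and 993 can be compared. It assumes the openssl CLI is installed; the host, ports and file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): does a PEM bundle hold the chain Dovecot's
# ssl_cert expects (leaf first, then intermediates), and what does each port send?
# Assumes the openssl CLI; host, port and file names below are placeholders.
# Usage:  pem_bundle_ordered /etc/postfix/tls/ServerCertificate.pem
#         served_cert_count mail.example.test 25 smtp    # STARTTLS on 25 / 587
#         served_cert_count mail.example.test 993         # implicit TLS on 993

# Split a PEM bundle into one file per certificate under a temp dir; print the dir.
split_pem_bundle() {
    d=$(mktemp -d)
    awk -v d="$d" '/-----BEGIN CERTIFICATE-----/ { n++ }
                   n { print $0 > (sprintf("%s/%03d.pem", d, n)) }' "$1"
    echo "$d"
}

# Return 0 if every certificate's issuer is the subject of the certificate that
# follows it and the bundle holds at least two certificates; otherwise return 1.
pem_bundle_ordered() {
    d=$(split_pem_bundle "$1"); prev_issuer=""; ok=0; count=0
    for f in "$d"/*.pem; do
        count=$((count + 1))
        subj=$(openssl x509 -noout -subject -in "$f" | sed 's/^subject= *//')
        iss=$(openssl x509 -noout -issuer -in "$f" | sed 's/^issuer= *//')
        echo "$count: subject=$subj"
        echo "   issuer=$iss"
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ]; then
            echo "   ! certificate $((count - 1)) was issued by '$prev_issuer', not by this one" >&2
            ok=1
        fi
        prev_issuer=$iss
    done
    rm -rf "$d"
    [ "$count" -ge 2 ] || { echo "! only $count certificate(s) in $1: intermediate missing?" >&2; ok=1; }
    return $ok
}

# Count the certificates a live listener sends (what a mail client really sees).
# Third argument, if given, is the STARTTLS protocol (smtp for 25/587); omit for 993.
served_cert_count() {
    host=$1; port=$2; shift 2
    [ $# -gt 0 ] && set -- -starttls "$1"
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts "$@" \
        </dev/null 2>/dev/null | grep -c -- '-----BEGIN CERTIFICATE-----' || true
}
```

A bundle that passes `pem_bundle_ordered` but a port that reports 1 points at the listener's own ssl_cert setting rather than at the file.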