Justina,

The vendor I have, which is having the difficulty, is still saying he gets a self-signed cert - but as I showed in my last email, after I added Intermediate to the certificate, everything was ok.

So ServerCert, Intermediate, Root in same file should solve this?

Wayne

From: dovecot <dovecot-bounces at dovecot.org> On Behalf Of justina colmena ~biz
Sent: Tuesday, February 8, 2022 2:44 PM
To: dovecot at dovecot.org
Subject: Re: Certificate and showing a sign-cert not there

In general:

Lots of mail servers out in the wild do not require TLS or even bother to verify TLS certificates when connecting to a remote server on port 25.

However, desktop and mobile email *clients* tend to be much stricter about verifying server certificates when connecting via SSL or TLS, mainly to protect user passwords.

Sometimes the server certificate needs to be presented with a "full chain" appended to it for verification. That has been an issue before when I've used some certs, particularly StartSSL before Letsencrypt started offering free certs.

On February 8, 2022 5:53:34 AM AKST, Wayne Spivak <WSpivak at SBANetWeb.com> wrote:

Hi -

I am running Postfix 3.6.4 with Dovecot 2.3.17.1 (476cd46418).

I have a multi-signed cert from Entrust.

The cert works fine on port 25.
However, on Port 587 I get an error:

[root at mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993 -servername mcq.sbanetweb.com
CONNECTED(00000003)
depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K

[root at mcq wbs]# dovecot -n
# 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf
# OS: Linux 5.16.5-200.fc35.x86_64 x86_64 Fedora release 35 (Thirty Five)
# Hostname: mcq.sbanetweb.com
auth_mechanisms = plain login
disable_plaintext_auth = no
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix
}
passdb {
  driver = pam
}
protocols = imap
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    group = postfix
    mode = 0666
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service submission-login {
  inet_listener submission {
    port = 587
  }
}
ssl = required
ssl_cert = </etc/postfix/tls/ServerCertificate.pem
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_client_ca_dir = /etc/postfix/tls/
ssl_client_ca_file = ChainBundle.pem
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
  driver = passwd
}
protocol imap {
  mail_max_userip_connections = 15
}

Any ideas?

Wayne Spivak
SBANETWEB.com

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
You shouldn't need a root in the full chain, because the client already has to have the root cert, but you do need all the links in the chain up to the root.

On February 8, 2022 4:13:06 PM AKST, Wayne Spivak <WSpivak at SBANetWeb.com> wrote:
>Justina,
>
>The vendor I have, which is having the difficulty, is still saying he gets a self-signed cert - but as I showed in my last email, after I added Intermediate to the certificate, everything was ok.
>
>So ServerCert, Intermediate, Root in same file should solve this?
>
>Wayne

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
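The chain-building point made above can be checked locally without touching a live server. The script below is an added example, not code from the thread or from the Dovecot project: it builds a throwaway root -> intermediate -> leaf PKI with openssl, then shows (a) that a client holding only the root cannot verify a leaf served on its own, which is exactly the "unable to get local issuer certificate" (error 20) that `openssl s_client` printed in the original post, (b) that the same leaf verifies once the intermediate is sent along with it, with no root needed, and (c) a check that a concatenated chain file is in wire order (leaf first, each certificate followed by its issuer), which goes a little beyond the thread's specific case. Every name and path in it (Example Root CA, Example Intermediate CA, mail.example.test, the files under a temporary directory) is constructed for the example; it assumes only a POSIX sh and an openssl binary.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): build a toy CA hierarchy
# and demonstrate why a TLS server must send its intermediate certificate(s).
# Assumes a POSIX sh and openssl (1.1.1 or later). All names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Sign a CSR with a CA, or self-sign it when no CA is given.
sign_csr() {               # csr ext out [ca-cert ca-key]
  if [ $# -gt 3 ]; then
    openssl x509 -req -days 2 -sha256 -in "$1" -extfile "$2" -out "$3" \
      -CA "$4" -CAkey "$5" -CAcreateserial 2>/dev/null
  else
    openssl x509 -req -days 2 -sha256 -in "$1" -extfile "$2" -out "$3" \
      -signkey "${3%.pem}.key" 2>/dev/null
  fi
}

# Create root, intermediate and leaf (constructed test data).
make_pki() {
  for n in root int leaf; do
    case $n in
      root) subj="/CN=Example Root CA" ;;
      int)  subj="/CN=Example Intermediate CA" ;;
      leaf) subj="/CN=mail.example.test" ;;
    esac
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
      -keyout "$WORK/$n.key" -out "$WORK/$n.csr" 2>/dev/null
  done
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > "$WORK/leaf.ext"
  sign_csr "$WORK/root.csr" "$WORK/ca.ext"   "$WORK/root.pem"
  sign_csr "$WORK/int.csr"  "$WORK/ca.ext"   "$WORK/int.pem"  "$WORK/root.pem" "$WORK/root.key"
  sign_csr "$WORK/leaf.csr" "$WORK/leaf.ext" "$WORK/leaf.pem" "$WORK/int.pem"  "$WORK/int.key"
  # What a server should send: leaf first, then the intermediate. The root is
  # omitted on purpose; the client already has it in its trust store.
  cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/fullchain.pem"
  # A wrongly ordered bundle, for the order check below.
  cat "$WORK/int.pem" "$WORK/leaf.pem" > "$WORK/wrongorder.pem"
}

# Verify a leaf against the trusted root, optionally with extra untrusted
# certificates (what the server sends). Returns 0 if a chain can be built.
verify_leaf() {            # root leaf [untrusted-bundle]
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# openssl's own reason for a failed verification of a lone leaf.
verify_leaf_error() {      # root leaf
  openssl verify -CAfile "$1" "$2" 2>&1 | sed -n 's/.*lookup: *//p' | head -n 1
}

# Check that a PEM bundle is in wire order: each certificate's issuer is the
# subject of the certificate that follows it.
chain_order_ok() {         # bundle
  dir=$(mktemp -d "$WORK/split.XXXXXX")
  awk -v p="$dir/c" '/-----BEGIN CERTIFICATE-----/ {n++} n {print > (p n ".pem")}' "$1"
  count=$(grep -c 'BEGIN CERTIFICATE' "$1")
  i=1
  while [ "$i" -lt "$count" ]; do
    j=$((i + 1))
    issuer=$(openssl x509 -in "$dir/c$i.pem" -noout -issuer)
    subject=$(openssl x509 -in "$dir/c$j.pem" -noout -subject)
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
    i=$j
  done
  return 0
}

make_pki
if verify_leaf "$WORK/root.pem" "$WORK/leaf.pem"; then
  echo "leaf alone: verified (unexpected)"
else
  echo "leaf alone: $(verify_leaf_error "$WORK/root.pem" "$WORK/leaf.pem")"
fi
verify_leaf "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/fullchain.pem" && echo "leaf + intermediate: verified"
chain_order_ok "$WORK/fullchain.pem" && echo "fullchain.pem: order ok"
chain_order_ok "$WORK/wrongorder.pem" || echo "wrongorder.pem: issuer/subject mismatch"
```

For Dovecot, the equivalent of `fullchain.pem` is what `ssl_cert` should point at: the server certificate followed by the intermediate(s) in one PEM file, since Dovecot sends whatever that file contains. The `ssl_client_ca_dir` and `ssl_client_ca_file` settings in the posted config do not change the chain Dovecot presents to connecting clients; they only configure trust for certificates Dovecot itself verifies.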
On 09.02.22 02:13, Wayne Spivak wrote:
> The vendor I have, which is having the difficulty is still
> saying he gets a self-signed cert - but as I showed in my
> last email after I added Intermediate to the certificate,
> everything was ok.

"*A* self-signed cert" would match the root cert that you have (had?) in your chain, though it would be unusual that *that* would prompt a client to complain. "*Only* a self-signed cert" would likely be some middleboxes' doing.

As justina pointed out, e-mail systems are still not in the habit of doing full verification of certs, so MitM attacks are definitely possible. [Still vividly remembers finding that a certain camping ground's WiFi transparently redirects guests' SMTP/IMAP to a snooping, SSL-enabled server ...]

Kind regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH