dovecot - Feb 2022 - Certificate and showing a sign-cert not there

You shouldn't need a root in the full chain, because the client already has
to have the root cert, but you do need all the links in the chain up to the
root.

On February 8, 2022 4:13:06 PM AKST, Wayne Spivak <WSpivak at
SBANetWeb.com> wrote:
>Justina,
>
> 
>
>The vendor I have, which is having the difficulty is still saying he gets a
self-signed cert? but as I showed in my last email after I added Intermediate to
the certificate, everything was ok.
>
> 
>
>So ServerCert, Intermediate, Root in same file should solve this?
>
> 
>
>Wayne
>
>From: dovecot <dovecot-bounces at dovecot.org> On Behalf Of justina
colmena ~biz
>Sent: Tuesday, February 8, 2022 2:44 PM
>To: dovecot at dovecot.org
>Subject: Re: Certificate and showing a sign-cert not there
>
> 
>
>In general:
>
>Lots of mail servers out in the wild do not require TLS or even bother to
verifying TLS certificates when connecting to a remote server on port 25.
>
>However, desktop and mobile email *clients* tend to be much stricter about
verifying server certificates when connecting via SSL or TLS, mainly to protect
user passwords.
>
>Sometimes the server certificate needs to be presented with a "full
chain" appended to it for verification. That has been an issue before when
I've used some certs, particularly StartSSL before Letsencrypt started
offering free certs.
>
>On February 8, 2022 5:53:34 AM AKST, Wayne Spivak <WSpivak at
SBANetWeb.com <mailto:WSpivak at SBANetWeb.com> > wrote:
>
>Hi ?
>
> 
>
>I am running Postfix 3.6.4 with Dovecot 2.3.17.1 (476cd46418).
>
> 
>
>I have a multi-signed cert from Entrust.
>
> 
>
>The cert works fine on port 25.
>
> 
>
>However, on Port 587 I get an error: c
>
> 
>
>[root at mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993
-servername mcq.sbanetweb.com
>
>CONNECTED(00000003)
>
>depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN =
mcq.sbanetweb.com
>
>verify error:num=20:unable to get local issuer certificate
>
>verify return:1
>
>depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN =
mcq.sbanetweb.com
>
>verify error:num=21:unable to verify the first certificate
>
>verify return:1
>
>depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN =
mcq.sbanetweb.com
>
>verify return:1
>
>---
>
>Certificate chain
>
>0 s:C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN =
mcq.sbanetweb.com
>
>   i:C = US, O = "Entrust, Inc.", OU = See
www.entrust.net/legal-terms <http://www.entrust.net/legal-terms> , OU =
"(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust
Certification Authority - L1K
>
> 
>
> 
>
>[root at mcq wbs]# dovecot -n
>
># 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf
>
># OS: Linux 5.16.5-200.fc35.x86_64 x86_64 Fedora release 35 (Thirty Five)
>
># Hostname: mcq.sbanetweb.com
>
>auth_mechanisms = plain login
>
>disable_plaintext_auth = no
>
>mbox_write_locks = fcntl
>
>namespace inbox {
>
>  inbox = yes
>
>  location >
>  mailbox Drafts {
>
>    special_use = \Drafts
>
>  }
>
>  mailbox Junk {
>
>    special_use = \Junk
>
>  }
>
>  mailbox Sent {
>
>    special_use = \Sent
>
>  }
>
>  mailbox "Sent Messages" {
>
>    special_use = \Sent
>
>  }
>
>  mailbox Trash {
>
>    special_use = \Trash
>
>  }
>
>  prefix >
>}
>
>passdb {
>
>  driver = pam
>
>}
>
>protocols = imap
>
>service auth {
>
>  unix_listener /var/spool/postfix/private/auth {
>
>    group = postfix
>
>    mode = 0666
>
>    user = postfix
>
>  }
>
>  unix_listener auth-userdb {
>
>    group = postfix
>
>    mode = 0666
>
>    user = postfix
>
>  }
>
>}
>
>service imap-login {
>
>  inet_listener imap {
>
>    port = 143
>
>  }
>
>  inet_listener imaps {
>
>    port = 993
>
>    ssl = yes
>
>  }
>
>}
>
>service submission-login {
>
>  inet_listener submission {
>
>    port = 587
>
>  }
>
>}
>
>ssl = required
>
>ssl_cert = </etc/postfix/tls/ServerCertificate.pem
>
>ssl_cipher_list =
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
>
>ssl_client_ca_dir = /etc/postfix/tls/
>
>ssl_client_ca_file = ChainBundle.pem
>
>ssl_dh = # hidden, use -P to show it
>
>ssl_key = # hidden, use -P to show it
>
>ssl_prefer_server_ciphers = yes
>
>userdb {
>
>  driver = passwd
>
>}
>
>protocol imap {
>
>  mail_max_userip_connections = 15
>
>}
>
> 
>
>Any ideas?
>
> 
>
>Wayne Spivak
>
>SBANETWEB.com
>
>-- 
>Sent from my Android device with K-9 Mail. Please excuse my brevity.
>
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20220208/b49c6d54/attachment.htm>

An HTML attachment was scrubbed...
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20220209/37556b49/attachment-0001.htm>

That I have, thank you Justina

 

From: dovecot <dovecot-bounces at dovecot.org> On Behalf Of justina
colmena ~biz
Sent: Tuesday, February 8, 2022 8:57 PM
To: dovecot at dovecot.org
Subject: RE: Certificate and showing a sign-cert not there

 

You shouldn't need a root in the full chain, because the client already has
to have the root cert, but you do need all the links in the chain up to the
root.

On February 8, 2022 4:13:06 PM AKST, Wayne Spivak <WSpivak at SBANetWeb.com
<mailto:WSpivak at SBANetWeb.com> > wrote:

Justina,

 

The vendor I have, which is having the difficulty is still saying he gets a
self-signed cert? but as I showed in my last email after I added Intermediate to
the certificate, everything was ok.

 

So ServerCert, Intermediate, Root in same file should solve this?

 

Wayne

From: dovecot <dovecot-bounces at dovecot.org <mailto:dovecot-bounces at
dovecot.org> > On Behalf Of justina colmena ~biz
Sent: Tuesday, February 8, 2022 2:44 PM
To: dovecot at dovecot.org <mailto:dovecot at dovecot.org> 
Subject: Re: Certificate and showing a sign-cert not there

 

In general:

Lots of mail servers out in the wild do not require TLS or even bother to
verifying TLS certificates when connecting to a remote server on port 25.

However, desktop and mobile email *clients* tend to be much stricter about
verifying server certificates when connecting via SSL or TLS, mainly to protect
user passwords.

Sometimes the server certificate needs to be presented with a "full
chain" appended to it for verification. That has been an issue before when
I've used some certs, particularly StartSSL before Letsencrypt started
offering free certs.

On February 8, 2022 5:53:34 AM AKST, Wayne Spivak <WSpivak at SBANetWeb.com
<mailto:WSpivak at SBANetWeb.com> > wrote:

Hi ?

 

I am running Postfix 3.6.4 with Dovecot 2.3.17.1 (476cd46418).

 

I have a multi-signed cert from Entrust.

 

The cert works fine on port 25.

 

However, on Port 587 I get an error: c

 

[root at mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993 -servername
mcq.sbanetweb.com

CONNECTED(00000003)

depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN =
mcq.sbanetweb.com

verify error:num=20:unable to get local issuer certificate

verify return:1

depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN =
mcq.sbanetweb.com

verify error:num=21:unable to verify the first certificate

verify return:1

depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN =
mcq.sbanetweb.com

verify return:1

---

Certificate chain

0 s:C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN =
mcq.sbanetweb.com

   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms
<http://www.entrust.net/legal-terms> , OU = "(c) 2012 Entrust, Inc. -
for authorized use only", CN = Entrust Certification Authority - L1K

 

 

[root at mcq wbs]# dovecot -n

# 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf

# OS: Linux 5.16.5-200.fc35.x86_64 x86_64 Fedora release 35 (Thirty Five)

# Hostname: mcq.sbanetweb.com

auth_mechanisms = plain login

disable_plaintext_auth = no

mbox_write_locks = fcntl

namespace inbox {

  inbox = yes

  location 
  mailbox Drafts {

    special_use = \Drafts

  }

  mailbox Junk {

    special_use = \Junk

  }

  mailbox Sent {

    special_use = \Sent

  }

  mailbox "Sent Messages" {

    special_use = \Sent

  }

  mailbox Trash {

    special_use = \Trash

  }

  prefix 
}

passdb {

  driver = pam

}

protocols = imap

service auth {

  unix_listener /var/spool/postfix/private/auth {

    group = postfix

    mode = 0666

    user = postfix

  }

  unix_listener auth-userdb {

    group = postfix

    mode = 0666

    user = postfix

  }

}

service imap-login {

  inet_listener imap {

    port = 143

  }

  inet_listener imaps {

    port = 993

    ssl = yes

  }

}

service submission-login {

  inet_listener submission {

    port = 587

  }

}

ssl = required

ssl_cert = </etc/postfix/tls/ServerCertificate.pem

ssl_cipher_list =
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

ssl_client_ca_dir = /etc/postfix/tls/

ssl_client_ca_file = ChainBundle.pem

ssl_dh = # hidden, use -P to show it

ssl_key = # hidden, use -P to show it

ssl_prefer_server_ciphers = yes

userdb {

  driver = passwd

}

protocol imap {

  mail_max_userip_connections = 15

}

 

Any ideas?

 

Wayne Spivak

SBANETWEB.com

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20220209/7cea75e9/attachment.htm>