[Dovecot] ssl cert for mail server

Florian Zeitz florob at babelmonkeys.de
Wed Sep 19 14:56:26 EEST 2012


Am 19.09.2012 10:00, schrieb cc "maco" young:
> for testing a new ssl cert.  it works ok for browsers, but
> 
>>  openssl s_client -crlf -connect ms1.trailsandtribulations.net:443
> 
> => verify error:num=19:self signed certificate in certificate chain
> 
> is this ssl cert - as it's constructed - is ok for mail clients?  (realize
> needs to be on mail port etc - right now talking about the cert itself.)
>  have had problems with thunderbird, and was wondering if this might be
> part of the problem.
> 

Hi,

first of all this is likely off topic for this ML, I'll still answer
though, since I'm always intrigued by TLS problems.

The reason openssl doesn't accept this cert, while your browser does, is
quite likely that your system wide accepted CAs don't include Starfield
Technologies, while your browser's CAs do (This is the case for Firefox
and Thunderbird).

However, I suspect that your mail addresses are of the form
<user at trailsandtribulations.net>, and ms1.trailsandtribulations.net is
what is in your MX record. As such the certificate needs to be valid for
trailsandtribulations.net, and not ms1.trailsandtribulations.net.
So you either need trailsandtribulations.net as your CN, or a SAN of
type DNSName for trailsandtribulations.net.
Cf. https://tools.ietf.org/html/rfc6125 for best practices on generating
certificates.

Regards,
Florian


More information about the dovecot mailing list