Hi –
I am running Postfix 3.6.4 with Dovecot 2.3.17.1 (476cd46418).
I have a multi-signed cert from Entrust.
The cert works fine on port 25.
However, on Port 587 I get an error: c
[root@mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993 -servername mcq.sbanetweb.com
CONNECTED(00000003)
depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com
verify return:1
---
Certificate chain
0 s:C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com
i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
[root@mcq wbs]# dovecot -n
# 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf
# OS: Linux 5.16.5-200.fc35.x86_64 x86_64 Fedora release 35 (Thirty Five)
# Hostname: mcq.sbanetweb.com
auth_mechanisms = plain login
disable_plaintext_auth = no
mbox_write_locks = fcntl
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
driver = pam
}
protocols = imap
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
}
unix_listener auth-userdb {
group = postfix
mode = 0666
user = postfix
}
}
service imap-login {
inet_listener imap {
port = 143
}
inet_listener imaps {
port = 993
ssl = yes
}
}
service submission-login {
inet_listener submission {
port = 587
}
}
ssl = required
ssl_cert = </etc/postfix/tls/ServerCertificate.pem
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_client_ca_dir = /etc/postfix/tls/
ssl_client_ca_file = ChainBundle.pem
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
driver = passwd
}
protocol imap {
mail_max_userip_connections = 15
}
Any ideas?
Wayne Spivak
SBANETWEB.com