Random addition to this thread, in case it helps ... recently had a client reporting certificate problems after Letsencrypt changed their root certificate late last year. Long story short: it boiled down to the fact he was using an ancient version of Outlook which didn't have the necessary root certificates to verify the new Letsencrypt cross-signed root cert. More recent versions of Outlook were fine. So maybe that's another line of inquiry?

P.

On 09/02/2022 09.56, justina colmena ~biz wrote:
You shouldn't need a root in the full chain, because the client already has to have the root cert, but you do need all the links in the chain up to the root.

On February 8, 2022 4:13:06 PM AKST, Wayne Spivak <WSpivak@SBANetWeb.com> wrote:

Justina,

The vendor I have, which is having the difficulty is still saying he gets a self-signed cert… but as I showed in my last email after I added Intermediate to the certificate, everything was ok.

So ServerCert, Intermediate, Root in same file should solve this?

Wayne

From: dovecot <dovecot-bounces@dovecot.org> On Behalf Of justina colmena ~biz
Sent: Tuesday, February 8, 2022 2:44 PM
To: dovecot@dovecot.org
Subject: Re: Certificate and showing a sign-cert not there

In general:

Lots of mail servers out in the wild do not require TLS or even bother verifying TLS certificates when connecting to a remote server on port 25.

However, desktop and mobile email *clients* tend to be much stricter about verifying server certificates when connecting via SSL or TLS, mainly to protect user passwords.

Sometimes the server certificate needs to be presented with a "full chain" appended to it for verification. That has been an issue before when I've used some certs, particularly StartSSL before Letsencrypt started offering free certs.

On February 8, 2022 5:53:34 AM AKST, Wayne Spivak <WSpivak@SBANetWeb.com> wrote:

Hi –

I am running Postfix 3.6.4 with Dovecot 2.3.17.1 (476cd46418).

I have a multi-signed cert from Entrust.

The cert works fine on port 25.

However, on Port 587 I get an error:

[root@mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993 -servername mcq.sbanetweb.com
CONNECTED(00000003)
depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = mcq.sbanetweb.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = mcq.sbanetweb.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = mcq.sbanetweb.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = mcq.sbanetweb.com
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K

[root@mcq wbs]# dovecot -n
# 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf
# OS: Linux 5.16.5-200.fc35.x86_64 x86_64 Fedora release 35 (Thirty Five)
# Hostname: mcq.sbanetweb.com
auth_mechanisms = plain login
disable_plaintext_auth = no
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
protocols = imap
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    group = postfix
    mode = 0666
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service submission-login {
  inet_listener submission {
    port = 587
  }
}
ssl = required
ssl_cert = </etc/postfix/tls/ServerCertificate.pem
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_client_ca_dir = /etc/postfix/tls/
ssl_client_ca_file = ChainBundle.pem
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
  driver = passwd
}
protocol imap {
  mail_max_userip_connections = 15
}

Any ideas?

Wayne Spivak

SBANETWEB.com

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
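An added example, not from anyone in this thread: it builds a throwaway root -> intermediate -> leaf chain with the openssl CLI and then checks, from the point of view of a client that trusts only the root, the three files one might point ssl_cert at. Leaf alone reproduces the "error 20: unable to get local issuer certificate" seen in the s_client output; leaf plus intermediate verifies; leaf plus intermediate plus root also verifies, the root being merely redundant. It assumes an openssl binary with its stock openssl.cnf (whose [v3_ca] section marks the self-signed root as a CA); all names, paths and subjects are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throwaway root -> intermediate -> leaf
# chain with the openssl CLI, then checks what a client that trusts only the root
# can do with the file a server presents. All names and paths are constructed.
set -e
# make_demo_chain DIR: write root.crt, inter.crt and leaf.crt (plus keys) under DIR.
make_demo_chain() {
  d=$1; mkdir -p "$d"
  # Self-signed root; the stock openssl.cnf [v3_ca] section marks it CA:TRUE.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  # Intermediate CA signed by the root (the "Entrust ... L1K" role in the thread).
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null
  # Server certificate signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
    -CAcreateserial -out "$d/leaf.crt" 2>/dev/null
}
# bundle_errnum ROOT BUNDLE: act like a client that trusts only ROOT and is handed
# BUNDLE by the server (first PEM block = server cert, the rest = extra chain certs).
# Prints the OpenSSL verify error number (20 = unable to get local issuer
# certificate) or nothing when the chain builds.
bundle_errnum() {
  leaf=$(mktemp)
  awk '/-----BEGIN CERTIFICATE-----/{n++} n==1' "$2" > "$leaf"
  openssl verify -CAfile "$1" -untrusted "$2" "$leaf" 2>&1 \
    | sed -n 's/^error \([0-9][0-9]*\) at [0-9]* depth lookup.*/\1/p' | head -n 1
  rm -f "$leaf"
}
# Three candidate files for ssl_cert: leaf only (reproduces the error in the
# thread), leaf + intermediate (what ssl_cert should point at), and leaf +
# intermediate + root (still verifies; the root is just redundant for a client).
demo() {
  d=$(mktemp -d)
  make_demo_chain "$d"
  cat "$d/leaf.crt" > "$d/leaf-only.pem"
  cat "$d/leaf.crt" "$d/inter.crt" > "$d/ServerCertificate.pem"
  cat "$d/leaf.crt" "$d/inter.crt" "$d/root.crt" > "$d/with-root.pem"
  for f in leaf-only.pem ServerCertificate.pem with-root.pem; do
    echo "$f: verify error '$(bundle_errnum "$d/root.crt" "$d/$f")'"
  done
}
demo
```

The same check works against a live server by saving what it actually sends (openssl s_client -showcerts) to a file and passing that as BUNDLE.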