Certificate and showing a sign-cert not there

newer
Outlook 2019 and push notifications

older
Config for filtering (ignoring)...

Wayne Spivak

8 Feb 2022 8 Feb '22

4:53 p.m.

Hi -

I am running Postfix 3.6.4 with Dovecot 2.3.17.1 (476cd46418).

I have a multi-signed cert from Entrust.

The cert works fine on port 25.

However, on Port 587 I get an error: c

[root@mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993 -servername mcq.sbanetweb.com

CONNECTED(00000003)

depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com

verify error:num=20:unable to get local issuer certificate

verify return:1

depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com

verify error:num=21:unable to verify the first certificate

verify return:1

depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com

verify return:1

Certificate chain

0 s:C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com

i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms http://www.entrust.net/legal-terms , OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K

[root@mcq wbs]# dovecot -n

# 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf

# OS: Linux 5.16.5-200.fc35.x86_64 x86_64 Fedora release 35 (Thirty Five)

# Hostname: mcq.sbanetweb.com

auth_mechanisms = plain login

disable_plaintext_auth = no

mbox_write_locks = fcntl

namespace inbox {

inbox = yes

location =

mailbox Drafts {

special_use = \Drafts

}

mailbox Junk {

special_use = \Junk

}

mailbox Sent {

special_use = \Sent

}

mailbox "Sent Messages" {

special_use = \Sent

}

mailbox Trash {

special_use = \Trash

}

prefix =

}

passdb {

driver = pam

}

protocols = imap

service auth {

unix_listener /var/spool/postfix/private/auth {

group = postfix

mode = 0666

user = postfix

}

unix_listener auth-userdb {

group = postfix

mode = 0666

user = postfix

}

service imap-login {

inet_listener imap {

port = 143

}

inet_listener imaps {

port = 993

ssl = yes

}

service submission-login {

inet_listener submission {

port = 587

}

ssl = required

ssl_cert =

ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-G CM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AE S128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA25 6:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE- ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES1 28-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE -DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES12 8-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNUL L:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-D ES-CBC3-SHA:!KRB5-DES-CBC3-SHA

ssl_client_ca_dir = /etc/postfix/tls/

ssl_client_ca_file = ChainBundle.pem

ssl_dh = # hidden, use -P to show it

ssl_key = # hidden, use -P to show it

ssl_prefer_server_ciphers = yes

userdb {

driver = passwd

}

protocol imap {

mail_max_userip_connections = 15

}

Any ideas?

Wayne Spivak

SBANETWEB.com

Attachments:

attachment.html (text/html — 8.5 KB)

Show replies by date

Christian Kivalo

8 Feb 8 Feb

6:47 p.m.

On 2022-02-08 15:53, Wayne Spivak wrote:

...

Hi -

I am running Postfix 3.6.4 with Dovecot 2.3.17.1 (476cd46418).

I have a multi-signed cert from Entrust.

The cert works fine on port 25. Certificates on port 25 verify ok for me.

However, on Port 587 I get an error: c Certificates on port 587 verify ok for me.

[root@mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993 -servername mcq.sbanetweb.com

Now you check port 993? For me the certificates also don't verify on port 993.

Have you built your certificate file correctly? The intermediate cert seems to be missing.

For port 25, 587 you send a chain of 3 certificates. For port 993 you only send one certificate.

...

CONNECTED(00000003)

depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com

verify error:num=20:unable to get local issuer certificate

verify return:1

depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com

verify error:num=21:unable to verify the first certificate

verify return:1

depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com

verify return:1

Certificate chain

0 s:C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com

i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms [1], OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K

[root@mcq wbs]# dovecot -n

# 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf

# OS: Linux 5.16.5-200.fc35.x86_64 x86_64 Fedora release 35 (Thirty Five)

# Hostname: mcq.sbanetweb.com

auth_mechanisms = plain login

disable_plaintext_auth = no

mbox_write_locks = fcntl

namespace inbox {

inbox = yes

location =

mailbox Drafts {
special_use = \Drafts
}

mailbox Junk {
special_use = \Junk
}

mailbox Sent {
special_use = \Sent
}

mailbox "Sent Messages" {
special_use = \Sent
}

mailbox Trash {
special_use = \Trash
}

prefix =

}

passdb {

driver = pam

}

protocols = imap

service auth {

unix_listener /var/spool/postfix/private/auth {
group = postfix

mode = 0666

user = postfix
}

unix_listener auth-userdb {
group = postfix

mode = 0666

user = postfix
}

}

service imap-login {

inet_listener imap {
port = 143
}

inet_listener imaps {
port = 993

ssl = yes
}

}

service submission-login {

inet_listener submission {
port = 587
}

}

ssl = required

ssl_cert =

In what order are the certificates in here?

See https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#id7

...

ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

ssl_client_ca_dir = /etc/postfix/tls/

ssl_client_ca_file = ChainBundle.pem

ssl_dh = # hidden, use -P to show it

ssl_key = # hidden, use -P to show it

ssl_prefer_server_ciphers = yes

userdb {

driver = passwd

}

protocol imap {

mail_max_userip_connections = 15

}

Any ideas?

Wayne Spivak

SBANETWEB.com

Links:

[1] http://www.entrust.net/legal-terms

-- Christian Kivalo

Wayne Spivak

8:56 p.m.

Hi Christian,

Thanks for answering. I think you found my issue.

I now get:

[root@mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993 -servername mcq.sbanetweb.com CONNECTED(00000003) depth=2 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2 verify return:1 depth=1 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K verify return:1 depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com verify return:1

Certificate chain 0 s:C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K 1 s:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2

I hope this fixes the issue?

THANK YOU!!!!!!!!

Wayne

-----Original Message----- From: dovecot dovecot-bounces@dovecot.org On Behalf Of Christian Kivalo Sent: Tuesday, February 8, 2022 11:48 AM To: dovecot@dovecot.org Subject: Re: Certificate and showing a sign-cert not there

On 2022-02-08 15:53, Wayne Spivak wrote:

...

Hi -

I am running Postfix 3.6.4 with Dovecot 2.3.17.1 (476cd46418).

I have a multi-signed cert from Entrust.

The cert works fine on port 25. Certificates on port 25 verify ok for me.

However, on Port 587 I get an error: c Certificates on port 587 verify ok for me.

[root@mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993 -servername mcq.sbanetweb.com

Now you check port 993? For me the certificates also don't verify on port 993.

Have you built your certificate file correctly? The intermediate cert seems to be missing.

For port 25, 587 you send a chain of 3 certificates. For port 993 you only send one certificate.

...

CONNECTED(00000003)

depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com

verify error:num=20:unable to get local issuer certificate

verify return:1

depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com

verify error:num=21:unable to verify the first certificate

verify return:1

depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com

verify return:1

Certificate chain

0 s:C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com

i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms [1], OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K

[root@mcq wbs]# dovecot -n

# 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf

# OS: Linux 5.16.5-200.fc35.x86_64 x86_64 Fedora release 35 (Thirty Five)

# Hostname: mcq.sbanetweb.com

auth_mechanisms = plain login

disable_plaintext_auth = no

mbox_write_locks = fcntl

namespace inbox {

inbox = yes

location =

mailbox Drafts {
special_use = \Drafts
}

mailbox Junk {
special_use = \Junk
}

mailbox Sent {
special_use = \Sent
}

mailbox "Sent Messages" {
special_use = \Sent
}

mailbox Trash {
special_use = \Trash
}

prefix =

}

passdb {

driver = pam

}

protocols = imap

service auth {

unix_listener /var/spool/postfix/private/auth {
group = postfix

mode = 0666

user = postfix
}

unix_listener auth-userdb {
group = postfix

mode = 0666

user = postfix
}

}

service imap-login {

inet_listener imap {
port = 143
}

inet_listener imaps {
port = 993

ssl = yes
}

}

service submission-login {

inet_listener submission {
port = 587
}

}

ssl = required

ssl_cert =

In what order are the certificates in here?

See https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#id7

...

ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AE S256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA25 6:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE- ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE- RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE -ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES 128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA :AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES12 8-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES: !RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB 5-DES-CBC3-SHA

ssl_client_ca_dir = /etc/postfix/tls/

ssl_client_ca_file = ChainBundle.pem

ssl_dh = # hidden, use -P to show it

ssl_key = # hidden, use -P to show it

ssl_prefer_server_ciphers = yes

userdb {

driver = passwd

}

protocol imap {

mail_max_userip_connections = 15

}

Any ideas?

Wayne Spivak

SBANETWEB.com

Links:

[1] http://www.entrust.net/legal-terms

-- Christian Kivalo

justina colmena ~biz

9:44 p.m.

In general:

Lots of mail servers out in the wild do not require TLS or even bother to verifying TLS certificates when connecting to a remote server on port 25.

However, desktop and mobile email *clients* tend to be much stricter about verifying server certificates when connecting via SSL or TLS, mainly to protect user passwords.

Sometimes the server certificate needs to be presented with a "full chain" appended to it for verification. That has been an issue before when I've used some certs, particularly StartSSL before Letsencrypt started offering free certs.

On February 8, 2022 5:53:34 AM AKST, Wayne Spivak WSpivak@SBANetWeb.com wrote:

...

Hi -

I am running Postfix 3.6.4 with Dovecot 2.3.17.1 (476cd46418).

I have a multi-signed cert from Entrust.

The cert works fine on port 25.

However, on Port 587 I get an error: c

[root@mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993 -servername mcq.sbanetweb.com

CONNECTED(00000003)

depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com

verify error:num=20:unable to get local issuer certificate

verify return:1

depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com

verify error:num=21:unable to verify the first certificate

verify return:1

depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com

verify return:1

Certificate chain

0 s:C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com

i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms http://www.entrust.net/legal-terms , OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K

[root@mcq wbs]# dovecot -n

# 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf

# OS: Linux 5.16.5-200.fc35.x86_64 x86_64 Fedora release 35 (Thirty Five)

# Hostname: mcq.sbanetweb.com

auth_mechanisms = plain login

disable_plaintext_auth = no

mbox_write_locks = fcntl

namespace inbox {

inbox = yes

location =

mailbox Drafts {

special_use = \Drafts

}

mailbox Junk {

special_use = \Junk

}

mailbox Sent {

special_use = \Sent

}

mailbox "Sent Messages" {

special_use = \Sent

}

mailbox Trash {

special_use = \Trash

}

prefix =

}

passdb {

driver = pam

}

protocols = imap

service auth {

unix_listener /var/spool/postfix/private/auth {

group = postfix

mode = 0666

user = postfix

}

unix_listener auth-userdb {

group = postfix

mode = 0666

user = postfix

}

}

service imap-login {

inet_listener imap {

port = 143

}

inet_listener imaps {

port = 993

ssl = yes

}

}

service submission-login {

inet_listener submission {

port = 587

}

}

ssl = required

ssl_cert =
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-G CM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AE S128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA25 6:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE- ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES1 28-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE -DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES12 8-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNUL L:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-D ES-CBC3-SHA:!KRB5-DES-CBC3-SHA

ssl_client_ca_dir = /etc/postfix/tls/

ssl_client_ca_file = ChainBundle.pem

ssl_dh = # hidden, use -P to show it

ssl_key = # hidden, use -P to show it

ssl_prefer_server_ciphers = yes

userdb {

driver = passwd

}

protocol imap {

mail_max_userip_connections = 15

}

Any ideas?

Wayne Spivak

SBANETWEB.com

-- Sent from my Android device with K-9 Mail. Please excuse my brevity.

Wayne Spivak

9 Feb 9 Feb

3:13 a.m.

Justina,

The vendor I have, which is having the difficulty is still saying he gets a self-signed cert… but as I showed in my last email after I added Intermediate to the certificate, everything was ok.

So ServerCert, Intermediate, Root in same file should solve this?

Wayne

From: dovecot dovecot-bounces@dovecot.org On Behalf Of justina colmena ~biz Sent: Tuesday, February 8, 2022 2:44 PM To: dovecot@dovecot.org Subject: Re: Certificate and showing a sign-cert not there

In general:

Lots of mail servers out in the wild do not require TLS or even bother to verifying TLS certificates when connecting to a remote server on port 25.

However, desktop and mobile email *clients* tend to be much stricter about verifying server certificates when connecting via SSL or TLS, mainly to protect user passwords.

On February 8, 2022 5:53:34 AM AKST, Wayne Spivak mailto:WSpivak@SBANetWeb.com > wrote:

Hi –

I am running Postfix 3.6.4 with Dovecot 2.3.17.1 (476cd46418).

I have a multi-signed cert from Entrust.

The cert works fine on port 25.

However, on Port 587 I get an error: c

[root@mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993 -servername mcq.sbanetweb.com

CONNECTED(00000003)

depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com

verify error:num=20:unable to get local issuer certificate

verify return:1

depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com

verify error:num=21:unable to verify the first certificate

verify return:1

depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com

verify return:1

Certificate chain

0 s:C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com

[root@mcq wbs]# dovecot -n

# 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf

# OS: Linux 5.16.5-200.fc35.x86_64 x86_64 Fedora release 35 (Thirty Five)

# Hostname: mcq.sbanetweb.com

auth_mechanisms = plain login

disable_plaintext_auth = no

mbox_write_locks = fcntl

namespace inbox {

inbox = yes

location =

mailbox Drafts {

special_use = \Drafts

}

mailbox Junk {

special_use = \Junk

}

mailbox Sent {

special_use = \Sent

}

mailbox "Sent Messages" {

special_use = \Sent

}

mailbox Trash {

special_use = \Trash

}

prefix =

}

passdb {

driver = pam

}

protocols = imap

service auth {

unix_listener /var/spool/postfix/private/auth {

group = postfix

mode = 0666

user = postfix

}

unix_listener auth-userdb {

group = postfix

mode = 0666

user = postfix

}

service imap-login {

inet_listener imap {

port = 143

}

inet_listener imaps {

port = 993

ssl = yes

}

service submission-login {

inet_listener submission {

port = 587

}

ssl = required

ssl_cert =

ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

ssl_client_ca_dir = /etc/postfix/tls/

ssl_client_ca_file = ChainBundle.pem

ssl_dh = # hidden, use -P to show it

ssl_key = # hidden, use -P to show it

ssl_prefer_server_ciphers = yes

userdb {

driver = passwd

}

protocol imap {

mail_max_userip_connections = 15

}

Any ideas?

Wayne Spivak

SBANETWEB.com

-- Sent from my Android device with K-9 Mail. Please excuse my brevity.

justina colmena ~biz

3:56 a.m.

You shouldn't need a root in the full chain, because the client already has to have the root cert, but you do need all the links in the chain up to the root.

On February 8, 2022 4:13:06 PM AKST, Wayne Spivak WSpivak@SBANetWeb.com wrote:

...

Justina,

The vendor I have, which is having the difficulty is still saying he gets a self-signed cert… but as I showed in my last email after I added Intermediate to the certificate, everything was ok.

So ServerCert, Intermediate, Root in same file should solve this?

Wayne

From: dovecot dovecot-bounces@dovecot.org On Behalf Of justina colmena ~biz Sent: Tuesday, February 8, 2022 2:44 PM To: dovecot@dovecot.org Subject: Re: Certificate and showing a sign-cert not there

In general:

Lots of mail servers out in the wild do not require TLS or even bother to verifying TLS certificates when connecting to a remote server on port 25.

However, desktop and mobile email *clients* tend to be much stricter about verifying server certificates when connecting via SSL or TLS, mainly to protect user passwords.

Sometimes the server certificate needs to be presented with a "full chain" appended to it for verification. That has been an issue before when I've used some certs, particularly StartSSL before Letsencrypt started offering free certs.

On February 8, 2022 5:53:34 AM AKST, Wayne Spivak mailto:WSpivak@SBANetWeb.com > wrote:

Hi –

I am running Postfix 3.6.4 with Dovecot 2.3.17.1 (476cd46418).

I have a multi-signed cert from Entrust.

The cert works fine on port 25.

However, on Port 587 I get an error: c

[root@mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993 -servername mcq.sbanetweb.com

CONNECTED(00000003)

depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com

verify error:num=20:unable to get local issuer certificate

verify return:1

depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com

verify error:num=21:unable to verify the first certificate

verify return:1

depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com

verify return:1

Certificate chain

0 s:C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com

i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms http://www.entrust.net/legal-terms , OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K

[root@mcq wbs]# dovecot -n

# 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf

# OS: Linux 5.16.5-200.fc35.x86_64 x86_64 Fedora release 35 (Thirty Five)

# Hostname: mcq.sbanetweb.com

auth_mechanisms = plain login

disable_plaintext_auth = no

mbox_write_locks = fcntl

namespace inbox {

inbox = yes

location =

mailbox Drafts {

special_use = \Drafts

}

mailbox Junk {

special_use = \Junk

}

mailbox Sent {

special_use = \Sent

}

mailbox "Sent Messages" {

special_use = \Sent

}

mailbox Trash {

special_use = \Trash

}

prefix =

}

passdb {

driver = pam

}

protocols = imap

service auth {

unix_listener /var/spool/postfix/private/auth {

group = postfix

mode = 0666

user = postfix

}

unix_listener auth-userdb {

group = postfix

mode = 0666

user = postfix

}

}

service imap-login {

inet_listener imap {

port = 143

}

inet_listener imaps {

port = 993

ssl = yes

}

}

service submission-login {

inet_listener submission {

port = 587

}

}

ssl = required

ssl_cert =
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

ssl_client_ca_dir = /etc/postfix/tls/

ssl_client_ca_file = ChainBundle.pem

ssl_dh = # hidden, use -P to show it

ssl_key = # hidden, use -P to show it

ssl_prefer_server_ciphers = yes

userdb {

driver = passwd

}

protocol imap {

mail_max_userip_connections = 15

}

Any ideas?

Wayne Spivak

SBANETWEB.com

-- Sent from my Android device with K-9 Mail. Please excuse my brevity.

-- Sent from my Android device with K-9 Mail. Please excuse my brevity.

Plutocrat

4:25 a.m.

Wayne Spivak

1:42 p.m.

That I have, thank you Justina

From: dovecot dovecot-bounces@dovecot.org On Behalf Of justina colmena ~biz Sent: Tuesday, February 8, 2022 8:57 PM To: dovecot@dovecot.org Subject: RE: Certificate and showing a sign-cert not there

You shouldn't need a root in the full chain, because the client already has to have the root cert, but you do need all the links in the chain up to the root.

On February 8, 2022 4:13:06 PM AKST, Wayne Spivak mailto:WSpivak@SBANetWeb.com > wrote:

Justina,

The vendor I have, which is having the difficulty is still saying he gets a self-signed cert… but as I showed in my last email after I added Intermediate to the certificate, everything was ok.

So ServerCert, Intermediate, Root in same file should solve this?

Wayne

From: dovecot mailto:dovecot-bounces@dovecot.org > On Behalf Of justina colmena ~biz Sent: Tuesday, February 8, 2022 2:44 PM To: dovecot@dovecot.org mailto:dovecot@dovecot.org Subject: Re: Certificate and showing a sign-cert not there

In general:

Lots of mail servers out in the wild do not require TLS or even bother to verifying TLS certificates when connecting to a remote server on port 25.

However, desktop and mobile email *clients* tend to be much stricter about verifying server certificates when connecting via SSL or TLS, mainly to protect user passwords.

On February 8, 2022 5:53:34 AM AKST, Wayne Spivak mailto:WSpivak@SBANetWeb.com > wrote:

Hi –

I am running Postfix 3.6.4 with Dovecot 2.3.17.1 (476cd46418).

I have a multi-signed cert from Entrust.

The cert works fine on port 25.

However, on Port 587 I get an error: c

[root@mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993 -servername mcq.sbanetweb.com

CONNECTED(00000003)

depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com

verify error:num=20:unable to get local issuer certificate

verify return:1

depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com

verify error:num=21:unable to verify the first certificate

verify return:1

depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com

verify return:1

Certificate chain

0 s:C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com

[root@mcq wbs]# dovecot -n

# 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf

# OS: Linux 5.16.5-200.fc35.x86_64 x86_64 Fedora release 35 (Thirty Five)

# Hostname: mcq.sbanetweb.com

auth_mechanisms = plain login

disable_plaintext_auth = no

mbox_write_locks = fcntl

namespace inbox {

inbox = yes

location =

mailbox Drafts {

special_use = \Drafts

}

mailbox Junk {

special_use = \Junk

}

mailbox Sent {

special_use = \Sent

}

mailbox "Sent Messages" {

special_use = \Sent

}

mailbox Trash {

special_use = \Trash

}

prefix =

}

passdb {

driver = pam

}

protocols = imap

service auth {

unix_listener /var/spool/postfix/private/auth {

group = postfix

mode = 0666

user = postfix

}

unix_listener auth-userdb {

group = postfix

mode = 0666

user = postfix

}

service imap-login {

inet_listener imap {

port = 143

}

inet_listener imaps {

port = 993

ssl = yes

}

service submission-login {

inet_listener submission {

port = 587

}

ssl = required

ssl_cert =

ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

ssl_client_ca_dir = /etc/postfix/tls/

ssl_client_ca_file = ChainBundle.pem

ssl_dh = # hidden, use -P to show it

ssl_key = # hidden, use -P to show it

ssl_prefer_server_ciphers = yes

userdb {

driver = passwd

}

protocol imap {

mail_max_userip_connections = 15

}

Any ideas?

Wayne Spivak

SBANETWEB.com

-- Sent from my Android device with K-9 Mail. Please excuse my brevity.

Wayne Spivak

10 Feb 10 Feb

12:11 a.m.

To all, we finally succeeded in solving the problem.

I believe changing the Servercert to Servercert + Intermediate solved the issue.

Thank you all for your help.

Jochen Bern

9 Feb 9 Feb

10:14 a.m.

On 09.02.22 02:13, Wayne Spivak wrote:

...

The vendor I have, which is having the difficulty is still saying he gets a self-signed cert… but as I showed in my last email after I added Intermediate to the certificate, everything was ok.

"*A* self-signed cert" would match the root cert that your have (had?) in your chain, though it would be unusual that *that* would prompt a client to complain.

"*Only* a self-signed cert" would likely be some middleboxes' doing. As justina pointed out, e-mail systems are still not in the habit of doing full verification of certs, so MitM attacks are definitely possible.

[Still vividly remembers finding that a certain camping ground's WiFi transparently redirects geusts' SMTP/IMAP to a snooping, SSL-enabled server ...]

Kind regards,

Jochen Bern Systemingenieur

Binect GmbH

1010

Age (days ago)

1011

Last active (days ago)

List overview

9 comments

5 participants

participants (5)

Christian Kivalo
Jochen Bern
justina colmena ~biz
Plutocrat
Wayne Spivak