Certificate and showing a sign-cert not there

Wayne Spivak WSpivak at SBANetWeb.com
Tue Feb 8 18:56:01 UTC 2022


Hi Christian,

Thanks for answering.  I think you found my issue.

I now get:

[root at mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993 -servername mcq.sbanetweb.com
CONNECTED(00000003)
depth=2 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
verify return:1
depth=1 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
verify return:1
depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = mcq.sbanetweb.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = mcq.sbanetweb.com
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
 1 s:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
---

I hope this fixes the issue?

THANK YOU!!!!!!!!

Wayne


-----Original Message-----
From: dovecot <dovecot-bounces at dovecot.org> On Behalf Of Christian Kivalo
Sent: Tuesday, February 8, 2022 11:48 AM
To: dovecot at dovecot.org
Subject: Re: Certificate and showing a sign-cert not there



On 2022-02-08 15:53, Wayne Spivak wrote:
> Hi -
> 
> I am running Postfix 3.6.4 with Dovecot 2.3.17.1 (476cd46418).
> 
> I have a multi-signed cert from Entrust.
> 
> The cert works fine on port 25.
Certificates on port 25 verify ok for me.
> 
> However, on Port 587 I get an error: c
Certificates on port 587 verify ok for me.
> 
> [root at mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993 
> -servername mcq.sbanetweb.com

Now you check port 993? For me the certificates also don't verify on port
993.

Have you built your certificate file correctly?
The intermediate cert seems to be missing.

For port 25, 587 you send a chain of 3 certificates.
For port 993 you only send one certificate.

> 
> CONNECTED(00000003)
> depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = mcq.sbanetweb.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = mcq.sbanetweb.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = mcq.sbanetweb.com
> verify return:1
> ---
> Certificate chain
>  0 s:C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = mcq.sbanetweb.com
>    i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
> 
> [root at mcq wbs]# dovecot -n
> # 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf
> # OS: Linux 5.16.5-200.fc35.x86_64 x86_64 Fedora release 35 (Thirty Five)
> # Hostname: mcq.sbanetweb.com
> auth_mechanisms = plain login
> disable_plaintext_auth = no
> mbox_write_locks = fcntl
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   driver = pam
> }
> protocols = imap
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     group = postfix
>     mode = 0666
>     user = postfix
>   }
>   unix_listener auth-userdb {
>     group = postfix
>     mode = 0666
>     user = postfix
>   }
> }
> service imap-login {
>   inet_listener imap {
>     port = 143
>   }
>   inet_listener imaps {
>     port = 993
>     ssl = yes
>   }
> }
> service submission-login {
>   inet_listener submission {
>     port = 587
>   }
> }
> ssl = required
> ssl_cert = </etc/postfix/tls/ServerCertificate.pem
In what order are the certificates in here?

See
https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#id7

> 
> ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> ssl_client_ca_dir = /etc/postfix/tls/
> ssl_client_ca_file = ChainBundle.pem
> ssl_dh = # hidden, use -P to show it
> ssl_key = # hidden, use -P to show it
> ssl_prefer_server_ciphers = yes
> userdb {
>   driver = passwd
> }
> protocol imap {
>   mail_max_userip_connections = 15
> }
> 
> Any ideas?
> 
> Wayne Spivak
> SBANETWEB.com
> 

--
  Christian Kivalo
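The two checks Christian is doing by hand above (how many certificates the server sends, and whether the file behind ssl_cert is assembled in the right order) can be scripted. The following is an added example, not code from this thread or from the Dovecot project. It needs only the openssl command line (1.1.1 or 3.x), a POSIX sh and awk; it builds a throwaway root, intermediate and server certificate so it runs offline, and every name in it (example.test, the file names) is made up for the example. The ordering rule it enforces is the one Dovecot's ssl_cert documentation describes: the server certificate first, followed by the intermediates leading towards the root.

```shell
#!/bin/sh
# Added example (not from the dovecot thread or the Dovecot project).
# Builds root -> intermediate -> leaf, assembles three candidate ssl_cert
# bundles and checks (a) certificate order and (b) whether the leaf chains to
# the root using only what is in the bundle. All names here are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the example does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf
# Extensions for the two CA certificates and for the server certificate.
printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > ca.ext
printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:mail.example.test\n' > leaf.ext

# newkey NAME CN: EC key plus CSR, quietly.
newkey() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -config req.cnf -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

newkey root "Example Test Root CA"
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 30 \
    -out root.pem 2>/dev/null
newkey int "Example Test Issuing CA"
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 30 -out int.pem 2>/dev/null
newkey leaf "mail.example.test"
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -extfile leaf.ext -days 30 -out leaf.pem 2>/dev/null

# Three candidate bundles for ssl_cert. Only good.pem is what Dovecot needs.
cat leaf.pem int.pem > good.pem     # server cert first, then its issuer
cat int.pem leaf.pem > wrong.pem    # reversed order
cp  leaf.pem leaf_only.pem          # intermediate missing: what port 993 served

# Number of PEM certificates in a file. Against a live server the same count is
#   openssl s_client -connect host:993 -servername host -showcerts </dev/null \
#     | grep -c 'BEGIN CERTIFICATE'
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Split a bundle into part.1, part.2, ... in file order.
split_bundle() {
    rm -f part.[0-9]*
    awk '/-----BEGIN CERTIFICATE-----/ { n++ }
         n > 0 { print > ("part." n) }
         /-----END CERTIFICATE-----/ { close("part." n) }' "$1"
}

# Succeed only if each certificate is issued by the one that follows it.
# A single-certificate file is trivially "ordered"; completeness is checked
# separately by bundle_verifies.
chain_ordered() {
    split_bundle "$1"
    n=$(cert_count "$1")
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -noout -issuer -in "part.$i")
        subject=$(openssl x509 -noout -subject -in "part.$((i + 1))")
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
        i=$((i + 1))
    done
}

# Succeed only if the FIRST certificate in the bundle chains to a root in $2,
# using the other certificates in the bundle as untrusted intermediates.
bundle_verifies() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

for b in good.pem wrong.pem leaf_only.pem; do
    if chain_ordered "$b"; then o=ordered; else o=misordered; fi
    if bundle_verifies "$b" root.pem; then v=verifies; else v="does not verify"; fi
    echo "$b: $(cert_count "$b") certificate(s), $o, $v"
done
```

Note the two failure modes are independent: leaf_only.pem is "ordered" but does not verify, which is the num=20/num=21 situation from the original post, while wrong.pem verifies (openssl verify simply treats the first certificate, here the intermediate, as the target) but is misordered, so Dovecot would present the intermediate as the server certificate and the private key would not match it. Run both checks on the real ssl_cert file before restarting Dovecot, with the Entrust root as -CAfile.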


