Plese HELP - How To Install Comodo SSL For Postfix & Dovecot ?

[9musashi]

Hello,
Beside PrivateKey file, I have 2 bundles of SSL files from Comodo and GogetSSL -

From Comodo:
mydomain.crt
mydomain.ca-bundle

From GoGetSSL:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
my_domain.crt

FYI I already installed the cert successfully on http level from Plesk UI. So its only for mail (SMTP, POP, IMAP) that I failed.

After I backup postfix_default.pem & ssl-cert-and-key.pem file I begin to install

For Postfix
cat PrivateKey mydomain.crt > postfix_default.pem
cp postfix_default.pem /etc/postfix/

And for Dovecot
cp postfix_default.pem /etc/dovecot/private/ssl-cert-and-key.pem

Restart mail

/usr/local/psa/admin/sbin/mailmng --restart-service

And I only found that my mail client cannot connect to my mail server anymore. After some time I had received MailerDaemon error TLS not available due to local problem.

Transcript of session follows.

Out: 220 mydomain ESMTP Postfix
In: EHLO [192.168.1.100]
Out: 250-mydomain
Out: 250-PIPELINING
Out: 250-SIZE 51200000
Out: 250-ETRN
Out: 250-STARTTLS
Out: 250-AUTH CRAM-MD5 PLAIN LOGIN DIGEST-MD5
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In: STARTTLS
Out: 454 4.7.0 TLS not available due to local problem

Session aborted, reason: lost connection

Anybody could help me ???

 

[IgorG]

I would suggest you check this article - https://kb.plesk.com/en/122364

 

[IgorG]

And this thread - https://talk.plesk.com/threads/gmail-error-454-4-7-0-tls-not-available-due-to-local-problem.306872/

 

[Lloyd_mcse]

Just to add my 2cents...
Make sure the certificate is in this order in the .pem file...

private.key
my_domain.crt
COMODORSADomainValidationSecureServerCA.crt
COMODORSAAddTrustCA.crt

That looks to be the order of the intermediate certificates - https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/620/0/
Notice I haven't included the USERTrust Root CA as this should not be sent to the client. When it is present you will receive "Chain Issues" when testing http at ssllabs.

Regards

Lloyd

 

[9musashi]

Hello, after I create this thread I read my old step instructions when I install postfix dovecot without panel and it works !!!

These are my step , please correct me if this wrong:

First create ssl-bundle file

cat mydomain.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt

Then edit /etc/postfix/main.cf

smtpd_tls_cert_file = /root/ssl/mydomain.crt
smtpd_tls_key_file = /root/ssl/private.key
smtpd_tls_CAfile = /root/ssl/ssl-bundle.crt
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_session_cache_timeout = 3600s

edit /etc/dovecot/dovecot.conf

ssl_cert = </root/ssl/mydomain.crt
ssl_key = </root/ssl/private.key
ssl_ca = </root/ssl/mydomain.crt

service postfix restart
service dovecot restart
/usr/local/psa/admin/sbin/mailmng --restart-service

And now it works


My question -
1. Will Plesk overwrite my setting at main.cf & dovecot.conf in the future ?
2. Please correct me if I did something wrong with those steps

Thank you

 

[IgorG]

1. Will Plesk overwrite my setting at main.cf & dovecot.conf in the future ?

You can check it by adding changes into main.cf or dovecot.conf, and then run /usr/local/psa/admin/sbin/mchk. If, after that, your changes are present in configs, then Plesk will not overwrite it.

 

[9musashi]

You can check it by adding changes into main.cf or dovecot.conf, and then run /usr/local/psa/admin/sbin/mchk. If, after that, your changes are present in configs, then Plesk will not overwrite it.

Yes it replaced my setting at main.cf

smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_key_file = $smtpd_tls_cert_file

What I have to do to prevent that ? Use "chattr +i" command ? Or do you have better idea ? Thank you Igor

 

[9musashi]

Just to add my 2cents...
Make sure the certificate is in this order in the .pem file...

private.key
my_domain.crt
COMODORSADomainValidationSecureServerCA.crt
COMODORSAAddTrustCA.crt

That looks to be the order of the intermediate certificates - https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/620/0/
Notice I haven't included the USERTrust Root CA as this should not be sent to the client. When it is present you will receive "Chain Issues" when testing http at ssllabs.

Regards

Lloyd

Hello Lloyd, I follow you instruction but its not working.

 

[Lloyd_mcse]

Did you do the same for the dovecot one /etc/dovecot/private/ssl-cert-and-key.pem and restarted them?

What errors are thrown in /var/log/maillog? /var/log/mail.err?

You don't have an empty directive...

smtpd_tls_CAfile =

If you do remove it.
Let me know and I'll help get it working.

Regards

Lloyd

EDIT: Obviously Dovecot is easier as you can just create a snippet ...

/etc/dovecot/conf.d/10-my-ssl.conf

And add whatever paths you want and they won't be overwritten.