
Please HELP - How To Install Comodo SSL For Postfix & Dovecot?

9musashi

Basic Pleskian
Hello,
Besides the private key file, I have 2 bundles of SSL files, from Comodo and GoGetSSL:

From Comodo:
mydomain.crt
mydomain.ca-bundle
From GoGetSSL:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
my_domain.crt

FYI, I already installed the cert successfully at the HTTP level from the Plesk UI. So it's only for mail (SMTP, POP, IMAP) that I failed.

After I backed up the postfix_default.pem & ssl-cert-and-key.pem files I began the install.
For Postfix:
cat PrivateKey mydomain.crt > postfix_default.pem
cp postfix_default.pem /etc/postfix/

And for Dovecot:
cp postfix_default.pem /etc/dovecot/private/ssl-cert-and-key.pem

Restart mail:
/usr/local/psa/admin/sbin/mailmng --restart-service

And I only found that my mail client cannot connect to my mail server anymore. After some time I received a Mailer-Daemon error: TLS not available due to local problem.

Transcript of session follows.

Out: 220 mydomain ESMTP Postfix
In: EHLO [192.168.1.100]
Out: 250-mydomain
Out: 250-PIPELINING
Out: 250-SIZE 51200000
Out: 250-ETRN
Out: 250-STARTTLS
Out: 250-AUTH CRAM-MD5 PLAIN LOGIN DIGEST-MD5
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In: STARTTLS
Out: 454 4.7.0 TLS not available due to local problem

Session aborted, reason: lost connection

Could anybody help me???
 
Just to add my 2 cents...
Make sure the certificate is in this order in the .pem file...

private.key
my_domain.crt
COMODORSADomainValidationSecureServerCA.crt
COMODORSAAddTrustCA.crt

That looks to be the order of the intermediate certificates - https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/620/0/
Notice I haven't included the USERTrust Root CA as this should not be sent to the client. When it is present you will receive "Chain Issues" when testing http at ssllabs.

Regards

Lloyd
 
Hello, after I created this thread I read my old step-by-step instructions from when I installed Postfix and Dovecot without a panel, and it works!!!

These are my steps; please correct me if this is wrong:

First create the ssl-bundle file:
cat mydomain.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt

Then edit /etc/postfix/main.cf:
smtpd_tls_cert_file = /root/ssl/mydomain.crt
smtpd_tls_key_file = /root/ssl/private.key
smtpd_tls_CAfile = /root/ssl/ssl-bundle.crt
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_session_cache_timeout = 3600s

Edit /etc/dovecot/dovecot.conf:
ssl_cert = </root/ssl/mydomain.crt
ssl_key = </root/ssl/private.key
ssl_ca = </root/ssl/mydomain.crt

service postfix restart
service dovecot restart
/usr/local/psa/admin/sbin/mailmng --restart-service

And now it works.


My questions:
1. Will Plesk overwrite my settings in main.cf & dovecot.conf in the future?
2. Please correct me if I did something wrong in those steps.

Thank you
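Before putting a hand-made bundle into postfix_default.pem or ssl-cert-and-key.pem, it is worth checking that the key and certificate belong together and that the certificates are in the order Lloyd describes (server cert, then each intermediate that issued the one before it, no root). The script below is an added example, not code from this thread or from Plesk; it assumes only the openssl CLI, and the file paths in its comments are illustrative. The last function reproduces the failing STARTTLS exchange from the first post against a live server so the served chain can be read off directly.

```shell
#!/bin/sh
# check_mail_tls.sh -- added example, not code from the thread or from Plesk.
# Sanity-checks a key + certificate bundle before it goes into
# postfix_default.pem / ssl-cert-and-key.pem, and probes a live server.
# Assumes the openssl CLI is installed; all paths are illustrative.

# Print "match" when the private key in $1 belongs to the first CERTIFICATE
# block in $2, else "mismatch". Both sides are exported as PEM public keys
# (SubjectPublicKeyInfo) and compared byte for byte, so RSA and EC both work.
key_matches_cert() {
    key="$1"; bundle="$2"; t=$(mktemp -d)
    openssl pkey -in "$key" -pubout -out "$t/k.pem" 2>/dev/null &&
    openssl x509 -in "$bundle" -pubkey -noout > "$t/c.pem" 2>/dev/null &&
    cmp -s "$t/k.pem" "$t/c.pem" && r=match || r=mismatch
    rm -rf "$t"; echo "$r"
}

# Check the order Lloyd describes: server cert first, then each intermediate
# that issued the one before it. Prints "ok", "broken-at-N" (cert N is not
# the issuer of cert N-1), "root-included" (the last cert is self-signed,
# i.e. a root that should not be shipped to clients) or "no-certs".
chain_order() {
    bundle="$1"; t=$(mktemp -d); result=ok; prev_issuer=""; i=0; self_signed=0
    # Split the bundle into one file per CERTIFICATE block; key blocks are skipped.
    awk -v d="$t" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%03d.pem", d, n) }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }' "$bundle"
    for c in "$t"/*.pem; do
        [ -e "$c" ] || { result=no-certs; break; }
        i=$((i + 1))
        subj=$(openssl x509 -in "$c" -noout -subject); subj=${subj#subject=}
        iss=$(openssl x509 -in "$c" -noout -issuer);   iss=${iss#issuer=}
        if [ -n "$prev_issuer" ] && [ "$subj" != "$prev_issuer" ] && [ "$result" = ok ]; then
            result="broken-at-$i"
        fi
        prev_issuer=$iss
        self_signed=0; [ "$subj" = "$iss" ] && self_signed=1
    done
    [ "$result" = ok ] && [ "$self_signed" = 1 ] && result=root-included
    rm -rf "$t"; echo "$result"
}

# Live check of the symptom in the thread: open an SMTP session, issue
# STARTTLS and print the chain the server actually serves plus the verify
# result. A failed handshake shows up as an error line here; the reason
# Postfix could not load its key/cert is in /var/log/maillog.
probe_starttls() {
    host="$1"; port="${2:-25}"
    openssl s_client -connect "$host:$port" -starttls smtp -showcerts </dev/null 2>&1 \
        | grep -E '^ *[0-9]+ s:|^ *i:|Verify return code|error'
}

# Usage: ./check_mail_tls.sh /root/ssl/private.key /etc/postfix/postfix_default.pem
if [ "$#" -eq 2 ]; then
    echo "key/cert: $(key_matches_cert "$1" "$2")"
    echo "chain:    $(chain_order "$2")"
fi
```

Run it against the combined file before restarting the services; a "broken-at-2" means the first intermediate pasted after the server cert is not the one that signed it, and "root-included" is exactly the "Chain Issues" warning Lloyd mentions.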
 
1. Will Plesk overwrite my settings in main.cf & dovecot.conf in the future?
You can check it by adding changes to main.cf or dovecot.conf and then running /usr/local/psa/admin/sbin/mchk. If, after that, your changes are still present in the configs, then Plesk will not overwrite them.
 
You can check it by adding changes to main.cf or dovecot.conf and then running /usr/local/psa/admin/sbin/mchk. If, after that, your changes are still present in the configs, then Plesk will not overwrite them.

Yes, it replaced my settings in main.cf:
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_key_file = $smtpd_tls_cert_file

What do I have to do to prevent that? Use the "chattr +i" command? Or do you have a better idea? Thank you Igor
 
Just to add my 2 cents...
Make sure the certificate is in this order in the .pem file...

private.key
my_domain.crt
COMODORSADomainValidationSecureServerCA.crt
COMODORSAAddTrustCA.crt

That looks to be the order of the intermediate certificates - https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/620/0/
Notice I haven't included the USERTrust Root CA as this should not be sent to the client. When it is present you will receive "Chain Issues" when testing http at ssllabs.

Regards

Lloyd

Hello Lloyd, I followed your instructions but it's not working.
 
Did you do the same for the Dovecot one, /etc/dovecot/private/ssl-cert-and-key.pem, and restart them?

What errors are thrown in /var/log/maillog? /var/log/mail.err?

You don't have an empty directive...

smtpd_tls_CAfile =

If you do, remove it.
Let me know and I'll help get it working.

Regards

Lloyd

EDIT: Obviously Dovecot is easier as you can just create a snippet ...

/etc/dovecot/conf.d/10-my-ssl.conf

And add whatever paths you want and they won't be overwritten.
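Lloyd's snippet approach, as an added example that is not part of the thread: a small shell function that writes the Dovecot override into a conf.d file and a helper to read back what it wrote, with the commands to confirm which value Dovecot actually uses. The snippet name and the /root/ssl paths are the ones used earlier in the thread; the target directory is a parameter so the function can be tried on a scratch directory first. That dovecot.conf includes conf.d/*.conf and that mchk leaves the snippet alone are Lloyd's statements, not verified here.

```shell
#!/bin/sh
# dovecot_ssl_snippet.sh -- added example, not from the thread or from Plesk.
# Writes the per-site SSL override Lloyd suggests into a conf.d snippet and
# shows how to confirm it is the value Dovecot actually loads.

# Write the override into $1/10-my-ssl.conf.
#   $2 = certificate chain file (server cert followed by its intermediates)
#   $3 = private key file
# Prints the path of the file it wrote.
write_dovecot_ssl_snippet() {
    dir="$1"; chain="$2"; key="$3"
    cat > "$dir/10-my-ssl.conf" <<EOF
# Admin-managed SSL override (kept out of dovecot.conf; see forum thread).
ssl = required
ssl_cert = <$chain
ssl_key = <$key
EOF
    echo "$dir/10-my-ssl.conf"
}

# Print the ssl_cert value found in a snippet file (empty if absent).
snippet_ssl_cert() {
    sed -n 's/^ssl_cert = //p' "$1"
}

# Usage on a Plesk host (paths from the thread; run as root):
#   write_dovecot_ssl_snippet /etc/dovecot/conf.d /root/ssl/mydomain-chain.crt /root/ssl/private.key
#   doveconf -n ssl_cert ssl_key    # prints the effective values after includes are applied
#   service dovecot restart
#   /usr/local/psa/admin/sbin/mchk  # then re-run doveconf -n to see whether the override survived
```

The `doveconf -n` check is the part that answers the "will Plesk overwrite it" question for Dovecot: if the printed ssl_cert still points at the chain file after mchk, the snippet is the setting in force, whatever dovecot.conf itself says.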
 