
Postfix / Dovecot Cert Error

Ares

New Pleskian
My Postfix / Dovecot certificates are somehow not configured correctly. I think the CA-cert is missing, but I'm not 100% sure how to fix this. The certificates on the website are working fine btw.

Android Error Message (Mail with SSL/TLS): java.security.cert.certpathvalidatorexception
Thunderbird Error Message (Mail with SSL/TLS):
Wrong Site: Certificate belongs to a different site, which could indicate an identity theft.
Unknown Identity: Certificate is not trusted, because it hasn't been verified by recognized authority.
Thunderbird -> View Certificate

user@server:/usr/share$ openssl s_client -showcerts -connect mail.domain.tld:995
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.domain.tld
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.domain.tld
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.domain.tld
verify error:num=21:unable to verify the first certificate
verify return:1


I put my key / cert in the following files:
/etc/postfix/postfix_default.pem
/etc/dovecot/private/ssl-cert-and-key.pem

The certificate is a Comodo PositiveSSL if this matters.
 
Hi Ares,

please be informed that you have to tell openssl where it should look for verification if the certificates are not installed in the standard locations:

openssl s_client -connect mail.domain.tld:25 -starttls smtp -CApath /etc/ssl/certs

regarding these errors:
verify error:num=20:unable to get local issuer certificate
verify error:num=27:certificate not trusted
verify error:num=21:unable to verify the first certificate
Unknown Identity: Certificate is not trusted, because it hasn't been verified by recognized authority.


Another reason why your configuration will result in issues/failures/errors is the fact that "www.domain.tld" is not the same as "mail.domain.tld". That's why you see:

Wrong Site: Certificate belongs to a different site, which could indicate an identity theft.
 
please be informed that you have to tell openssl where it should look for verification if the certificates are not installed in the standard locations
All right, but apart from that: What files do I have to modify/create (usually) for the SSL connection to work correctly? Here it says I just have to edit the files I mentioned above. What are the "standard locations"?
Another reason why your configuration will result in issues/failures/errors is the fact that "www.domain.tld" is not the same as "mail.domain.tld"
Yea, I thought that. I'll fix that later.
 
Hi Ares,

All right, but apart from that: What files do I have to modify/create (usually) for the SSL connection to work correctly? Here it says I just have to edit the files I mentioned above. What are the "standard locations"?
You found the correct KB article, but maybe you missed, for example, merging the four certificates you got from Comodo, as described in the part:
Additional Information:

/var/qmail/control/servercert.pem should include:

  1. The Private Key
  2. The primary certificate
  3. The intermediate certificate
  4. The root certificate
Make sure you include the begin and end tags of the key and each certificate, including the dash lines. The resulting text should look like:

-----BEGIN RSA PRIVATE KEY-----
..........
(Your Private Key here)
..........
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
..........
(Your Primary SSL certificate here)
..........
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
..........
(Your Intermediate certificate here)
..........
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
..........
(Your Root certificate here)
..........
-----END CERTIFICATE-----

In your case you use Postfix, so please merge the four Comodo files into "/etc/postfix/postfix_default.pem" (or any other newly created file; you just have to change your settings in "main.cf" then) for Postfix, and for Dovecot you have to merge the four Comodo files into "/etc/dovecot/private/ssl-cert-and-key.pem" (or any other newly created file; you just have to change your settings in "dovecot.conf" then).

As a reference, please use the official documentation from Comodo:

Email Certificate Installation in Postfix (external link; please inform me if the link goes dead, so I can provide another link)

And for dovecot, you could use as an example:
Code:
# PEM encoded X.509 SSL/TLS certificate and private key.
#ssl_cert = </etc/dovecot/private/ssl-cert-and-key.pem
#ssl_key =  </etc/dovecot/private/ssl-cert-and-key.pem

ssl_cert = </etc/dovecot/private/Comodo-yourdomain.crt
ssl_key = </etc/dovecot/private/Comodo-yourdomain.key
ssl_ca = </etc/dovecot/private/Comodo-ca.txt
... and again:


ssl_cert => yourdomain.crt
ssl_key => yourdomain.key
ssl_ca => ca.txt (bundle file)

... like you already configured the certificates for postfix, with the official Comodo documentation.


If you experience any certificate issues after following the official Comodo documentation, please start over again (step by step, as described in the documentation, please!), because we could only help you by posting the same step-by-step recommendation as provided by Comodo.

If you still experience certificate issues after all, you might consider opening a "per-incident" support ticket with Odin Support, so that experienced server administrators will fix your issue(s) directly on your server.
 
I think that's fixed now. Do you maybe know if it's possible to change the standard imap.domain.tld and smtp.domain.tld subdomains to domain.tld or are they essential for the mail service to work? Otherwise I'll probably need a wildcard cert.
 
I've used the following to get it fixed and tested. I'm using Plesk 12.5.30mu48.

Postfix
To create Postfix-cacerts.pem in my case:
Code:
# cat postfix-cert.pem COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > postfix-cacerts.pem
(To be precise, my own cert first, then COMODORSADomainValidationSecureServerCA.crt and then COMODORSAAddTrustCA.crt)

Code:
# /etc/postfix/main.cf
smtpd_tls_cert_file = /usr/local/etc/ssl/postfix-cert.pem
smtpd_tls_key_file = /usr/local/etc/ssl/postfix-key.pem
smtpd_tls_CAfile = /usr/local/etc/ssl/postfix-cacerts.pem
smtpd_tls_mandatory_ciphers = high

OpenSSL test commands
Code:
openssl s_client -CApath /etc/ssl/certs -CAfile /etc/ssl/certs/ca-bundle.crt -cert ./postfix-cert.pem -key ./postfix-key.pem -connect smtp.foobar.com:25 -starttls smtp
Mind the CAfile; the name can be different.


Dovecot
Code:
# /etc/dovecot/conf.d/5-custom-ssl.conf
# for debugging
verbose_ssl = yes

ssl = yes
# Path to your Certificate, preferred permissions: root:root 0444
ssl_cert = </usr/local/etc/ssl/dovecot-cert.pem

# Path to your Private Key, preferred permissions: root:root 0400
ssl_key = </usr/local/etc/ssl/dovecot-key.pem

# Path to your CA file,
ssl_ca = </usr/local/etc/ssl/comodo-positiveSSL/AddTrustExternalCARoot.crt
ssl_ca = </usr/local/etc/ssl/comodo-positiveSSL/COMODORSAAddTrustCA.crt
ssl_ca = </usr/local/etc/ssl/comodo-positiveSSL/COMODORSADomainValidationSecureServerCA.crt

ssl_verify_client_cert = yes
auth_ssl_require_client_cert = yes
# #auth_ssl_username_from_cert = yes

Code:
openssl s_client -CApath /etc/ssl/certs -CAfile /etc/ssl/certs/ca-bundle.crt -cert ./postfix-cert.pem -key ./postfix-key.pem -connect smtp.foobar.com:110 -starttls pop
openssl s_client -CApath /etc/ssl/certs -CAfile /etc/ssl/certs/ca-bundle.crt -cert ./postfix-cert.pem -key ./postfix-key.pem -connect smtp.foobar.com:143 -starttls imap

Mind the CAfile; the name can be different.
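As an added example (not from this thread, Plesk or Comodo), a small Python check for the merged PEM layout that the KB excerpt above prescribes and that the `cat` command in the last post produces: private key first, then primary, intermediate and root certificate, each marker on its own line. The block contents are constructed placeholders, not real key material.

```python
import re

# One PEM block: BEGIN label, base64 body, matching END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def merge_pem(*parts):
    """Concatenate PEM texts in the given order, like the `cat` command in
    the thread, but guaranteeing a newline between blocks (cat glues two
    marker lines together when a file lacks a trailing newline)."""
    return "".join(p if p.endswith("\n") else p + "\n" for p in parts)

def pem_labels(text):
    """Ordered block labels; every *PRIVATE KEY variant (RSA, EC, PKCS#8)
    is reported as 'PRIVATE KEY'."""
    return ["PRIVATE KEY" if lbl.endswith("PRIVATE KEY") else lbl
            for lbl, _body in PEM_BLOCK.findall(text)]

def check_bundle(text, min_certs=3):
    """Check a merged key+chain file against the KB layout: private key first,
    then primary, intermediate and root certificate. Returns findings;
    an empty list means the layout is fine."""
    findings = []
    # Two markers on one line: an END and a BEGIN dash line got glued together.
    if any(line.count("-----") > 2 for line in text.splitlines()):
        findings.append("BEGIN/END markers share a line; each needs its own line")
    labels = pem_labels(text)
    keys = [i for i, lbl in enumerate(labels) if lbl == "PRIVATE KEY"]
    certs = labels.count("CERTIFICATE")
    if not keys:
        findings.append("no private key block")
    elif len(keys) > 1:
        findings.append("more than one private key block")
    elif keys[0] != 0:
        findings.append("private key is not the first block")
    if certs < min_certs:
        findings.append(f"{certs} certificate block(s); expected primary, "
                        "intermediate and root")
    return findings

# Constructed placeholder blocks (not real key material) for a self-test.
KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEcons+tructed\n-----END RSA PRIVATE KEY-----\n"
CERT = "-----BEGIN CERTIFICATE-----\nMIIDcons+tructed\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(check_bundle(merge_pem(KEY, CERT, CERT, CERT)))  # []
    print(check_bundle(KEY + CERT.rstrip("\n") + CERT))    # glued markers
```

Run it against the real merged file with `check_bundle(open(path).read())`; a server that only sends the depth=0 certificate, as in the `s_client` output at the top of the thread, typically shows up here as too few certificate blocks.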
 