Resolved Problens with SSL/TLS certificate in client mail

[Luciano Sato]

I have problem with the certificate for web mails. The client mail shows invalid certificate message.

The server only gives preference to certificate Configured in "Home/Tools & Settings/SSL/TLS Certificates".

When I setup a SSL certificate in domain and email (using Let's Encrypt or Rapid SSL or Comodo), it does not work. The email client alerts for invalid certificate and shows the certificate configured on the "Home/Tools & Settings/SSL/TLS Certificates" not the certificate configured in the domain.

Would be some plesk bug?




OS ‪CentOS Linux 7.3.1611 (Core)‬
Product Plesk Onyx
Version 17.5.3 Update #12, last updated on July 8, 2017 11:18 AM

 

[UFHH01]

Hi Luciano Sato,

Would be some plesk bug?

No, this is not a Plesk - related bug. You are just missing depending additional configurations, if you host multiple domains/IPs on your server.

Previous examples are mentioned here:

=> #2
=> #11​

The serverwide settings to secure your eMail - server, is currently setup with ONE certificate, as you may see at:

=> HOME > Tools & Settings > SSL/TLS Certificates

( Option: => Certificate for securing mail )​

 

[Hans Huckebein]

I still struggle to get it working for 2 domains too. Thought there would be more support in plesk for this kind of operation but .. Anyway.
I found that the default is now dovecot for IMAP/POP3.
@UFHH01 are the links you mentioned #2/#11 are still valid or is there anything one should additionally care of.
Thx

Bernd

P.S. Should have said that I'm running a Debian.

 

[UFHH01]

Hi Hans Huckebein,

@UFHH01 are the links you mentioned #2/#11 are still valid or is there anything one should additionally care of.

You can still use the recommendations, as they are valid up to the current Plesk version and you shouldn't have any issues to adapt it to any Plesk - supported operating system. Pls. let me know if you experience issues/errors/problems, so that we are able to analyze the root cause together with you.

 

[Hans Huckebein]

Thanks.
Here is what is now in my master.cf file (the bold lines the ones I've added).
For better reading I'v put every option on a separate line. Before it was one line.

plesk-domain1.de-xx.xxx.xxx.xxx- unix - n n - - smtp
-o smtpd_tls_key_file=/etc/postfix/keys/domain1t.de.key
-o smtpd_tls_cert_file=/etc/postfix/keys/domain1.de.crt
-o smtp_bind_address=xx.xxx.xxx.xxx
-o smtp_bind_address6=
-o smtp_address_preference=ipv4
-o smtp_helo_name=domain1.de
-o myhostname=mail.domain1.de
plesk-domain2.de-xx.xxx.xxx.xxx- unix - n n - - smtp
-o smtpd_tls_key_file=/etc/postfix/keys/domain2.de.key
-o smtpd_tls_cert_file=/etc/postfix/keys/domain2.de.crt
-o smtp_bind_address=xx.xxx.xxx.xxx
-o smtp_bind_address6=
-o smtp_address_preference=ipv4
-o smtp_helo_name=domain2
-o myhostname=mail.domain2.de

submission inet n - - - - smtpd
-o smtpd_enforce_tls=yes
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

after postfix reload I can see that for all
openssl s_client -CApath /etc/postfix/keys -starttls commands the postfix.pem file is used.

Are there further changes necessary to the main.cf file?

 

[UFHH01]

Hi Hans Huckebein,

openssl s_client -CApath /etc/postfix/keys -starttls commands the postfix.pem file is used.

... which is the expected result for your command!

If you desire to check the IP/domain specific setting, pls. use a command as for example:

openssl s_client -CApath /etc/postfix/keys -connect mail.YOUR-DOMAIN.COM:smtps

In addition, pls. use for example:

    -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-DOMAIN.COM/privkey.pem
    -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-DOMAIN.COM/cert.pem
    -o smtp_tls_CAfile=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-DOMAIN.COM/fullchain.pem

... if you use Let's Encrypt certificates for example.

 

[Hans Huckebein]

for "openssl s_client -CApath /etc/postfix/keys -connect mail.YOUR-DOMAIN.COM:smtps"
getservbyname failure for smtps

for the command
openssl s_client -CApath /etc/postfix/keys -starttls pop3 -crlf -connect mail.domain1.de:110
openssl s_client -CApath /etc/postfix/keys -starttls smtp -crlf -connect mail.domain1.de:25
openssl s_client -CApath /etc/postfix/keys -starttls imap -crlf -connect mail.domain1.de:143

I see a connections but it shows a certificate for mail.domain2.de instead of domain1.de

 

[UFHH01]

Hi Hans Huckebein,

pop3 and imap are configured over dovecot or imap-courier:

Pls. see the example post => #26​

 

[Hans Huckebein]

Mmh. A bit lost.
At the moment I have in /etc/dovecot/private a
- dovecot.pem (private key, cert, CA cert) and
- ssl-cert-and-key.pem (seems to be some default plesk one)

Q: Shall I put my config in /etc/dovecot/conf.d?
I didn't get the point with the number in #26
For every domain (in my case 2) do I have to provide
local mail.domain1.de { protocol imap, pop3, imaps, pop3s }
local imap.domain1.de { protocol imap, pop3, imaps, pop3s }
local pop3.domain1.de { protocol imap, pop3, imaps, pop3s }
and respectively for domain2?

For every protocol I configure where it finds cert/key/ca
Do I have to follow the naming convention 007-pop3-YOUR-DOMAIN.COM-CERT here?

protocol pop3s {
ssl_cert = </etc/dovecot/private/007-pop3-YOUR-DOMAIN.COM-CERT
ssl_key = </etc/dovecot/private/006-pop3-YOUR-DOMAIN.COM-KEY
ssl_ca = </etc/dovecot/private/001-ROOT-CA_and_Intermediate-CA-CERT
ssl = yes
}

Sry for all the questions. It more a task for experts not for beginners. But what shall I do if Plesk has no UI configurable solution.
Thanks a lot for your effort

Bernd

 

[UFHH01]

Hi Hans Huckebein,

(seems to be some default plesk one)

You are able to CHECK this at your "/etc/dovecot/dovecot.conf".

Q: Shall I put my config in /etc/dovecot/conf.d?

WHERE you put additional configuration, is totally up to you. Just make sure, that the path is included at your "dovecot.conf".

For every domain (in my case 2) do I have to provide
local mail.domain1.de { protocol imap, pop3, imaps, pop3s }
local imap.domain1.de { protocol imap, pop3, imaps, pop3s }
local pop3.domain1.de { protocol imap, pop3, imaps, pop3s }
and respectively for domain2?

The example shows only the setting for ONE domain. If you desire to configure additional domains, you would certainly use corresponding settings for each of them.

Do I have to follow the naming convention 007-pop3-YOUR-DOMAIN.COM-CERT here?

No... the example is just an EXAMPLE... how you name files is totally up to you.

 

[Hans Huckebein]

Okay. IMAP/POP3 are up and running.
Trying to connect to domain1.de with
openssl s_client -CApath /etc/postfix/keys -starttls smtp -crlf -connect domain1.de:25
connects but shows the certificate for domain2.de
report and master.cf follows
------------------ report ---------------------
CONNECTED(00000003)

depth=1 /C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/CN=domain2
i:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
1 s:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
// removed
-----END CERTIFICATE-----
subject=/CN=domain2.de
issuer=/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 3717 bytes and written 363 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE

SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: A63782CF6C0D05C0C385A40808AAEDE11A9E03A1E842B84FFF21B8AE11EF4D3E
Session-ID-ctx:
Master-Key: SomeMasterKey
Key-Arg : None
Start Time: 1501076188
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
250 DSN

------------------ master.cf ---------------------
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: Postfix manual - master(5)).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - - - - smtpd
#smtp inet n - - - 1 postscreen
#smtpd pass - - - - - smtpd
#dnsblog unix - - - - 0 dnsblog
#tlsproxy unix - - - - 0 tlsproxy
#submission inet n - - - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - - - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - - - - qmqpd
cleanup unix n - - - 0 cleanup
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe flags=R user=list:list argv=/usr/lib/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}


plesk_virtual unix - n n - - pipe flags=DORhu user=popuseropuser argv=/usr/lib/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p /var/qmail/mailnames
pickup fifo n - - 60 1 pickup
qmgr fifo n - n 1 1 qmgr
smtps inet n - - - - smtpd -o smtpd_tls_wrappermode=yes

plesk_saslauthd unix y y y - 1 plesk_saslauthd status=5 listen=6 dbpath=/plesk/passwd.db



plesk-domain1.de-yy.yyy.yyy.yyy- unix - n n - - smtp
-o smtpd_tls_key_file=/etc/postfix/keys/domain1.de.key
-o smtpd_tls_cert_file=/etc/postfix/keys/domain1.de.crt
-o smtp_bind_address=yy.yyy.yyy.yyy
-o smtp_bind_address6=
-o smtp_address_preference=ipv4
-o smtp_helo_name=domain1.de
-o myhostname=mail.domain1.de
plesk-domain2.de-xx.xxx.xxx.xxx- unix - n n - - smtp
-o smtpd_tls_key_file=/etc/postfix/keys/domain2.de.key
-o smtpd_tls_cert_file=/etc/postfix/keys/domain2.de.crt
-o smtp_bind_address=xx.xxx.xxx.xxx
-o smtp_bind_address6=
-o smtp_address_preference=ipv4
-o smtp_helo_name=domain2.de
-o myhostname=mail.domain2.de


submission inet n - - - - smtpd
-o smtpd_enforce_tls=yes
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

 

[UFHH01]

Hi Hans Huckebein,

here you go again with my EXAMPLE recommendations for your "master.cf":

# ======================================================================================
# Special hostname configurations to fit SMTP banner and certificates - port 25
# ======================================================================================
localhost:smtp inet n - - - - smtpd
    -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM/privkey.pem
    -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM/cert.pem
    -o smtp_tls_CAfile=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM/fullchain.pem
    -o smtp_helo_name=YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM
    -o myhostname=base.YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM
    -o cleanup_service_name=pre-cleanup
  
XXX.XXX.XXX.XXX(MAIN-IP-ON-YOUR-SERVER):smtp inet n - - - - smtpd
    -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM/privkey.pem
    -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM/cert.pem
    -o smtp_tls_CAfile=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM/fullchain.pem
    -o smtp_helo_name=YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM
    -o myhostname=mail.YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM
    -o cleanup_service_name=pre-cleanup
  
XXX.XXX.XXX.XXX(SECOND-IP-ON-YOUR-SERVER):smtp inet n - - - - smtpd
    -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-MAIN-DOMAIN-FOR-YOUR-SECOND-IP.COM/privkey.pem
    -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-MAIN-DOMAIN-FOR-YOUR-SECOND-IP.COM/cert.pem
    -o smtp_tls_CAfile=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-MAIN-DOMAIN-FOR-YOUR-SECOND-IP.COM/fullchain.pem
    -o smtp_helo_name=YOUR-MAIN-DOMAIN-FOR-YOUR-SECOND-IP.COM
    -o myhostname=mail.YOUR-MAIN-DOMAIN-FOR-YOUR-SECOND-IP.COM
    -o cleanup_service_name=pre-cleanup
  
# ======================================================================================
# Special hostname configurations to fit SMTP banner and certificates - port 465
# ======================================================================================
localhost:smtps   inet n - - - - smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM/privkey.pem
    -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM/cert.pem
    -o smtp_tls_CAfile=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM/fullchain.pem
    -o smtp_helo_name=YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM
    -o myhostname=base.YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM
      
XXX.XXX.XXX.XXX(MAIN-IP-ON-YOUR-SERVER):smtps   inet n - - - - smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM/privkey.pem
    -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM/cert.pem
    -o smtp_tls_CAfile=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM/fullchain.pem
    -o smtp_helo_name=YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM
    -o myhostname=mail.YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM
  
XXX.XXX.XXX.XXX(SECOND-IP-ON-YOUR-SERVER):smtps   inet n - - - - smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-MAIN-DOMAIN-FOR-YOUR-SECOND-IP.COM/privkey.pem
    -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-MAIN-DOMAIN-FOR-YOUR-SECOND-IP.COM/cert.pem
    -o smtp_tls_CAfile=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-MAIN-DOMAIN-FOR-YOUR-SECOND-IP.COM/fullchain.pem
    -o smtp_helo_name=YOUR-MAIN-DOMAIN-FOR-YOUR-SECOND-IP.COM
    -o myhostname=mail.YOUR-MAIN-DOMAIN-FOR-YOUR-SECOND-IP.COM
  
# ======================================================================================
# Special hostname configurations to fit SMTP banner and certificates - port 587
# ======================================================================================
localhost:submission inet n - - - - smtpd
    -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM/privkey.pem
    -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM/cert.pem
    -o smtp_tls_CAfile=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM/fullchain.pem
    -o smtpd_tls_dh1024_param_file=/etc/postfix/dhparam2048.pem
    -o smtpd_enforce_tls=yes
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtp_helo_name=YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM
    -o myhostname=mail.YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM

XXX.XXX.XXX.XXX(MAIN-IP-ON-YOUR-SERVER):submission inet n - - - - smtpd
    -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM/privkey.pem
    -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM/cert.pem
    -o smtp_tls_CAfile=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM/fullchain.pem
    -o smtpd_tls_dh1024_param_file=/etc/postfix/dhparam2048.pem
    -o smtpd_enforce_tls=yes
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtp_helo_name=YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM
    -o myhostname=mail.YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM

XXX.XXX.XXX.XXX(SECOND-IP-ON-YOUR-SERVER):submission inet n - - - - smtpd
    -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-MAIN-DOMAIN-FOR-YOUR-SECOND-IP.COM/privkey.pem
    -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-MAIN-DOMAIN-FOR-YOUR-SECOND-IP.COM/cert.pem
    -o smtp_tls_CAfile=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-MAIN-DOMAIN-FOR-YOUR-SECOND-IP.COM/fullchain.pem
    -o smtpd_tls_dh1024_param_file=/etc/postfix/dhparam2048.pem
    -o smtpd_enforce_tls=yes
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtp_helo_name=YOUR-MAIN-DOMAIN-FOR-YOUR-SECOND-IP.COM
    -o myhostname=mail.YOUR-MAIN-DOMAIN-FOR-YOUR-SECOND-IP.COM

# ======================================================================================
# Special hostname configurations to fit SMTP banner and certificates - Plesk-modified
# ======================================================================================
plesk-YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM-XXX.XXX.XXX.XXX(MAIN-IP-ON-YOUR-SERVER)- unix - n n - - smtp
    -o smtpd_tls_dh1024_param_file=/etc/postfix/dhparam2048.pem
    -o smtpd_enforce_tls=yes
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM/privkey.pem
    -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM/cert.pem
    -o smtpd_tls_CAfile=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM/cert.pem
    -o smtp_bind_address=XXX.XXX.XXX.XXX(MAIN-IPv4-ON-YOUR-SERVER)
    -o smtp_bind_address6=XXX.XXX.XXX.XXX(MAIN-IPv6-ON-YOUR-SERVER)  
    -o smtp_address_preference=ipv4
    -o smtp_helo_name=YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM
    -o myhostname=mail.YOUR-MAIN-DOMAIN-FOR-YOUR-MAIN-IP.COM
    -o cleanup_service_name=pre-cleanup

plesk-YOUR-MAIN-DOMAIN-FOR-YOUR-SECOND-IP.COM-XXX.XXX.XXX.XXX(SECOND-IP-ON-YOUR-SERVER)- unix - n n - - smtp
    -o smtpd_tls_dh1024_param_file=/etc/postfix/dhparam2048.pem
    -o smtpd_enforce_tls=yes
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-MAIN-DOMAIN-FOR-YOUR-SECOND-IP.COM/privkey.pem
    -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-MAIN-DOMAIN-FOR-YOUR-SECOND-IP.COM/cert.pem
    -o smtpd_tls_CAfile=/usr/local/psa/var/modules/letsencrypt/etc/live/YOUR-MAIN-DOMAIN-FOR-YOUR-SECOND-IP.COM/cert.pem
    -o smtp_bind_address=XXX.XXX.XXX.XXX(SECOND-IPv4-ON-YOUR-SERVER)
    -o smtp_bind_address6=XXX.XXX.XXX.XXX(SECOND-IPv6-ON-YOUR-SERVER)  
    -o smtp_address_preference=ipv4
    -o smtp_helo_name=YOUR-MAIN-DOMAIN-FOR-YOUR-SECOND-IP.COM
    -o myhostname=mail.YOUR-MAIN-DOMAIN-FOR-YOUR-SECOND-IP.COM
    -o cleanup_service_name=pre-cleanup

 

[Hans Huckebein]

got fatal: bind 127.0.0.1 port 25: Address already in use with the configuration above.
if I out-comment all localhost settings and try it again I get the same error message for one the IP Adresses.

 

[UFHH01]

Hi Hans Huckebein,

got fatal: bind 127.0.0.1 port 25: Address already in use with the configuration above.
if I out-comment all localhost settings and try it again I get the same error message for one the IP Adresses.

Such issues appear, if you forgot to comment out earlier configurations, which interfere with your new configuration.

For example, you might have:

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp       inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
submission inet n       -       y       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       y       -       -       smtpd
...

on top of your "master.cf", which certainly doesn't work the expected way, if you don't comment out

...
smtp       inet  n       -       y       -       -       smtpd
...
submission inet n       -       y       -       -       smtpd
...
smtps     inet  n       -       y       -       -       smtpd
...

after you added the above ( additional ) suggestion, to fit your needs.



If you experience further issues/errors/problems, pls. don't forget to add YOUR "main.cf" + "master.cf" as attachments, so that people willing to help you have something to start with their investigations. It could help as well to add the lastest entries from your "mail.log", after you restarted postfix with your new configuration files!

 

[Hans Huckebein]

Many thanks and I'm getting closer
commented out the thing you suggested.
Results
tried openssl s_client -CApath /etc/postfix/keys -starttls smtp -crlf -connect ... // on port 25/465/587 with different results
port 25 CONNECTED(00000003) // with loads of information
port 465 CONNECTED(00000003) // nothing following
port 587 CONNECTED(00000003) // but
929:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.50.6/src/ssl/s23_clnt.c:618:

running systemctl status postfix it reported
Jul 30 16:49:58 h2231431.stratoserver.net postfix/cleanup[4808]: D2512741656: message-id=<[email protected]>
Jul 30 16:49:58 h2231431.stratoserver.net postfix/qmgr[4802]: D2512741656: from=<[email protected]>, size=1107, nrcpt=1 (queue active)
Jul 30 16:49:58 h2231431.stratoserver.net postfix/local[4810]: B5E1B741644: to=<[email protected]>, orig_to=<postmaster>, relay=local, delay=0.23, delays=0.11/0.01/0/0.1, dsn=2.0.0, status=sent (forwarded as D2512741656)
Jul 30 16:49:58 h2231431.stratoserver.net postfix/qmgr[4802]: B5E1B741644: removed
Jul 30 16:49:58 h2231431.stratoserver.net postfix-local[4812]: postfix-local: [email protected], [email protected], dirname=/var/qmail/mailnames
Jul 30 16:49:59 h2231431.stratoserver.net dk_check[4813]: Starting the dk_check filter...
Jul 30 16:49:59 h2231431.stratoserver.net dk_check[4813]: DKIM verify result: Message is not signed
Jul 30 16:49:59 h2231431.stratoserver.net dovecot[4816]: service=lda, [email protected], ip=[]. msgid=<[email protected]>: saved mail to INBOX
Jul 30 16:49:59 h2231431.stratoserver.net postfix/pipe[4811]: D2512741656: to=<[email protected]>, orig_to=<postmaster>, relay=plesk_virtual, delay=0.47, delays=0.1/0.01/0/0.35, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Jul 30 16:49:59 h2231431.stratoserver.net postfix/qmgr[4802]: D2512741656: removed

Don't know if it has something to do with it.
Attached main.cf and master.cf

 

[UFHH01]

Hi Hans Huckebein,

for the domain "berndrabe.de", you have the following issue:

subject= /CN=berndrabe.de
issuer= /C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2

Cert VALIDATION ERROR(S): unable to get local issuer certificate, certificate not trusted, unable to verify the first certificate

Suggestion: Pls. check again your certificates, as you missed to use the correct "Intermediate" certificate.


For the domain "das-rabennest.de" you have the following issue:

subject= /CN=www.das-rabennest.de
issuer= /C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2

Cert VALIDATION ERROR(S): unable to get local issuer certificate, certificate not trusted, unable to verify the first certificate

AND ( what is even worse! ), you can't secure a NON-WILDCARD certificate for the domain "www.das-rabennest.de" for the domain "mail.das-rabennest.de".
Suggestion: Pls. check again your certificates, as you missed to use the correct "Intermediate" certificate and pls. use a VALID certificate for your MAIL - domain.

 

[mr-wolf]

5 years ago I wrote this script that I'm still using from time to time.

Very easy to check a certificate:

Check certificate of a server

 

[Hans Huckebein]

Hi Hans Huckebein,

for the domain "berndrabe.de", you have the following issue:

Suggestion: Pls. check again your certificates, as you missed to use the correct "Intermediate" certificate.


For the domain "das-rabennest.de" you have the following issue:

AND ( what is even worse! ), you can't secure a NON-WILDCARD certificate for the domain "www.das-rabennest.de" for the domain "mail.das-rabennest.de".
Suggestion: Pls. check again your certificates, as you missed to use the correct "Intermediate" certificate and pls. use a VALID certificate for your MAIL - domain.

Corrected master.cf (myhostname) and the mistake in the "full-chain.pem". Works now.
Thanks a lot again for the effort