Hi, I think I'm having a problem with my certificate for submission not being configured properly. I'm trying to install roundcube but having a problem with properly configuring the cert for submission, but when using openssl to check, it reports a cert problem. This is a cert from Digicert.
openssl s_client -starttls smtp -connect mail.example.com:587
CONNECTED(00000003)
depth=0 C = US, ST = Arizona, L = Example, O = Example Inc, CN = mail.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = Arizona, L = Example, O = Example Inc, CN = mail.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = US, ST = Arizona, L = Example, O = Example Inc, CN = mail.example.com
verify return:1
Certificate chain
 0 s:C = US, ST = Arizona, L = Example, O = Example Inc, CN = mail.example.com
   i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 14 00:00:00 2023 GMT; NotAfter: Jan 31 23:59:59 2024 GMT
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)

Regular email client users have no problem, but it still looks like something is missing. When going through the roundcube config process, it fails to connect for what also looks like a cert problem. This is from "smtpd -v" output:

Oct 5 15:49:21 cipher postfix/submission/smtpd[1509791]: TLS SNI cipher.example.com from cipher.example.com[209.216.111.60] not matched, using default chain
Oct 5 16:04:56 cipher postfix/submission/smtpd[1524779]: SSL_accept error from cipher.example.com[209.216.111.60]: -1
Oct 5 16:04:56 cipher postfix/submission/smtpd[1524779]: warning: TLS library problem: error:0A000418:SSL routines::tlsv1 alert unknown ca:ssl/record/rec_layer_s3.c:1586:SSL alert number 48:

I'm also using tls_server_sni_maps to support multiple domains. I've also tried concatenating the digicert crt file and the DigiCertCA.crt to create the mail.example.com-2023.crt chain file below.
$ postconf -n | grep tls
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_security_level = may
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_chain_files = /var/www/mail.example.com-443/ssl/mail.example.com-2023.key, /var/www/mail.example.com-443/ssl/mail.example.com-2023.crt
smtpd_tls_exclude_ciphers = MD5, RC4, 3DES, IDEA, SEED, aNULL
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map

/etc/postfix/vmail_ssl.map:
clients.example1.com /etc/letsencrypt/privkey.pem /etc/letsencrypt/fullchain.cer
mail.example.com /var/www/mail.example.com-443/ssl/mail.example.com-2023.key /var/www/mail.example.com-443/ssl/mail.example.com-2023.crt

$ ls -l *vmail*
-rw-r--r-- 1 root root   468 May 14 10:53 vmail_ssl.map
-rw-r--r-- 1 root root 36864 Aug  7 06:18 vmail_ssl.map.db

$ postconf -fM
...
submission inet n - n - - smtpd -v
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
    -o receive_override_options=$submission_overrides
    -o smtp_tls_mandatory_protocols=TLSv1
    -o syslog_name=postfix/submission

I've also tried using "localhost" and "mail.example.com" and the actual hostname in the roundcube config:

$config['smtp_host'] = 'tls://cipher.example.com:587';

Thank you so much for any ideas.
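A small diagnostic added here (not part of the original post, and not Postfix or Roundcube code) that turns the two observations above into a verdict: it counts how many certificates the server actually presented in an "openssl s_client -starttls smtp" transcript, reads the "Verify return code", and counts the certificates in the chain file on disk. "Verify return code: 21" with a single chain element means the client only received the leaf certificate, which is why a client that lacks the intermediate CA answers with "alert unknown ca" (SSL alert 48). The transcript and the PEM file below are constructed samples with placeholder bodies; the path of the real chain file is whatever smtpd_tls_chain_files or the SNI map names.

```shell
#!/bin/sh
# Added example, not from the original post. Parses an s_client transcript and
# a PEM chain file to tell "server sends only its leaf certificate" apart from
# "the chain file itself is incomplete". All sample data here is constructed.

# Constructed sample: the chain-related lines of an s_client transcript in
# which the server presents one certificate and verification fails with 21.
SCLIENT_SAMPLE='CONNECTED(00000003)
depth=0 C = US, ST = Arizona, L = Example, O = Example Inc, CN = mail.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate chain
 0 s:C = US, ST = Arizona, L = Example, O = Example Inc, CN = mail.example.com
   i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
---
Verify return code: 21 (unable to verify the first certificate)'

# Constructed sample chain file: two placeholder PEM blocks standing in for the
# leaf certificate followed by its issuing (intermediate) CA certificate.
CHAIN_SAMPLE=$(mktemp)
trap 'rm -f "$CHAIN_SAMPLE"' EXIT
cat > "$CHAIN_SAMPLE" <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-CERTIFICATE-BODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE-CA-CERTIFICATE-BODY
-----END CERTIFICATE-----
EOF

# How many certificates the server sent: one " N s:" line per chain element.
sent_cert_count() {
    printf '%s\n' "$1" | grep -c '^ *[0-9][0-9]* s:' || true
}

# The numeric "Verify return code" (0 means the chain verified locally).
verify_code() {
    printf '%s\n' "$1" | sed -n 's/^Verify return code: \([0-9][0-9]*\).*/\1/p'
}

# How many certificates a PEM file on disk contains.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Combine the three observations into a one-line verdict.
# $1 = s_client transcript text, $2 = path of the chain file the server should serve.
diagnose() {
    sent=$(sent_cert_count "$1")
    code=$(verify_code "$1")
    on_disk=$(pem_cert_count "$2")
    if [ "$code" = "0" ]; then
        echo "ok: server chain verifies"
    elif [ "$sent" -le 1 ] && [ "$code" = "21" ]; then
        if [ "$on_disk" -ge 2 ]; then
            echo "leaf-only: file has $on_disk certs but server sent $sent; the running server is not serving this file (not reloaded since it changed, or another chain was selected for this SNI name)"
        else
            echo "leaf-only: file has $on_disk cert; the issuing CA certificate must follow the leaf in the chain file"
        fi
    else
        echo "unverified: code ${code:-none} after $sent certificate(s) sent"
    fi
}

diagnose "$SCLIENT_SAMPLE" "$CHAIN_SAMPLE"
```

For a live check, capture the transcript with `openssl s_client -starttls smtp -connect mail.example.com:587 -servername mail.example.com </dev/null 2>/dev/null` and pass it as the first argument. The `-servername` value matters here: it is the SNI name Postfix looks up in tls_server_sni_maps, and the "TLS SNI cipher.example.com ... not matched, using default chain" log line above means that for that name the server fell back to the files in smtpd_tls_chain_files rather than a map entry, so the name Roundcube connects to and the name openssl is pointed at may be served different chains.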
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org