Hi,

I think I'm having a problem with my certificate for submission not being
configured properly. I'm trying to install roundcube but having a problem
with properly configuring the cert for submission, and when using openssl
to check, it reports a cert problem. This is a cert from Digicert.

openssl s_client -starttls smtp -connect mail.example.com:587
CONNECTED(00000003)
depth=0 C = US, ST = Arizona, L = Example, O = Example Inc, CN =
mail.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = Arizona, L = Example, O = Example Inc, CN =
mail.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = US, ST = Arizona, L = Example, O = Example Inc, CN =
mail.example.com
verify return:1

Certificate chain
 0 s:C = US, ST = Arizona, L = Example, O = Example Inc, CN =
mail.example.com
   i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 14 00:00:00 2023 GMT; NotAfter: Jan 31 23:59:59 2024 GMT
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)

Regular email client users have no problem, but it still looks like
something is missing.

When going through the roundcube config process, it fails to connect for
what also looks like a cert problem. This is from "smtpd -v" output:

Oct  5 15:49:21 cipher postfix/submission/smtpd[1509791]: TLS SNI
cipher.example.com from cipher.example.com[209.216.111.60] not matched,
using default chain
Oct  5 16:04:56 cipher postfix/submission/smtpd[1524779]: SSL_accept error
from cipher.example.com[209.216.111.60]: -1
Oct  5 16:04:56 cipher postfix/submission/smtpd[1524779]: warning: TLS
library problem: error:0A000418:SSL routines::tlsv1 alert unknown
ca:ssl/record/rec_layer_s3.c:1586:SSL alert number 48:

I'm also using tls_server_sni_maps to support multiple domains. I've also
tried concatenating the digicert crt file and the DigiCertCA.crt to create
the mail.example.com-2023.crt chain file below.

$ postconf -n |grep tls
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_security_level = may
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_chain_files =
/var/www/mail.example.com-443/ssl/mail.example.com-2023.key,
/var/www/mail.example.com-443/ssl/mail.example.com-2023.crt
smtpd_tls_exclude_ciphers = MD5, RC4, 3DES, IDEA, SEED, aNULL
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map

/etc/postfix/vmail_ssl.map:
clients.example1.com     /etc/letsencrypt/privkey.pem /etc/letsencrypt/fullchain.cer
mail.example.com         /var/www/mail.example.com-443/ssl/mail.example.com-2023.key /var/www/mail.example.com-443/ssl/mail.example.com-2023.crt

$ ls -l *vmail*
-rw-r--r-- 1 root root   468 May 14 10:53 vmail_ssl.map
-rw-r--r-- 1 root root 36864 Aug  7 06:18 vmail_ssl.map.db

$ postconf -fM
...
submission inet  n       -       n       -       -       smtpd -v
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
    -o receive_override_options=$submission_overrides
    -o smtp_tls_mandatory_protocols=TLSv1
    -o syslog_name=postfix/submission

I've also tried using "localhost" and "mail.example.com" and the actual
hostname in the roundcube config:
$config['smtp_host'] = 'tls://cipher.example.com:587';

Thank you so much for any ideas.
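A server that presents only its leaf certificate gets exactly the "unable to verify the first certificate" (code 21) that the openssl output above shows, so a quick local check of each key/chain pair is worth having. The POSIX shell checker below is added to this thread; it is not from the original post or from Postfix, and the function names and the optional CAFILE argument are my own. It checks a pair in the order Postfix expects for smtpd_tls_chain_files and tls_server_sni_maps (key, then leaf certificate, then the issuing intermediates).

```shell
#!/bin/sh
# check_chain.sh -- added helper for sanity-checking a Postfix key/chain pair
# of the kind listed in smtpd_tls_chain_files or in a tls_server_sni_maps entry.
# Not part of Postfix or of the original post; function names are hypothetical.
#
# usage: check_chain KEYFILE CHAINFILE [CAFILE]
#   KEYFILE    private key (PEM)
#   CHAINFILE  leaf certificate first, then intermediate CA cert(s) (PEM)
#   CAFILE     optional trust root(s) for a full `openssl verify`
# Exit status 0 means every check passed; each failure prints its reason.

# Print the N-th PEM certificate block of a bundle (1-based).
nth_cert() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{c++} c==n{print}
                   /-----END CERTIFICATE-----/{if(c==n)exit}' "$1"
}

# Strip the "subject=" / "issuer=" prefix so the two DNs compare cleanly.
dn() { sed 's/^[a-z]*=//'; }

check_chain() {
    key=$1; chain=$2; cafile=$3; rc=0

    # 1. The private key must belong to the first (leaf) certificate.
    pub_key=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    pub_crt=$(openssl x509 -in "$chain" -pubkey -noout 2>/dev/null)
    [ -n "$pub_key" ] && [ "$pub_key" = "$pub_crt" ] \
        || { echo "FAIL: $key does not match the leaf certificate in $chain"; rc=1; }

    # 2. A leaf on its own is what strict clients reject with verify code 21:
    #    the issuing intermediate has to be in the same file, after the leaf.
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$chain" || true)
    if [ "$count" -lt 2 ]; then
        echo "FAIL: $chain holds $count certificate(s); the intermediate CA is missing"
        rc=1
    else
        # 3. Leaf issuer DN must equal the subject DN of the second certificate,
        #    otherwise the bundle is in the wrong order or carries the wrong CA.
        issuer=$(openssl x509 -in "$chain" -noout -issuer | dn)
        subject=$(nth_cert "$chain" 2 | openssl x509 -noout -subject | dn)
        [ "$issuer" = "$subject" ] \
            || { echo "FAIL: leaf issuer '$issuer' != 2nd cert subject '$subject'"; rc=1; }
    fi

    # 4. Optional: verify the leaf the way a client trusting CAFILE would.
    if [ -n "$cafile" ]; then
        openssl verify -CAfile "$cafile" -untrusted "$chain" "$chain" >/dev/null 2>&1 \
            || { echo "FAIL: chain does not verify against $cafile"; rc=1; }
    fi
    return $rc
}
```

Running it over the default smtpd_tls_chain_files pair and over every entry in the SNI map shows which pair, if any, is missing its DigiCert intermediate or has its key and certificate mismatched.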
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org