Wayne Spivak:
> Hi Wietse,
>
> It's been a very long time since we communicated.
>
> This from SSL Labs states "self-signed":
>
> Path #1: Not trusted (path does not chain to a trusted anchor)
> 1 Sent by server mcq.sbanetweb.com
> Fingerprint SHA256:
> 1b48d54fd173fa980ca0ba8e2bbb5aabce3bbb9faf67bae4f375816155699efe
> Pin SHA256: D9BrKzFpjkpGhv91bgkZqQIWlqPNIHPHmIhYYwDChGY=
> RSA 2048 bits (e 65537) / SHA256withRSA
> 2 Sent by server
> Not in trust store mcq.sbanetweb.com Self-signed
> Fingerprint SHA256:
> 1ff50fe2d898b639ee07e668b4a4acf5c3f878539a24be6edc3cc011991a9db3
> Pin SHA256: 2gJ7C4jfxgMQJMF09EznMu8UGd5sdBmQDyPrv5pIcHU=
> RSA 4096 bits (e 65537) / SHA256withRSA
>
> If it is an Intermediate, I refer to my original email, "where am I going
> wrong".

Are you sure that this test connected to port 25, not 443?

        Wietse

> Wayne
>
> -----Original Message-----
> From: [email protected] <[email protected]> On
> Behalf Of Wietse Venema
> Sent: Wednesday, January 19, 2022 1:03 PM
> To: Wayne Spivak <[email protected]>
> Cc: [email protected]
> Subject: Re: TLS returning self-signed cert
>
> Wayne Spivak:
> > My Postfix Server 3.6.2 running on a newly created Fedora 35 is
> > returning self-signed SSL certs, where none were configured.
>
> Why do you believe that this is a self-signed certificate?
>
> Isn't this an issue where the server returns a leaf certificate without
> intermediate certificates?
>
> Wietse
>
> > We're using a multi-cert Entrust certificate. All domains on the box
> > get email from one single mx domain.
> >
> > To be clear TLS works, but if I run SSL Labs report it comes back as
> > Not being Trusted.
> >
> > Running CheckTLS.com, this is the error
> >
> > Certificate #1 of 1 (sent by MX):
> > Cert VALIDATION ERROR(S): unable to get local issuer
> > certificate This may help: What Is An Intermediate Certificate
> > So email is encrypted but the recipient domain is not verified
> > ...
> > TLS successfully started on this server
> >
> > I have all files in the same directory, ServerCert.pem (from Entrust),
> > Bundle2.crt (from Entrust), CA-combines (private key/Server Cert).
> >
> > No other file is configured in either Dovecot 2.3.17.1 (476cd46418)
> > points to the same directory and files.
> >
> > The Cert serial number is coming back wrong using SSL Labs, but a web
> > site (on same server) returns the correct serial number (remember
> > everything points to the same files)
> >
> > I've confirmed the Cert is correct and the private key as well.
> >
> > I've tried changing the CAFile to include/not include Server
> > Certificate, Intermediate, Root, Private Key and either TLS dies, or
> > it "works", but the above error is obtained.
> >
> > I'm at a dead-end as far as researching the error goes.
> >
> > Where am I going wrong..
>
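
An added example, not part of the original thread: a shell function that takes the certificates a server presented and tells apart the two cases raised above, a self-signed certificate versus a leaf sent without its intermediates. The function names, `sent.pem`, `HOST` and the throwaway test PKI are assumptions constructed for illustration.

```shell
# Capture what the MX sends on port 25 (HOST is a placeholder), then classify it:
#   openssl s_client -starttls smtp -connect HOST:25 -showcerts </dev/null >sent.pem
#   classify_chain sent.pem

# Prints one of: no-certificates | self-signed-leaf |
#                leaf-only-missing-intermediates | leaf-plus-N-chain-certs
classify_chain() (
    dir=$(mktemp -d) || exit 2
    # Split the capture into one file per certificate, in the order sent;
    # the text s_client prints around the PEM blocks is ignored.
    awk -v d="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%02d.pem", d, n) }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }' "$1"
    n=$(ls "$dir" | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then
        result="no-certificates"
    else
        # Heuristic: a first certificate whose subject equals its issuer is
        # reported as self-signed (the signature itself is not verified here).
        subject=$(openssl x509 -in "$dir/01.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
        issuer=$(openssl x509 -in "$dir/01.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
        if [ "$subject" = "$issuer" ]; then result="self-signed-leaf"
        elif [ "$n" -eq 1 ]; then result="leaf-only-missing-intermediates"
        else result="leaf-plus-$((n - 1))-chain-certs"
        fi
    fi
    rm -rf "$dir"
    echo "$result"
)

# Constructed throwaway PKI for trying the function offline:
# CA "Example Test CA" signs leaf "mail.example.test"; files land in directory $1.
make_samples() (
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null &&
    cat "$d/leaf.pem" "$d/ca.pem" > "$d/full.pem"
)
```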