In general: Lots of mail servers out in the wild do not require TLS or even bother to verifying TLS certificates when connecting to a remote server on port 25.
However, desktop and mobile email *clients* tend to be much stricter about verifying server certificates when connecting via SSL or TLS, mainly to protect user passwords. Sometimes the server certificate needs to be presented with a "full chain" appended to it for verification. That has been an issue before when I've used some certs, particularly StartSSL before Letsencrypt started offering free certs. On February 8, 2022 5:53:34 AM AKST, Wayne Spivak <wspi...@sbanetweb.com> wrote: >Hi - > > > >I am running Postfix 3.6.4 with Dovecot 2.3.17.1 (476cd46418). > > > >I have a multi-signed cert from Entrust. > > > >The cert works fine on port 25. > > > >However, on Port 587 I get an error: c > > > >[root@mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993 -servername >mcq.sbanetweb.com > >CONNECTED(00000003) > >depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = >mcq.sbanetweb.com > >verify error:num=20:unable to get local issuer certificate > >verify return:1 > >depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = >mcq.sbanetweb.com > >verify error:num=21:unable to verify the first certificate > >verify return:1 > >depth=0 C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = >mcq.sbanetweb.com > >verify return:1 > >--- > >Certificate chain > >0 s:C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = >mcq.sbanetweb.com > > i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms ><http://www.entrust.net/legal-terms> , OU = "(c) 2012 Entrust, Inc. - for >authorized use only", CN = Entrust Certification Authority - L1K > > > > > >[root@mcq wbs]# dovecot -n > ># 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf > ># OS: Linux 5.16.5-200.fc35.x86_64 x86_64 Fedora release 35 (Thirty Five) > ># Hostname: mcq.sbanetweb.com > >auth_mechanisms = plain login > >disable_plaintext_auth = no > >mbox_write_locks = fcntl > >namespace inbox { > > inbox = yes > > location = > > mailbox Drafts { > > special_use = \Drafts > > } > > mailbox Junk { > > special_use = \Junk > > } > > mailbox Sent { > > special_use = \Sent > > } > > mailbox "Sent Messages" { > > special_use = \Sent > > } > > mailbox Trash { > > special_use = \Trash > > } > > prefix = > >} > >passdb { > > driver = pam > >} > >protocols = imap > >service auth { > > unix_listener /var/spool/postfix/private/auth { > > group = postfix > > mode = 0666 > > user = postfix > > } > > unix_listener auth-userdb { > > group = postfix > > mode = 0666 > > user = postfix > > } > >} > >service imap-login { > > inet_listener imap { > > port = 143 > > } > > inet_listener imaps { > > port = 993 > > ssl = yes > > } > >} > >service submission-login { > > inet_listener submission { > > port = 587 > > } > >} > >ssl = required > >ssl_cert = </etc/postfix/tls/ServerCertificate.pem > >ssl_cipher_list = >ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-G >CM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AE >S128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA25 >6:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE- >ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES1 >28-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE >-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES12 >8-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNUL >L:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-D >ES-CBC3-SHA:!KRB5-DES-CBC3-SHA > >ssl_client_ca_dir = /etc/postfix/tls/ > >ssl_client_ca_file = ChainBundle.pem > >ssl_dh = # hidden, use -P to show it > >ssl_key = # hidden, use -P to show it > >ssl_prefer_server_ciphers = yes > >userdb { > > driver = passwd > >} > >protocol imap { > > mail_max_userip_connections = 15 > >} > > > >Any ideas? > > > >Wayne Spivak > >SBANETWEB.com > -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
