Hello, I have a little problem getting my TLS with Postfix running; when I check the result on Checktls.com I get Cert Fail.
Here I have a lot of my configuration settings; I need a little help to finish this integration.

Debian 9, Postfix Version = 3.1.14, Dovecot 2.2.27 (c0f36b0), OpenSSL 1.1.1g 21 Apr 2020

    Certificate 1 of 2 in chain:
    Cert VALIDATION ERROR(S): self signed certificate in certificate chain
    So email is encrypted but the recipient domain is not verified
    Cert Hostname VERIFIED (nmail.caloro.ch = nmail.caloro.ch)
    Not Valid Before: Jun 8 19:09:45 2020 GMT
    Not Valid After: Jun 8 19:09:45 2021 GMT
    subject= /C=CH/ST=Luzern/O=Caloro/OU=IT/CN=nmail.caloro.ch
    issuer= /C=CH/ST=Luzern/L=Meierskappel/O=Caloro/OU=IT/CN=nmail.caloro.ch
    Certificate 2 of 2 in chain:
    Cert VALIDATION ERROR(S): self signed certificate in certificate chain
    So email is encrypted but the recipient domain is not verified

Main.CF

    # SMTP from your server to others
    smtp_tls_key_file = /etc/ssl/test/key.caloro.key
    smtp_tls_cert_file = /etc/ssl/test/crt.caloro.crt
    smtp_tls_CAfile = /etc/ssl/test/CaCert.pem
    smtp_use_tls = no
    smtp_tls_security_level = may
    smtp_tls_note_starttls_offer = yes
    smtp_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1
    smtp_tls_protocols=!SSLv2,!SSLv3,!TLSv1
    smtp_tls_loglevel = 1
    smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
    smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, RC4, eNULL

    # SMTP from other servers to yours
    smtpd_tls_key_file = /etc/ssl/test/key.caloro.key
    smtpd_tls_cert_file = /etc/ssl/test/crt.caloro.crt
    smtpd_tls_CAfile = /etc/ssl/test/CaCert.pem
    smtp_use_tls = no
    smtpd_tls_security_level = may
    smtpd_tls_auth_only = yes
    smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1
    smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1
    smtpd_tls_loglevel = 1
    smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
    smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, RC4, eNULL
    # TLS configuration ends here
Dovecot.conf

    ssl_cert = </etc/ssl/test/crt.caloro.crt
    ssl_key = </etc/ssl/test/key.caloro.key

openssl creating Key and sign

    openssl genrsa -des3 -out key.caloro.key 4096
    openssl req -new -key key.caloro.key -out csr.caloro.csr
    openssl x509 -req -days 365 -in csr.caloro.csr -signkey key.caloro.key -out crt.caloro.crt
    openssl rsa -in key.caloro.key -out key.caloro.key.nopass
    mv key.caloro.key.nopass key.caloro.key
    openssl req -new -x509 -extensions v3_ca -keyout CaKey.pem -out CaCert.pem -days 3650
    openssl ca -in csr.caloro.csr -out crt.caloro.crt
    Using configuration from /usr/lib/ssl/openssl.cnf
    Enter pass phrase for /etc/ssl/test/CaKey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate is to be certified until Jun 8 19:09:45 2021 GMT (365 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

    root@mail:/etc/ssl/test# openssl ca -in csr.caloro.csr -out crt.caloro.crt
    Using configuration from /usr/lib/ssl/openssl.cnf
    Enter pass phrase for /etc/ssl/test/CaKey.pem:
    Check that the request matches the signature
    Signature ok
    The matching entry has the following details
    Type :Valid
    Expires on :210608190945Z
    Serial Number :01
    File name :unknown
    Subject Name :/C=CH/ST=Luzern/O=Caloro/OU=IT/CN=nmail.caloro.ch/emailAddress=maurizio@caloro.ch
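An added illustration, not part of the original post: the script below reproduces the reported verdict offline by verifying a leaf certificate signed by a private CA, first without and then with that CA as a trust anchor. The CA name, the host name mail.example.test and the scratch files are constructed placeholders, and it assumes an OpenSSL 1.1.0 or later command-line tool with its default openssl.cnf.

```shell
#!/bin/sh
# Constructed demo: throwaway private CA plus one leaf certificate signed by it.
# All subjects and file names are placeholders, not values from the post.
make_chain() {
    dir=$1
    # Self-signed root (the default openssl.cnf marks it as a CA).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo Private CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null &&
    # Key and signing request for the mail host.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=mail.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null &&
    # Leaf issued by the private CA, so issuer and subject differ.
    openssl x509 -req -in "$dir/leaf.csr" -days 30 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/leaf.pem" 2>/dev/null
}

# What an outside checker sees: the server presents leaf + CA certificate,
# but the CA is not a trust anchor, so the chain ends in an untrusted
# self-signed certificate.
verify_untrusted() {
    openssl verify -no-CAfile -no-CApath \
        -untrusted "$1/ca.pem" "$1/leaf.pem" 2>&1
}

# What a peer sees once it has installed the private CA as a trust anchor.
verify_trusted() {
    openssl verify -CAfile "$1/ca.pem" "$1/leaf.pem" 2>&1
}

demo_dir=$(mktemp -d)
make_chain "$demo_dir"
echo "CA not trusted:"
verify_untrusted "$demo_dir"
echo "CA trusted:"
verify_trusted "$demo_dir"
rm -rf "$demo_dir"
```

The same certificate passes or fails depending only on whether the verifier holds the issuing CA as a trust anchor; the hostname match is checked separately.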