Getting the SSL to work with postfix and dovcot

@dreamdare:

Hi Guys,

I bought a positive SSL (COMODO) for my mailserver and added the files to the right location following the instructions in Linode Library.

My main.cf in postfix now has:

smtpdtlscertfile= /etc/ssl/localcerts/wwwdreamdare_org.crt

smtpdtlskey_file= /etc/ssl/localcerts/www.dreamdare.org.key

smtpdtlsCAfile = /etc/ssl/localcerts/PositiveSSLCA2.crt

and 10-ssl.conf in dovcot has

sslcert = sslkey = www.dreamdare.org.key

ssl_ca =

But my mail client stil shows the not verified message. I have also restarted dovcot and postifix as well. What am i missing here? I'm running Ubuntu 12.04.

Thanks in advance,

Chris

it seems that there is something wrong in the certificate.

who signed the certificate?

It's working fine for me, have you restarted your mail client?

Hi guys,

The signin request was generated by me and the certificate is a Comodo Positive SSL from cheapSSL. I've restarted the email client and no luck.:(

You can try viewing the certificate using:

openssl s_client -connect host:port

What port is your mail client connecting to? You didn't mention if you were using POP or IMAP with dovecot.

Secure POP3 should be on 995 and secure IMAP should be on 993. Don't forget to change host:port to the right combination for your server.

For SSL and TLS to work with SMTP when mail is delivered to your server by another system, the name returned in the MX record needs to be in Subject or Subject Alternative Names of the certificate. Likewise, for clients (your local MUA which gets mail via POP3/IMAP and delivers mail you send via SMTP on your server) the name you specify in the MUA's configuration needs to match one of the names in the certificate.

So, you either need to add additional Subject Alternative Names for the all the names you use to refer to that server, or you need to change all of the places you refer to the server by name to use a name that's in Subject Alternative Names. At the moment the Subject Alternative Names in your certificate include only the bare domain and the www hostname.

-James

Edit: Forgot to mention the third option - a wildcard certificate would work as well since that covers every possible hostname under your domain.

@The Other Air Force:

You can try viewing the certificate using:

openssl s_client -connect host:port

What port is your mail client connecting to? You didn't mention if you were using POP or IMAP with dovecot.

Secure POP3 should be on 995 and secure IMAP should be on 993. Don't forget to change host:port to the right combination for your server.

I'm using IMAP and the port is 993.

@James: To use the Subject Alternative Names, would i have to generate another request and get another certificate or there is a way to fix this one?

You'd need to generate a new CSR and have it signed by the issuer again. None of the information in a certificate can be changed without getting it signed again.

-James

I see. but how is it that i can't even get this one to work? for the domain which it was intended.

I noticed that in the CSR, it says: CN=www.dreamdare.org

I use mail.dreamdare.org in my client, is this what causing the problem for this specific domain?

Thanks :)

Yes, mismatched names will always cause a problem. Any of the following will fix that:

* Generate a new CSR with mail.dreamdare.org in the SAN section and get it signed

• Get a wildcard certificate for *.dreamdare.org (and a SAN of dreamdare.org)

• Get a new certificate for mail.dreamdare.org

• Tell your mail client that the server's name is www.dreamdare.org & edit your MX record to use www.dreamdare.org as well

Also, when I went digging a little deeper I noticed that you are not serving the intermediate (or chain) certificate that connects your certificate to the trusted root certificate which everyone has installed. After a little searching I wasn't able to find the intermediate certificate you need, but the company that signed your certificate should be able to provide it to you. Without that certificate, the verification chain is broken so your certificate cannot be validated.

-James

Thanks James, I added www.dreamdare.org to the MX records and set the client to the same as it's working fine now without any warnings.

As for the root certificate, it's there, it's in another directory.

One last thing, could i add www.dreamdare.org as MX records to other domains and use this mailserver? For example, if i have a admin@domain.com with MX record of www.dreamdare.org priority 0, would it work without warnings?

Thanks again

Yes. You can use www.dreamdare.org as the MX of any domain you're willing to accept mail for. Unless you get another certificate, however, clients will also need to use www.dreamdare.org as the name for POP3/IMAP and SMTP servers for the certificate to be verified.

You might want to remove the MX record you have pointing to mail.dreamdare.org now, though, as that name won't be able to be verified with the current certificate. Most systems sending you mail won't care since it's got a lower priority, but if your mail server starts dropping connections (or a non-compliant system decides to use the wrong MX record) mail may bounce due to the SSL/TLS verification issue that that name.

-James

The cert is also valid for dreamdare.org so they can use it without the www. Just a note.

Thanks guys, I really appreciate the help. All is good now:)