I have an issue with my mail server running a postfix/dovecot setup: essentially, when I run the various security tests I get told that my certificates can't be validated, see here: https://ssl-tools.net/mailservers/brailsford.xyz
The certificates and related files I have available (which are valid as per https://brailsford.xyz) are:
- AddTrustExternalCARoot.crt
- brailsford_xyz.crt
- COMODORSAAddTrustCA.crt
- COMODORSADomainValidationSecureServerCA.crt
I also have my key file for the crt, brailsford_xyz.key
My setup in postfix is:
smtpd_tls_cert_file=/etc/ssl/certs/postfixchain.crt
smtpd_tls_key_file=/etc/ssl/private/brailsford.key
smtpd_tls_CAfile=/etc/ssl/certs/COMODORSADomainValidationSecureServerCA.crt
smtpd_use_tls=yes
The postfix chain is a combination of three of the certs from earlier, in the following order:
- brailsford_xyz.crt
- COMODORSADomainValidationSecureServerCA.crt
- AddTrustExternalCARoot.crt
Can anyone advise as to what I'm doing wrong and how I can rectify it?
Best Answer
It seems your SSL certificate chain is not complete (or rather, it is missing a link). Look at what openssl s_client returns when I connect to your mail server:

As you can see, there is a certificate with issuer (i) of "/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority", but the chain does not contain a certificate issued to that subject by a trusted CA (or a further intermediate CA).

As far as I can tell you are missing at least this certificate (as the third link in your chain): https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/966/108/intermediate-1-sha-2-comodo-rsa-certification-authority

That is serial number 27:66:ee:56:eb:49:f3:8e:ab:d7:70:a2:fc:84:de:22 and
Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
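The check the answer performs by eye (does each certificate's issuer match the subject of the next certificate in the bundle?) can be run against the concatenated PEM file before it is handed to smtpd_tls_cert_file. The script below is an added example, not part of the answer; it assumes openssl is installed, and the CA names it generates for its self-test (Test Root, Test Intermediate, mail.example.test) are constructed.

```shell
#!/bin/sh
# Added example: walk a concatenated PEM chain and report the first place
# where a certificate's issuer is not the subject of the cert that follows it,
# i.e. a missing intermediate. Assumes the openssl CLI is available.
set -u

# Print "OK" if every adjacent link resolves, otherwise
# "BROKEN after <subject>: needs <issuer>" for the first gap found.
# A chain that ends at an intermediate (root not shipped) still reports OK,
# because only the links between adjacent certificates are checked.
check_chain_links() {
    chain="$1"
    tmp=$(mktemp -d) || return 2
    # Split the bundle into cert-01.pem, cert-02.pem, ... in file order.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$chain"
    prev_issuer=""; prev_subject=""; result="OK"
    for c in "$tmp"/cert-*.pem; do
        # RFC2253 formatting gives a stable one-line DN for string comparison.
        subject=$(openssl x509 -in "$c" -noout -subject -nameopt RFC2253 | sed 's/^[a-z]*= *//')
        issuer=$(openssl x509 -in "$c" -noout -issuer -nameopt RFC2253 | sed 's/^[a-z]*= *//')
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
            result="BROKEN after $prev_subject: needs $prev_issuer"
            break
        fi
        prev_issuer="$issuer"; prev_subject="$subject"
    done
    rm -rf "$tmp"
    echo "$result"
}

# Build a constructed root -> intermediate -> leaf chain in $1 so the checker
# can be exercised offline; writes full.pem (complete) and broken.pem (leaf+root).
make_test_chain() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.pem" -subj "/CN=Test Root" -days 1 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" -subj "/CN=Test Intermediate" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial -out "$d/int.pem" -days 1 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" -subj "/CN=mail.example.test" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial -out "$d/leaf.pem" -days 1 2>/dev/null
    cat "$d/leaf.pem" "$d/int.pem" "$d/root.pem" > "$d/full.pem"
    cat "$d/leaf.pem" "$d/root.pem" > "$d/broken.pem"   # same shape as the chain in the question
}

# Usage: ./check_chain.sh /etc/ssl/certs/postfixchain.crt
if [ $# -gt 0 ]; then
    check_chain_links "$1"
fi
```

For the live server the same comparison can be made on the chain shown by openssl s_client -starttls smtp -showcerts, since that is what the remote verifier sees.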