SSL – StartSSL.com SSL Class2 Certificate and Postfix

Tags: openssl, postfix, ssl, ssl-certificate

Currently my Postfix 2.11 instance runs TLS on a GoDaddy SSL certificate, but as I would like to be able to access my server as smtp.example.com as well as imap.example.com, example.com or example.org, I bought a cheap SSL Class2 certificate at the startssl.com website. But after updating the Postfix configuration, replacing the old GoDaddy SSL certificate with the new StartSSL.com SSL Class2 certificate, email desktop clients complain about smtp.example.com not being the Common Name example.com.

I've configured nginx and everything seems to work fine when accessing any of the following names and subject alternative names:

example.com
imap.example.com
smtp.example.com
mail.example.com
*.example.com
example.org
imap.example.org
smtp.example.org
mail.example.org
*.example.org

On Postfix I have the following configuration for the GoDaddy certificate:

smtpd_tls_cert_file=/etc/ssl/certs/example.crt
smtpd_tls_key_file=/etc/ssl/private/example.key
smtp_tls_CAfile=/etc/ssl/certs/sf_bundle.crt
smtp_tls_CApath=/etc/ssl/certs

For the StartSSL.com Class2 certificate I tried the following setup combinations without luck:

Combination1

smtpd_tls_cert_file=/etc/ssl/certs/example.crt
smtpd_tls_key_file=/etc/ssl/private/example.key
smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
smtp_tls_CApath=/etc/ssl/certs

Combination2

cat example.crt sub.class2.server.ca.pem >> mycert.crt

smtpd_tls_cert_file=/etc/ssl/certs/mycert.crt
smtpd_tls_key_file=/etc/ssl/private/example.key
smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
smtp_tls_CApath=/etc/ssl/certs

Combination3

cat example.crt sub.class2.server.ca.pem >> /etc/ssl/certs/ca-certificates.crt

smtpd_tls_cert_file=/etc/ssl/certs/example.crt
smtpd_tls_key_file=/etc/ssl/private/example.key
smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
smtp_tls_CApath=/etc/ssl/certs

As I see it, the main issue comes from the mail clients not seeing the alternative names, which are located under the X509v3 extensions, whereas HTTP browsers like Chrome or Firefox do.

Best Answer

Finally I got the startssl.com Class 2 SSL certificate working with Postfix 2.11, so my current configuration works fine for multiple domains and subdomains.

Here's the working configuration just in case anyone needs it.

Postfix /etc/postfix/main.cf

smtpd_tls_cert_file=/etc/ssl/certs/class2.webeloping_es.pem
smtpd_tls_key_file=/etc/ssl/private/class2.webeloping_es.key
## This file was downloaded from startssl.com
smtp_tls_CAfile=/etc/ssl/certs/startssl_ca-bundle.pem
smtp_tls_CApath=/etc/ssl/certs

Courier Imap /etc/courier/imapd-ssl

$ cat /root/SSL/startssl.com/class2.webeloping_es.crt /root/SSL/startssl.com/class2.webeloping_es.key >> /etc/ssl/private/startssl-crt_key.pem

TLS_CERTFILE=/etc/ssl/private/startssl-crt_key.pem
TLS_TRUSTCERTS=/etc/ssl/certs/startssl_ca-bundle.pem
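As an added check that is not part of the question or the answer above (my own example, not the poster's files or configuration): the script below builds a throwaway root -> intermediate -> server chain with the hostnames from the question placed in subjectAltName, assembles the file that Postfix reads from smtpd_tls_cert_file with the server certificate first and the intermediate after it (the layout the question's Combination2 and the answer's class2 .pem rely on), and then runs the same two checks a mail client performs: does the chain validate, and is the hostname being connected to covered by the certificate. The CA names, file names and temporary directory are assumptions made for the example; the certificates are generated locally and are not StartSSL's.

```shell
#!/bin/sh
# Added example (not from the original question or answer): generate a test
# root CA -> intermediate -> server certificate with the SAN list from the post,
# assemble the chain file the way smtpd_tls_cert_file expects it (server
# certificate first, then the intermediate), and check it with openssl.
# All material is local test data; hostnames are the thread's example.com/example.org.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Every name that mail clients will connect to; these go into subjectAltName, not just the CN.
SANS='DNS:example.com,DNS:smtp.example.com,DNS:imap.example.com,DNS:mail.example.com,DNS:example.org,DNS:smtp.example.org,DNS:imap.example.org,DNS:mail.example.org'

# Minimal OpenSSL config so the run does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

make_chain() {
  # Root CA (stands in for the vendor root that ships in the OS trust store).
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$WORK/openssl.cnf" \
    -subj '/CN=Test Root CA' -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

  # Intermediate CA (stands in for sub.class2.server.ca.pem).
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
    -subj '/CN=Test Intermediate CA' -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
  openssl x509 -req -days 365 -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/int.ext" -out "$WORK/int.pem" 2>/dev/null

  # Server certificate: CN is example.com, every other hostname lives only in the SAN extension.
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
    -subj '/CN=example.com' -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n' "$SANS" > "$WORK/leaf.ext"
  openssl x509 -req -days 365 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

  # What goes into smtpd_tls_cert_file: server certificate FIRST, intermediate(s) after it.
  # The root is deliberately left out; clients already trust it.
  cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/chain.pem"
}

# Does the server certificate chain up to the root through the intermediate?
verify_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# The hostname check a mail client performs: succeeds only if $1 is covered by CN or SANs.
leaf_matches() {
  openssl x509 -in "$WORK/leaf.pem" -noout -checkhost "$1" | grep -q 'does match'
}

# Subject of the first certificate in the chain file; that one is treated as the server cert.
chain_first_subject() {
  openssl x509 -in "$WORK/chain.pem" -noout -subject
}

# Number of certificates in the chain file (expect 2: server + intermediate).
chain_cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$WORK/chain.pem"
}

# The SAN line as a client would see it in the certificate.
leaf_sans() {
  openssl x509 -in "$WORK/leaf.pem" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

make_chain
echo "chain verifies:  $(verify_chain && echo yes || echo no)"
echo "first cert:      $(chain_first_subject)"
echo "certs in chain:  $(chain_cert_count)"
echo "SANs:            $(leaf_sans)"
for h in smtp.example.com mail.example.org imap.example.net; do
  if leaf_matches "$h"; then echo "$h: accepted"; else echo "$h: REJECTED (not in SANs)"; fi
done
```

Two things to keep in mind when mapping this onto main.cf. The smtp_tls_CAfile and smtp_tls_CApath settings in the configurations above govern Postfix's outbound client connections and have no effect on what smtpd presents to connecting mail clients; the chain those clients see comes from smtpd_tls_cert_file, which the Postfix documentation says should hold the server certificate followed by its intermediate CA certificates, in that order. Appending certificates to /etc/ssl/certs/ca-certificates.crt (Combination3) alters the local trust store rather than the chain sent to clients, and that file is regenerated by update-ca-certificates. To check a live server from the outside, run openssl s_client -connect mail.example.com:25 -starttls smtp -CAfile /etc/ssl/certs/ca-certificates.crt and read the "Certificate chain" and "Verify return code" lines; a missing intermediate shows up there as "unable to get local issuer certificate".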