TLS/SSL mail server Certificate installation for Postfix/Dovecot Mail Server Setup

Tags: dovecot, openssl, postfix, ssl-certificate

I have tried to set up my own web server with a mail server (I am not a Linux expert, just following some tutorials). The web server setup with Nginx, PHP-FPM and MySQL seems to have been successful, then I moved on to the mail server setup with Postfix and Dovecot. This also seems to have installed well.

When I checked the TLS connection in telnet, the old server returns a different reply than the new one. The old one says 18 (self-signed) but the new one says 21 (unable to verify the first certificate).

Debug results:

The command that I ran for the original mail server, which is working, is

openssl s_client -connect mail.example.com:25 -starttls smtp 

Reply is

verify return:1
---
Certificate chain
 0 s:/C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/emailAddress=info@parallels.com
   i:/C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/emailAddress=info@parallels.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/emailAddress=info@parallels.com
issuer=/C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/emailAddress=info@parallels.com
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1698 bytes and written 410 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 2E011BE0124FA920C50F8A3D69198EED28F37EB096F9D7F9BF22389B72DEC01E
    Session-ID-ctx:
    Master-Key: 2B8AB37BDC5D7A5DF441E9599C39F20783802DC5F3258C284617DA01513E58DB961F56F451F2592AAA97188D6E9726BE
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1427334041
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
250 DSN

The command that I ran for the original mail server, which is working, is

openssl s_client -connect localhost:25 -starttls smtp 

Reply is

CONNECTED(00000003)
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = dc-career, emailAddress = root@dc-career
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = dc-career, emailAddress = root@dc-career
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=dc-career/emailAddress=root@dc-career
   i:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=dc-career/emailAddress=root@dc-career
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=dc-career/emailAddress=root@dc-career
issuer=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=dc-career/emailAddress=root@dc-career
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1886 bytes and written 410 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 3B1E05F1518F27105F09F910C97E73847BEBA9BA98E479FE21CB8D827CA82F6D
    Session-ID-ctx:
    Master-Key: 34EC64A0AAE219BEBE181ED97692A0C5370F1B56FEE52B6E7B9A0E3480E26BFA243B06487FCA7B01ED5456BE9DC6E4E3
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 3600 (seconds)
    TLS session ticket:
    0000 - 32 34 a9 c9 aa 9d 86 67-93 3c ab 32 fe 9a c7 aa   24.....g.<.2....
    0010 - 32 18 5d 0c 74 7f 4a 3b-17 3f 51 6e d0 ac b0 59   2.].t.J;.?Qn...Y
    0020 - a1 c7 76 36 43 18 39 bc-0b e7 fb a0 67 e5 e3 db   ..v6C.9.....g...
    0030 - b7 50 c3 a2 cf cc 82 4c-b4 45 d8 96 d6 6f 2e 3d   .P.....L.E...o.=
    0040 - 36 46 45 94 f4 6e 9f 84-f2 49 9c 56 25 51 53 34   6FE..n...I.V%QS4
    0050 - fb ab 8c 4b 16 04 f7 68-0c f3 c3 be 66 38 da ee   ...K...h....f8..
    0060 - b7 35 bf c1 5b c0 02 43-4b 55 5c 0c d2 7d 66 62   .5..[..CKU\..}fb
    0070 - 78 9f a8 d0 f2 b9 52 e0-3f 92 52 90 8f 2a a7 04   x.....R.?.R..*..
    0080 - a6 af 4a 6a b1 ce ff 6c-4e b5 f6 90 0d 4e 05 a8   ..Jj...lN....N..
    0090 - e5 53 8a 58 fc 75 fa 97-06 78 49 95 41 96 5d 05   .S.X.u...xI.A.].

    Start Time: 1427334340
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
250 DSN

Is there something wrong with the mail installation? If so, how can I fix this?

Best Answer

Yeah, I don't expect it to be the same; just why there is an error in the second one, and how to fix it, is the problem. I think my generation or assignment to Dovecot/Postfix is wrong, because I don't know how to use the CA in this installation. How do I use CA certs in Postfix/Dovecot?

To use a chained SSL certificate in Postfix, you can refer to the Postfix docs for smtpd_tls_cert_file:

smtpd_tls_cert_file (default: empty)

To enable a remote SMTP client to verify the Postfix SMTP server certificate, the issuing CA certificates must be made available to the client. You should include the required certificates in the server certificate file, the server certificate first, then the issuing CA(s) (bottom-up order).

Example: the certificate for "server.example.com" was issued by "intermediate CA" which itself has a certificate of "root CA". Create the server.pem file with:

cat server_cert.pem intermediate_CA.pem root_CA.pem > server.pem

If you also want to verify client certificates issued by these CAs, you can add the CA certificates to the smtpd_tls_CAfile, in which case it is not necessary to have them in the smtpd_tls_cert_file or smtpd_tls_dcert_file.

That's it. You can concatenate both certificates and put the result in smtpd_tls_cert_file.

The same 'concat' method can be applied to Dovecot. See the Dovecot docs and this mailing list entry.
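Added example (not code from the question or the answer above): a small checker that reads `openssl s_client` transcripts like the two in the question and reports what a mail admin needs to act on. It extracts the "Certificate chain" block, checks the ordering rule the Postfix docs quoted above require (server certificate first, then each issuing CA, so every certificate's issuer is the subject of the next one), and interprets the verify return code. Two points it makes explicit that the outputs above only hint at: in both transcripts subject equals issuer, so both certificates are self-signed and appending CA certificates cannot help until the server certificate has actually been issued by a CA; and OpenSSL reports 18 only when it recognises the leaf as self-signed, whereas 21 means the chain held a single certificate that OpenSSL did not classify as self-signed and whose issuer it could not find, which is why the hint for that case is to compare the Subject Key Identifier and Authority Key Identifier extensions. The sample inputs are abbreviated excerpts of the question's two transcripts plus a constructed, properly chained transcript with hypothetical CA names; the expected hostname `mail.example.com` is an assumption.

```python
"""Interpret `openssl s_client -starttls smtp` output for a mail server's
certificate chain.  Added example; not code from the original post."""
import re

CHAIN_SUBJECT = re.compile(r"^\s*(\d+) s:(.*)$")
CHAIN_ISSUER = re.compile(r"^\s*i:(.*)$")
VERIFY_RETURN = re.compile(r"Verify return code: (\d+)")
CN = re.compile(r"/CN=([^/]*)")


def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server presented them
    (the 'Certificate chain' block: ' 0 s:...' followed by '   i:...')."""
    chain, subject = [], None
    for line in output.splitlines():
        m = CHAIN_SUBJECT.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = CHAIN_ISSUER.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def verify_code(output):
    """The numeric 'Verify return code' OpenSSL printed, or None if absent."""
    m = VERIFY_RETURN.search(output)
    return int(m.group(1)) if m else None


def chain_is_bottom_up(chain):
    """Postfix's ordering rule for smtpd_tls_cert_file: server certificate
    first, then each issuing CA, so cert[i].issuer must equal cert[i+1].subject."""
    return all(chain[i][1] == chain[i + 1][0] for i in range(len(chain) - 1))


def analyse(output, expected_host):
    """Return a list of findings a mail admin should act on (empty = clean)."""
    chain = parse_chain(output)
    code = verify_code(output)
    if not chain:
        return ["no 'Certificate chain' block found in output"]
    findings = []
    leaf_subject, leaf_issuer = chain[0]
    m = CN.search(leaf_subject)
    cn = m.group(1) if m else None
    if cn != expected_host:
        findings.append(f"leaf CN {cn!r} does not match expected host {expected_host!r}")
    if leaf_subject == leaf_issuer:
        findings.append("leaf subject equals issuer: self-signed, no remote client will trust it")
    if not chain_is_bottom_up(chain):
        findings.append("presented chain is not bottom-up (issuer of cert[i] != subject of cert[i+1])")
    if code == 18:
        findings.append("verify 18: OpenSSL recognised the leaf as self-signed; it is not in the local trust store")
    elif code == 21:
        # OpenSSL raises 21 only when exactly one certificate was presented
        # and it did NOT classify that certificate as self-signed.
        hint = (" (names match, so check that the Authority Key Identifier "
                "equals the Subject Key Identifier)" if leaf_subject == leaf_issuer else "")
        findings.append("verify 21: single certificate presented and its issuer "
                        "is not in the local trust store" + hint)
    elif code == 20:
        findings.append("verify 20: top of the presented chain is not in the local trust store")
    elif code not in (0, None):
        findings.append(f"verify {code}: see the X509_V_ERR table in openssl verify(1)")
    return findings


# Constructed sample input: abbreviated excerpts of the two transcripts in the
# question (certificate bodies and session data dropped).
OLD_SERVER = """\
Certificate chain
 0 s:/C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/emailAddress=info@parallels.com
   i:/C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/emailAddress=info@parallels.com
---
    Verify return code: 18 (self signed certificate)
"""

NEW_SERVER = """\
Certificate chain
 0 s:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=dc-career/emailAddress=root@dc-career
   i:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=dc-career/emailAddress=root@dc-career
---
    Verify return code: 21 (unable to verify the first certificate)
"""

# Constructed (hypothetical CA names): what a correctly chained server presents.
CHAINED = """\
Certificate chain
 0 s:/CN=mail.example.com
   i:/CN=Example Intermediate CA
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
---
    Verify return code: 0 (ok)
"""

if __name__ == "__main__":
    for name, transcript in (("old", OLD_SERVER), ("new", NEW_SERVER), ("chained", CHAINED)):
        print(name, analyse(transcript, "mail.example.com") or ["clean"])
```

Feed it a live transcript with `openssl s_client -connect mail.example.com:25 -starttls smtp -CAfile <system CA bundle> > out.txt` and `analyse(open("out.txt").read(), "mail.example.com")`; passing the system bundle (its path varies by distribution) matters, because a build of s_client that cannot locate the default store will report 20 or 21 even for a correctly issued chain.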