
I've set up a personal mail server using postfix, postfix-saslauth, courier (mysqlauthd, imap, pop) plus some good practices like SPF, DKIM and DMARC.

This setup has been working fine for the last 10 years and today, for the first time, I've tried to add access to one of those accounts through GMail, which requires a working POP3 service. I could successfully add the account through the POP3 service (no security and/or encryption) on port 110.

The problem arises when I try to configure GMail to access the account through the POP3 service on port 995, using security. When doing so I get the following error from GMail:

SSL error: No path found from the leaf certificate to any root. Maybe an intermediate certificate is missing

I've downloaded Mozilla Thunderbird and I could download email through POP3 service on port 995 without issues, so my question is: Does anyone know how to fix this issue with GMail?

The following is my courier-pop3d-ssl config:

SSLPORT=995
SSLADDRESS=0
SSLPIDFILE=/run/courier/pop3d-ssl.pid
SSLLOGGEROPTS="-name=pop3d-ssl"
POP3DSSLSTART=YES
POP3_STARTTLS=YES
POP3_TLS_REQUIRED=0
COURIERTLS=/usr/bin/couriertls
TLS_STARTTLS_PROTOCOL="$TLS_PROTOCOL"
TLS_CIPHER_LIST="TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
TLS_STARTTLS_PROTOCOL="$TLS_PROTOCOL"
TLS_CERTFILE=/etc/courier/certificates/certificate.pem
TLS_PRIVATE_KEYFILE=/etc/courier/certificates/tls_private_keyfile.pem
TLS_DHPARAMS=/etc/courier/certificates/dhparams.pem
TLS_TRUSTCERTS=/etc/ssl/certs/ca-certificates.crt
TLS_VERIFYPEER=NONE
TLS_CACHEFILE=/var/lib/courier/couriersslimapcache
TLS_CACHESIZE=524288
MAILDIRPATH=Maildir

Here's some SSL certificates info:

## Letsencrypt CRT + Key cert files
cat /etc/letsencrypt/live/mydomain.com/cert.pem /etc/letsencrypt/live/mydomain.com/privkey.pem >> /etc/courier/certificates/letsencrypt-mydomain_com_crt_key.pem

ls -la /etc/courier/certificates/certificate.pem
lrwxrwxrwx 1 root courier 60 Oct  2 20:24 /etc/courier/certificates/certificate.pem -> /etc/courier/certificates/letsencrypt-mydomain_com_key.pem

ls -la /etc/courier/certificates/tls_private_keyfile.pem
lrwxrwxrwx 1 root courier 47 Oct  1 17:45 /etc/courier/certificates/tls_private_keyfile.pem -> /etc/letsencrypt/live/mydomain.com/privkey.pem

My SSL certificates are generated through Letsencrypt:

ls -la /etc/letsencrypt/live/mydomain.com/
total 12
drwxr-xr-x 2 root root 4096 Oct  2 14:35 .
drwx------ 8 root root 4096 Oct  2 14:35 ..
lrwxrwxrwx 1 root root   37 Oct  2 14:35 cert.pem -> ../../archive/mydomain.com/cert1.pem
lrwxrwxrwx 1 root root   38 Oct  2 14:35 chain.pem -> ../../archive/mydomain.com/chain1.pem
lrwxrwxrwx 1 root root   42 Oct  2 14:35 fullchain.pem -> ../../archive/mydomain.com/fullchain1.pem
lrwxrwxrwx 1 root root   40 Oct  2 14:35 privkey.pem -> ../../archive/mydomain.com/privkey1.pem
-rw-r--r-- 1 root root  692 Oct  2 14:35 README

This is the error I see at /var/log/mail.log when GMail tries to connect through POP3 service on port 995:

Oct  2 21:12:15 we pop3d-ssl: Connection, ip=[::ffff:74.120.14.35]
Oct  2 21:12:16 we pop3d-ssl: ip=[::ffff:74.120.14.35], Unexpected SSL connection shutdown.
Oct  2 21:12:16 we pop3d-ssl: Disconnected, ip=[::ffff:74.120.14.35]

Should I concatenate intermediates and the leaf (server) certificate somewhere? How? In which order?

Thanks in advance

Solution:

According to courier-mta.org, TLS_CERTFILE is generated including both the cert and the private key. The file must not be world-readable, and must be accessible without a pass-phrase, i.e. it must not be encrypted.

So to fix the issue I had to concatenate Letsencrypt CRT + CHAIN + KEY in this strict order:

cat /etc/letsencrypt/live/mydomain.com/cert.pem /etc/letsencrypt/live/mydomain.com/chain.pem /etc/letsencrypt/live/mydomain.com/privkey.pem >> /etc/courier/certificates/certificate.pem.mydomain.com
peris

1 Answer

TLS_CERTFILE=/etc/courier/certificates/certificate.pem

This file should be a combination of cert.pem and chain.pem - which should be the same as fullchain.pem. While it is not fully clear what you are really doing (there are some mismatches in the file names you use, maybe typos), it looks like you are combining cert and private key instead.

Steffen Ullrich
  • This /etc/courier/certificates/certificate.pem file is a symlink to /etc/courier/certificates/letsencrypt-mydomain_com_crt_key.pem, which is generated by cat /etc/letsencrypt/live/mydomain.com/cert.pem /etc/letsencrypt/live/mydomain.com/privkey.pem. AFAIK this file needs to be the Letsencrypt CRT+Key file, is it wrong? – peris Oct 02 '20 at 19:53
  • Tried replacing /etc/courier/certificates/certificate.pem with another one generated by cat /etc/letsencrypt/live/mydomain.com/cert.pem /etc/letsencrypt/live/mydomain.com/chain.pem >> /etc/courier/certificates/certificate.pem and still got the same error message on GMail, plus this time Sylpheed threw an error saying the connection to POP3 failed. Probably the key is generating certificate.pem by concatenating some letsencrypt cert files in a specified order, but I don't know how it must be done. AFAIK CRT+KEY works fine except on GMail; also I thought it was the way to go, but I may be wrong. – peris Oct 02 '20 at 20:02
  • @user846226: Did you restart the server after the certificate change? If yes, please check with `openssl s_client -connect yourhost:995` what certificates your server actually returns. Or provide the IP so that others can check. – Steffen Ullrich Oct 02 '20 at 20:07
  • The mail server hosts multiple domains. The main domain is webeloping.es. Tests can be done through pop.webeloping.es or mail.webeloping.es and some other domain names. In this case it is my sister who needs the POP3 service for her domain annaperis.com, so I was trying to add her account to her GMail, and the POP3 domain would be pop.annaperis.com. I've run the openssl command and it looks good to me, but I may be wrong. – peris Oct 02 '20 at 20:17
  • Tests with `openssl s_client` show that the leaf certificate for `pop.webeloping.es` is provided twice by the server (instead of once) and no other certificates are provided (instead of chain.pem). This suggests that exactly this is the contents of your `TLS_CERTFILE`. So you likely did something wrong when constructing `TLS_CERTFILE`. – Steffen Ullrich Oct 02 '20 at 20:22
  • I'll dig on the issue you're telling me. Thanks for the tip. Also, certificate for pop.annaperis.com seems to be fine but I still get the same error. Do you have any clue about it? thx! :) – peris Oct 02 '20 at 20:41
  • *"certificate for pop.annaperis.com seems to be fine"* - in this case only the leaf certificate is sent (once as expected) but still no chain certificates. – Steffen Ullrich Oct 02 '20 at 20:54
  • pop.annaperis.com is a concatenation of cert.pem and privkey.pem. So, should I concat Letsencrypt cert.pem and chain.pem? I'm really confused about how those certs should be concatenated; I've not been able to find reliable documentation about that subject. Thx! :) – peris Oct 02 '20 at 21:22
  • At courier-mta.org it is said that TLS_CERTFILE is generated including both the cert and the private key. The filename must not be world-readable, and must be accessible without a pass-phrase, i.e. it must not be encrypted. – peris Oct 02 '20 at 21:27
  • @user846226: Yes, as I already said, you need to concat cert and chain. Otherwise the chain is missing - which is exactly what the error description is pointing out. As for the private key: you already specify this key with `TLS_PRIVATE_KEYFILE` and there should be no need to also add it to the cert file. Alternatively you can also add it to the certfile (but also add the chain) and skip `TLS_PRIVATE_KEYFILE`. – Steffen Ullrich Oct 02 '20 at 21:27
  • Thanks, which would be the right order when concatenating? CRT + CHAIN + KEY? Thx! – peris Oct 02 '20 at 21:47
  • @user846226: correct, certificate + chain. Order of key does not really matter though. – Steffen Ullrich Oct 03 '20 at 06:42
  • Just cat fullchain.pem + key instead of cert.pem + key and you're good, LE already has a file that it recommends using to avoid chain issues. – Ginnungagap Oct 03 '20 at 06:58
  • @Ginnungagap which would be that file? I suppose you're talking about fullchain.pem? Thx. – peris Oct 09 '20 at 17:26
  • Yes, unless you have a specific need, you should always refer to `fullchain.pem` by default. – Ginnungagap Oct 11 '20 at 00:41
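The thread's conclusion in script form (the question's "Solution", the answer's cert + chain advice and the `openssl s_client` check from the comments): an added example, not code from the poster, the answerer or the Courier project. It assumes a Let's Encrypt live directory and an output path passed as arguments, and a `courier` group as on the poster's host.

```shell
#!/bin/sh
# Added example: build Courier's TLS_CERTFILE as leaf + chain + key from a
# Let's Encrypt live dir and sanity-check it offline. Assumed inputs: LIVE is
# e.g. /etc/letsencrypt/live/mydomain.com, OUT is the file TLS_CERTFILE points
# to, and group "courier" exists (both are assumptions, not from the thread).

build_certfile() {                     # build_certfile LIVE OUT
    live="$1"; out="$2"
    # subshell so the restrictive umask does not leak into the caller
    ( umask 027; cat "$live/cert.pem" "$live/chain.pem" "$live/privkey.pem" > "$out" )
    chgrp courier "$out" 2>/dev/null || true   # group may not exist on a test host
    chmod 640 "$out"                   # courier docs: must not be world-readable
}

# Print the PEM block types in file order, e.g. "CERTIFICATE CERTIFICATE PRIVATE-KEY".
pem_layout() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | sed 's/ /-/g' | tr '\n' ' ' | sed 's/ *$//'
}

# Fail unless: a certificate comes first and at least one more (the chain)
# follows it, exactly one private key is present, no certificate block is
# duplicated (the doubled leaf seen via s_client in the comments), and the
# file is not world-readable.
check_certfile() {
    f="$1"
    layout=$(pem_layout "$f")
    case "$layout" in
        "CERTIFICATE CERTIFICATE"*) ;;
        *) echo "chain missing or leaf not first: '$layout'" >&2; return 1 ;;
    esac
    keys=$(printf '%s\n' "$layout" | tr ' ' '\n' | grep -c 'PRIVATE-KEY' || true)
    [ "$keys" -eq 1 ] || { echo "expected one private key, found $keys" >&2; return 1; }
    dups=$(awk '/^-----BEGIN CERTIFICATE-----$/ {b=""; inb=1; next}
                /^-----END CERTIFICATE-----$/   {inb=0; if (seen[b]++) d++; next}
                inb {b = b $0}  END {print d+0}' "$f")
    [ "$dups" -eq 0 ] || { echo "$dups duplicated certificate block(s)" >&2; return 1; }
    [ -z "$(find "$f" -perm -004)" ] || { echo "$f is world-readable" >&2; return 1; }
    return 0
}

# Count the certificates the running pop3d-ssl hands out on 995: a correct
# chain gives 2 or more (leaf plus intermediates); the broken setup in the
# thread gave only the leaf. Needs openssl and network, so not exercised offline.
served_cert_count() {                  # served_cert_count pop.example.com
    openssl s_client -connect "$1:995" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | grep -c '^-----BEGIN CERTIFICATE-----'
}
```

After `build_certfile`, restart courier-pop-ssl and compare `served_cert_count` against the number of blocks in chain.pem plus one.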