
I've had an Ubuntu 14.04 server configured and running fine for some time now. There are web, FTP and mail servers installed and functioning properly on it. A week ago the SSL certificate that I had been using to connect to the management console and for mail expired, and I went ahead and acquired a new one from StartSSL.

The new certificate is for mail.mydomain.com. The Postfix (main.cf) configuration contains the following:

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = /usr/share/doc/postfix
# TLS parameters
smtpd_tls_cert_file = /etc/postfix/mail.crt
smtpd_tls_key_file = /etc/postfix/mail.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
myhostname = mail.mysite.com
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
myorigin = /etc/mailname
mydestination = mail.mysite.eu, localhost, localhost.localdomain

Dovecot.conf

protocols = imap pop3
auth_mechanisms = plain login
disable_plaintext_auth = no
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_privileged_group = vmail
postmaster_address = postmaster@saturn13.eu
ssl_cert = </etc/postfix/mail.crt
ssl_key = </etc/postfix/mail.key
ssl_protocols = !SSLv2 !SSLv3

Dovecot/conf.d/10-ssl.conf

ssl = yes
ssl_cert = </etc/postix/mail.crt
ssl_key = </etc/postfix/mail.key

I read that StartSSL requires an intermediate and root CA to be installed, so I tried concatenating them into a mail.pem file, which I then proceeded to set in both Postfix and Dovecot. Try as I might, every time I ran an OpenSSL test, the results were like this:

root@server:/etc/dovecot# openssl s_client -connect mail.mysite.com:465
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

What's even more puzzling for me is the fact that when I try to connect to the account with Thunderbird, a popup window appears asking to confirm a security exception for www.mysite.com:443.

So, could you help me figure out what's wrong in this configuration? When I open the mail.crt file in Windows, everything appears normal. So why can't I connect to the server and why is Thunderbird trying to connect to www and on port 443?

Thank you!

zkvvoob

1 Answer


With StartSSL certs you need to wait for one day or OCSP validation will fail.

Firefox and Thunderbird have OCSP enabled. Maybe this was the cause for TB...

For the openssl error, maybe you are using the wrong ciphers? Check here: https://weakdh.org/sysadmin.html

Your mail.crt looks like:

-----BEGIN CERTIFICATE-----
..xxx..
-----END CERTIFICATE-----

and your mail.key like:

-----BEGIN RSA PRIVATE KEY-----
...xxx...
-----END RSA PRIVATE KEY-----

You don't need to install the StartSSL root cert, as it is installed in all browsers... just the intermediate:

For Postfix I'm using

smtpd_tls_CAfile = /etc/ssl/private/sub.class1.server.ca.pem

For Dovecot

ssl_ca = </etc/ssl/private/sub.class1.server.ca.pem

and Apache

SSLCertificateChainFile /etc/ssl/private/sub.class1.server.ca.pem

Jonathan
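The following check script is an added example and is not part of the question or the answer above; it exercises the points both raise before a mail server is restarted with new certificate material. It generates a throwaway root / intermediate / leaf chain with openssl so it runs offline, then checks (1) that the private key belongs to the first certificate in the chain file, which is the order Postfix's smtpd_tls_cert_file and Dovecot's ssl_cert expect when the intermediate is concatenated into the same file, (2) that the leaf verifies up to the root through the intermediate, (3) that the leaf is not expired, and (4) that every path named by a TLS setting in a Postfix or Dovecot config file actually exists. The last check is worth running because the question's 10-ssl.conf points ssl_cert at /etc/postix/mail.crt while Postfix reads /etc/postfix/mail.crt; a daemon that cannot open its certificate file will typically refuse or drop TLS connections, and the s_client output in the question (write:errno=104 with 0 bytes read) shows the server closing the connection before any TLS data came back. The host name mail.example.test, the sample config file and all file paths under the temporary directory are constructed for this example; the live_check function is a template for a real server and is not executed here.

```shell
#!/bin/sh
# Added example: sanity-check the TLS material a Postfix/Dovecot server is
# configured with. All names and paths are constructed; nothing here is
# from the question or the answer.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Build a throwaway PKI: self-signed root, intermediate signed by the root,
#    leaf for mail.example.test signed by the intermediate.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test Root" \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
printf 'basicConstraints=CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/int.ext"
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Test Intermediate" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -extfile "$WORK/int.ext" -out "$WORK/int.crt" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > "$WORK/leaf.ext"
openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
  -keyout "$WORK/mail.key" -out "$WORK/mail.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/mail.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
  -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/mail.crt" 2>/dev/null

# 2. Two chain files: the server certificate must come FIRST, then the
#    intermediate. The second file has the order reversed on purpose.
cat "$WORK/mail.crt" "$WORK/int.crt" > "$WORK/mail.pem"
cat "$WORK/int.crt" "$WORK/mail.crt" > "$WORK/wrong-order.pem"

# 3. A constructed Dovecot snippet with one mis-spelt directory in it.
cat > "$WORK/10-ssl.conf" <<EOF
ssl = yes
ssl_cert = <$WORK/postix/mail.crt
ssl_key = <$WORK/mail.key
EOF

# Does the private key ($2) belong to the FIRST certificate in file $1?
# openssl x509 reads only the first PEM block, which is exactly what the
# server will present as its own certificate.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)" = \
    "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Does leaf $1 chain to root $3 through intermediate $2? The text output is
# checked rather than the exit code because old openssl releases returned 0
# from `verify` even when verification failed.
chain_verifies() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" 2>&1 | grep -q ': OK$'
}

# Is the first certificate in $1 still valid $2 days from now?
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Print every path named by a Postfix/Dovecot TLS setting in config $1 that
# does not exist on disk (Dovecot's leading '<' is stripped first).
missing_config_paths() {
  awk -F'=' '$1 ~ /^[ \t]*(ssl_cert|ssl_key|ssl_ca|smtpd_tls_cert_file|smtpd_tls_key_file|smtpd_tls_CAfile)[ \t]*$/ {
      v = $2; sub(/^[ \t]*<?/, "", v); sub(/[ \t]*$/, "", v); print v }' "$1" |
  while IFS= read -r p; do [ -e "$p" ] || printf '%s\n' "$p"; done
}

# Template for checking a running server (not executed in this example):
# SNI name set, implicit TLS on 465 and STARTTLS on 587, trust taken from
# the system CA store so a missing intermediate shows up as a verify error.
live_check() {
  openssl s_client -connect "$1:465" -servername "$1" -CApath /etc/ssl/certs </dev/null
  openssl s_client -connect "$1:587" -starttls smtp -servername "$1" -CApath /etc/ssl/certs </dev/null
}

for f in mail.pem wrong-order.pem; do
  if key_matches_cert "$WORK/$f" "$WORK/mail.key"; then
    echo "$f: private key matches the first certificate"
  else
    echo "$f: private key does NOT match the first certificate (wrong order or wrong key)"
  fi
done
chain_verifies "$WORK/mail.crt" "$WORK/int.crt" "$WORK/root.crt" && echo "chain: OK"
cert_valid_for_days "$WORK/mail.crt" 0 && echo "leaf: not expired"
missing_config_paths "$WORK/10-ssl.conf" | sed 's/^/missing path: /'
```

On a real host, point key_matches_cert at the file named by smtpd_tls_cert_file (or ssl_cert) and the matching key file, run missing_config_paths over main.cf and every file under /etc/dovecot/conf.d, and only then run live_check against the server name on the certificate.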