2

I have set up Let's Encrypt encryption on my server, and thereafter followed a tutorial to set up a mail server (dovecot and postfix) on the same server (ubuntu server 16.04 with nginx). In the process I also created two email addresses for that domain, which I was hoping to use through the mail client Mail. However, I get the error "unable to verify account name or password", and on http://www.checktls.com/perl/TestReceiver.pl I get the following error:

[001.075]       Cert NOT VALIDATED: unable to get local issuer certificate
[001.075]       this may help: What Is An Intermediate Certificate
[001.075]       So email is encrypted but the domain is not verified
[001.075]   ssl : scheme=ldap cert=140396633026752
: identity=mail.mysite.com cn=mysite.com alt=2 mysite.com 2 www.mysite.com
[001.075]       Cert Hostname DOES NOT VERIFY (mail.mysite.com != mysite.com)
[001.076]       So email is encrypted but the host is not verified

The whole report:

seconds     test stage and result
[000.123]       Connected to server
[000.437]   <-- 220 ubuntu-512mb-fra1-01.mysite.com ESMTP Postfix (Ubuntu)
[000.437]       We are allowed to connect
[000.438]   --> EHLO checktls.com
[000.558]   <-- 250-ubuntu-512mb-fra1-01.mysite.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
[000.558]       We can use this server
[000.559]       TLS is an option on this server
[000.559]   --> STARTTLS
[000.679]   <-- 220 2.0.0 Ready to start TLS
[000.680]       STARTTLS command works on this server
[000.947]   ssl : new ctx 140396633279344
: start handshake
: ssl handshake not started
: not using SNI because hostname is unknown
: set socket to non-blocking to enforce timeout=30
: call Net::SSLeay::connect
: done Net::SSLeay::connect -> -1
: ssl handshake in progress
: waiting for fd to become ready: SSL wants a read first
: socket ready, retrying connect
: call Net::SSLeay::connect
: ok=0 [0] /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3/CN=mysite.com
: ok=0 [0] /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3/CN=mysite.com
: ok=0 [0] /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3/CN=mysite.com
: done Net::SSLeay::connect -> -1
: ssl handshake in progress
: waiting for fd to become ready: SSL wants a read first
: socket ready, retrying connect
: call Net::SSLeay::connect
: done Net::SSLeay::connect -> 1
: ssl handshake done
[000.949]       SSLVersion in use: TLSv1.2
[000.949]       Cipher in use: ECDHE-RSA-AES128-SHA256
[000.950]       Connection converted to SSL
[000.979]       
Certificate 1 of 3 in chain:
Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number:
      03:bf:0b:67:c3:bd:f6:98:ed:66:b4:86:11:5c:44:22:e2:1b
  Signature Algorithm: sha256WithRSAEncryption
    Issuer:
      countryName         = US
      organizationName      = Let's Encrypt
      commonName        = Let's Encrypt Authority X3
    Validity
      Not Before: Oct 29 10:33:00 2016 GMT
      Not After : Jan 27 10:33:00 2017 GMT
    Subject:
      commonName        = mysite.com
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
        Public-Key: (2048 bit)
        Modulus:
          (2048-bit modulus value omitted)
        Exponent: 65537 (0x10001)
    X509v3 extensions:
      X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
      X509v3 Extended Key Usage: 
        TLS Web Server Authentication, TLS Web Client Authentication
      X509v3 Basic Constraints: critical
        CA:FALSE
      X509v3 Subject Key Identifier: 
        D9:81:23:A5:47:07:33:95:ED:67:F4:1C:79:48:64:EF:64:93:31:96
      X509v3 Authority Key Identifier: 
        keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
      Authority Information Access: 
        OCSP - URI:http://ocsp.int-x3.letsencrypt.org/
        CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
      X509v3 Subject Alternative Name: 
        DNS:mysite.com, DNS:www.mysite.com
      X509v3 Certificate Policies: 
        Policy: 2.23.140.1.2.1
        Policy: 1.3.6.1.4.1.44947.1.1.1
          CPS: http://cps.letsencrypt.org
          User Notice:
          Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
  Signature Algorithm: sha256WithRSAEncryption
     (signature bytes omitted)
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----                                                                                                                      
[001.005]       
Certificate 2 of 3 in chain: identical to certificate 1 above (same serial number, issuer, validity, subject, Subject Alternative Name and PEM body).
[001.074]       
Certificate 3 of 3 in chain: identical to certificate 1 above (same serial number, issuer, validity, subject, Subject Alternative Name and PEM body).
[001.075]       Cert NOT VALIDATED: unable to get local issuer certificate
[001.075]       this may help: What Is An Intermediate Certificate
[001.075]       So email is encrypted but the domain is not verified
[001.075]   ssl : scheme=ldap cert=140396633026752
: identity=mail.mysite.com cn=mysite.com alt=2 mysite.com 2 www.mysite.com
[001.075]       Cert Hostname DOES NOT VERIFY (mail.mysite.com != mysite.com)
[001.076]       So email is encrypted but the host is not verified
[001.076]   ~~> EHLO checktls.com
[001.077]   ssl write_all VM at entry=vm_unknown
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 554.
partial `EHLO checktls.com
'
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 557.
written so far 19:19 bytes (VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 676.
[001.197]   <~~ 250-ubuntu-512mb-fra1-01.mysite.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
[001.198]       TLS successfully started on this server
[001.198]   ~~> MAIL FROM:<test@checktls.com>
[001.199]   ssl write_all VM at entry=vm_unknown
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 554.
partial `MAIL FROM: 
'
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 557.
written so far 31:31 bytes (VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 676.
[001.332]   <~~ 250 2.1.0 Ok
[001.333]       Sender is OK
[001.333]   ~~> RCPT TO:<myuser@mysite.com>
[001.335]   ssl write_all VM at entry=vm_unknown
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 554.
partial `RCPT TO: 
'
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 557.
written so far 31:31 bytes (VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 676.
[001.470]   <~~ 250 2.1.5 Ok
[001.471]       Recipient OK, E-mail address proofed
[001.471]   ~~> QUIT
[001.473]   ssl write_all VM at entry=vm_unknown
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 554.
partial `QUIT
'
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 557.
written so far 6:6 bytes (VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 676.
[001.592]   <~~ 221 2.0.0 Bye
[001.595]   ssl : free ctx 140396633279344 open=140396633279344
: free ctx 140396633279344 callback

As far as I can tell, the problem is with the implementation of the certificate. What steps can I take to solve this issue?

2 Answers

2

Looking at

not using SNI because hostname is unknown

after that, seeing the hostname to which the connection is tested:

ubuntu-512mb-fra1-01.mysite.com

and

commonName = mysite.com

and

**X509v3 Subject Alternative Name: 
    DNS:mysite.com, DNS:www.mysite.com** 

.... I noticed: the CN and the connecting server's hostname are different, and

secondly, all the certificates in the chain are the same:

     -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

And that is why the validation is failing.

Anirudh Malhotra
  • So, if I understand correctly, we're talking about (probably) 2 main problems, right? One being that there are different names stated, and second that the certificates are the same? How would one go about solving those issues? Thank you so much for your time btw. – user3026192 Oct 31 '16 at 16:42
  • First, use the same hostname in the certificate CN as the MX entry of your domain (or vice versa). Also, you would have got a **fullchain.pem** from Let's Encrypt; use that instead of this. If you haven't, create it by first pasting this certificate into a file, then pasting the Let's Encrypt root certificate after it; name it fullchain.pem and use that. – Anirudh Malhotra Oct 31 '16 at 16:47
  • **Recommenting for more clarity**: Firstly, use the same hostname in the certificate CN or Subject Alternative Name (SAN) as the MX record entry of your domain (or do the vice versa, i.e. the MX record of the domain should be equal to the CN or SAN on the certificate). Second problem: you would have got a **fullchain.pem** from Let's Encrypt; use that instead of the current certificate file. If you haven't, create it by first pasting this certificate into a file, then pasting the Let's Encrypt root certificate after it; name it fullchain.pem and use that instead of the current certificate file. Hope this helps! – Anirudh Malhotra Oct 31 '16 at 16:56
  • I get it sending emails now through the command line; however, I cannot connect it to an email client. In Mail on Mac, for example, it says, when I've filled out the credentials, that it can't verify the username or password. How come? – user3026192 Oct 31 '16 at 20:09
  • 1
    All the config you did till now was for postfix, which is an MTA. Email clients talk to the MDA, so you have to configure the MDA, which is dovecot, for an email client to communicate successfully. And check its logs to see why it is not able to do so right now. – Anirudh Malhotra Nov 01 '16 at 01:39
  • Got it all working it seems. Thank you very much for the help. – user3026192 Nov 01 '16 at 12:10
1

My hostname is vegas, and I use LE certs like this:

Request Cert from LE:

/opt/letsencrypt/letsencrypt-auto certonly --agree-tos --email letsencrypt@jacobdevans.com --keep-until-expiring --webroot -w /usr/share/nginx/html --rsa-key-size 4096 -d vegas.jacobdevans.com --renew-by-default

Contents of /etc/postfix/main.cf | grep vegas

smtp_tls_cert_file = /etc/letsencrypt/live/vegas.jacobdevans.com/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/vegas.jacobdevans.com/privkey.pem

SNI isn't supported in postfix (https only), so I would dedicate a single hostname to your MTA or add it to a SAN cert.

Always use fullchain.pem.

Jacob Evans
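The following is an added example, not code from the question or from either answer. It rebuilds both checktls.com findings against a constructed test PKI (a root, an intermediate and a leaf standing in for DST Root, Let's Encrypt Authority X3 and mysite.com) and shows that the two fixes given above, serving fullchain.pem and using a hostname that is actually in the certificate's SAN, make `openssl verify` pass. All names and keys are constructed; it assumes only an `openssl` binary.

```shell
#!/bin/sh
# Added example (not from the question or either answer). Rebuilds the two
# checktls.com findings with a constructed test PKI and shows what fixes them:
# root -> intermediate -> leaf here stands in for DST Root -> Let's Encrypt
# Authority X3 -> mysite.com. All names and keys are constructed; needs openssl.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf

# issue NAME SUBJECT EXTFILE [ISSUER]: key + CSR, then sign (no ISSUER = self-signed)
issue() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -config req.cnf -key "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
  if [ -z "$4" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -extfile "$3" -days 2 \
      -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
      -extfile "$3" -days 2 -out "$1.pem" 2>/dev/null
  fi
}
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
# Same subject and SAN as the leaf in the question; mail.mysite.com is absent.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mysite.com,DNS:www.mysite.com\n' > leaf.ext
issue root '/CN=Test Root' ca.ext
issue int  '/CN=Test Intermediate' ca.ext root
issue leaf '/CN=mysite.com' leaf.ext int

# What the question's Postfix served: the leaf three times and no intermediate.
cat leaf.pem leaf.pem leaf.pem > broken-chain.pem
# What certbot writes as fullchain.pem: the leaf followed by the intermediate.
cat leaf.pem int.pem > fullchain.pem

# verify_as_client CHAIN HOSTNAME: trust only the root (like a mail client's
# store), take intermediates from CHAIN as sent by the server, and match
# HOSTNAME against the leaf's SAN. Prints "ok" or "fail: <openssl reason>".
verify_as_client() {
  if out=$(openssl verify -CAfile root.pem -untrusted "$1" -verify_hostname "$2" \
             leaf.pem 2>&1); then
    echo ok
  else
    echo "fail: $(printf '%s\n' "$out" | sed -n 's/.*depth lookup: //p' | head -n1)"
  fi
}

for pair in "broken-chain.pem mysite.com" "fullchain.pem mail.mysite.com" \
            "fullchain.pem mysite.com"; do
  set -- $pair
  printf '%-17s %-17s %s\n' "$1" "$2" "$(verify_as_client "$1" "$2")"
done
# Expected: the first fails with "unable to get local issuer certificate" (the
# checktls.com message), the second with a hostname mismatch, the third is ok.
# To inspect the chain your own Postfix actually serves (replace the host):
#   openssl s_client -starttls smtp -connect mail.mysite.com:25 -showcerts </dev/null
```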