
On my server I installed Postfix and Dovecot and Apache2 on Ubuntu.

I bought an SSL certificate and used that to secure the website. This works fine.

Now I want to configure Postfix and Dovecot with the same certificate so that I can use my mail server with SSL too. But when I set it up on my gmail app on the phone, I get this:

Certificate not trusted
Subject: kanzan.se
Issuer: AlphaSSL CA - SHA256 - G2
Valid from: Jul 3, 2018
Expires on: Jul 4, 2019
Current date: Jul 6, 2018
PEM encoded chain: -----BEGIN CERTIFICATE-----
MIIFzTCCBLWgAwIBAgIMdmzZXlCIkPQV/MbvMA0GCSqGSIb3DQEBCwUAMEwxCzAJBgN...

These are my configurations:

/etc/postfix/main.cf:

smtpd_tls_cert_file=/etc/ssl/certs/kanzan_cert_comb.crt
smtpd_tls_key_file=/etc/ssl/private/kanzan_ssl.key
smtpd_use_tls=yes
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtp_sasl_security_options =
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders
smtpd_recipient_restrictions = permit_sasl_authenticated
#reject_sender_login_mismatch

/etc/dovecot/conf.d/10-ssl.conf:

ssl = yes
ssl_cert = </etc/ssl/certs/kanzan_cert_comb.crt
ssl_key = </etc/ssl/private/kanzan_ssl.key

/etc/postfix/master.cf:

submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes

smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

First of all, can I use the same certificate for mail and the website? (same domain). I added an MX record to my DNS which points to this domain, kanzan.se.

Are my configs right?

Esa Jokinen
user2908112

1 Answer

This is an issue with the certificate chain sent with the certificate. You can use the same certificate with Apache2, Postfix and Dovecot. However, the configuration for intermediate certificates is different: Apache has a separate SSLCertificateChainFile directive, while Postfix and Dovecot require the intermediate certificates to be in the same file (smtpd_tls_cert_file / ssl_cert).

Testing your current configuration with openssl s_client -debug -connect, both kanzan.se:465 for SMTPS and kanzan.se:443 for HTTPS shows only one certificate.

Certificate chain
 0 s:/OU=Domain Control Validated/CN=kanzan.se
   i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2

This should show the intermediate certificates too, the full chain to the root CA being:

Certificate chain
  0 s:/OU=Domain Control Validated/CN=kanzan.se
    i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
  1 s:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
    i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
  2 s:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
    i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA

To set this up for Postfix and Dovecot (and Apache):

  1. You can get the intermediate certificate from GlobalSign AlphaSSL Intermediate Certificates. You need the one with serial 040000000001444ef03631.

    /etc/ssl/certs# wget https://secure.globalsign.com/cacert/gsalphasha2g2r1.crt
    

    The GlobalSign Root CA should be in GlobalSign_Root_CA.pem. You can check the serial:

    /etc/ssl/certs$ openssl x509 -in GlobalSign_Root_CA.pem -serial -noout
    serial=040000000001154B5AC394
    
  2. All the certificates need to be in ASCII armored PEM format, while the downloaded gsalphasha2g2r1.crt is currently in DER encoded binary format. You need to convert it using:

    openssl x509 -inform DER -in gsalphasha2g2r1.crt -out gsalphasha2g2r1.pem
    
  3. Combine the certificates as explained in the Postfix TLS readme. The order is the same for Dovecot.

    cat kanzan_cert_comb.crt gsalphasha2g2r1.pem GlobalSign_Root_CA.pem > postfix.crt
    
  4. Use these certificates:

    • Postfix: smtpd_tls_cert_file=/etc/ssl/certs/postfix.crt
    • Dovecot: ssl_cert = </etc/ssl/certs/postfix.crt
    • Apache, add: SSLCertificateChainFile /etc/ssl/certs/gsalphasha2g2r1.pem
Esa Jokinen
  • Thank you very much!! I made exactly these changes, but same thing. I tried openssl and the chain is still just one?? (The last change SSLCertificateChainFile /etc/ssl/certs/gsalphasha2g2r1.crt made the page go down, I used my crt file I created when doing the request for the cert instead) – user2908112 Jul 06 '18 at 10:01
  • That's strange. And you have restarted all these services after modification? Does `cat postfix.crt` show all the three `-----BEGIN CERTIFICATE-----` blocks? – Esa Jokinen Jul 06 '18 at 10:05
  • It looks like this: see UPDATE.. (The middle one is encoded differently) – user2908112 Jul 06 '18 at 10:07
  • I think I made a little mistake here: the intermediate certificate is now in binary format, while it should be ASCII armored. I'll try to fix this in my answer and let you try again. – Esa Jokinen Jul 06 '18 at 10:15
  • It works!! Thank you again very much! I just copied it instead – user2908112 Jul 06 '18 at 10:24
  • That'd work, too. Now my answer is complete. – Esa Jokinen Jul 06 '18 at 10:27
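The four steps of the answer (fetch the intermediate, convert DER to PEM, concatenate leaf / intermediate / root, point Postfix and Dovecot at the result) are easy to get subtly wrong, and the only feedback Postfix gives is a client that still says "Certificate not trusted". The script below is an added example, not code from the question or the answer: it wraps each step in a small shell function and, before anything is restarted, checks the combined file the way a client would (first block must be the server certificate for the host name, and it must chain through the other blocks to the root). It needs only an `openssl` binary; the root/intermediate/leaf PKI it generates under a temp directory, the host name `mail.example.test`, and the file names `int.crt`, `postfix.crt` and so on are all constructed for the demo and stand in for the real gsalphasha2g2r1.crt and kanzan_cert_comb.crt. The same combined file also works for Apache 2.4.8 and later, which reads the intermediates from SSLCertificateFile and has deprecated SSLCertificateChainFile.

```sh
#!/bin/sh
# Added example (not from the original post): build the combined chain file
# Postfix and Dovecot expect, and verify it locally before restarting anything.
# Assumes only an `openssl` binary; every file name below is made up for the demo.
set -eu

# Count PEM certificate blocks in a file (a DER-encoded .crt yields 0).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Copy a certificate to PEM, converting from DER when the input is binary.
to_pem() {  # to_pem INPUT OUTPUT
    if [ "$(count_certs "$1")" -gt 0 ]; then
        cp "$1" "$2"
    else
        openssl x509 -inform DER -in "$1" -out "$2"
    fi
}

# Concatenate in the order the Postfix TLS_README requires: leaf, intermediates, root.
build_chain() {  # build_chain OUTPUT LEAF INTERMEDIATE... [ROOT]
    out="$1"; shift
    cat "$@" > "$out"
}

# Validate a combined file: the first block must be a certificate for HOST that
# chains (via the remaining blocks) up to ROOT. A leaf-only file fails because the
# issuer is missing; a misordered file fails the host-name check.
check_chain() {  # check_chain CHAINFILE ROOT HOST
    leaf=$(mktemp)
    openssl x509 -in "$1" -out "$leaf"            # `x509` reads only the first block
    if openssl verify -CAfile "$2" -untrusted "$1" -verify_hostname "$3" "$leaf" >/dev/null 2>&1; then
        rm -f "$leaf"; return 0
    fi
    rm -f "$leaf"; return 1
}

# Number of certificates a live server actually sends: 1 means the intermediate is
# missing. PROTO is empty for implicit TLS (465, 993) or e.g. "smtp" for port 587.
served_cert_count() {  # served_cert_count HOST PORT [PROTO]
    { if [ -n "${3:-}" ]; then
          openssl s_client -connect "$1:$2" -servername "$1" -starttls "$3" -showcerts
      else
          openssl s_client -connect "$1:$2" -servername "$1" -showcerts
      fi; } </dev/null 2>/dev/null | grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Constructed test PKI (root -> intermediate -> leaf) so the checks run offline.
make_demo_pki() {  # make_demo_pki DIR HOST
    d="$1"; host="$2"
    printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:false\nsubjectAltName=DNS:%s\n' "$host" > "$d/leaf.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/O=Demo/CN=Demo Root CA' \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/O=Demo/CN=Demo Intermediate CA' \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
    # CA download pages often publish intermediates DER-encoded as .crt; mimic that.
    openssl x509 -in "$d/int.pem" -outform DER -out "$d/int.crt"
}

run_demo() {
    d=$(mktemp -d); host=mail.example.test
    make_demo_pki "$d" "$host"
    to_pem "$d/int.crt" "$d/int.pem"
    build_chain "$d/postfix.crt" "$d/leaf.pem" "$d/int.pem" "$d/root.pem"
    echo "blocks in postfix.crt: $(count_certs "$d/postfix.crt")"
    check_chain "$d/postfix.crt" "$d/root.pem" "$host" && echo "chain OK"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then run_demo; fi
```

Run it as `sh chain.sh demo` to see the offline round trip; with the real files, `check_chain /etc/ssl/certs/postfix.crt GlobalSign_Root_CA.pem kanzan.se` tells you whether the combined file is usable before Postfix or Dovecot are restarted, and `served_cert_count kanzan.se 465` (or `served_cert_count kanzan.se 587 smtp`) afterwards should report more than one block, matching the "Certificate chain" listing in the answer.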