My CP had been running smoothly for a while, but a week ago, all of a sudden, my SMTP clients stopped working, as well as my Laravel app mailer and Nextcloud mail. The webmail had no issues. After a week of looking at logs and debugging, I'll sum up some errors I found so others can find this post:
- warning: TLS library problem: 5029:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
- Cert VALIDATION ERROR(S): unable to get local issuer certificate
- verify error:num=21:unable to verify the first certificate
- Cert VALIDATION ERROR(S): certificate has expired
mail.domain.com showed a valid cert while connections gave "invalid/expired cert" alerts. I tried to find the invalid cert, to no avail. Though, the errors started when this supposed cert expired. It's a mystery to me, but I guess it's cached somewhere?
Amongst possible solutions, I tried 6-self-signed-ssl-error-on-outlook-thunderbird
But there are some problems with it pertaining to my issue, so I adjusted some things. I hope it'll help some of you out there.
SOLUTION:
Step 1:
sudo nano /etc/postfix/main.cf
Step 2: If smtpd_tls_cert/key_file = /etc/pki/dovecot/… DO NOT comment these 2 lines out but replace them with:
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem
Step 3: If not already present, add:
smtpd_tls_chain_files = /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem, /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem
Make sure you put it all on one line, otherwise you'll get errors for misconfiguration.
Step 4: In order to support SNI you need to add the following lines at the end
# provide the map to be used when SNI support is enabled
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
Step 5: Create a new file in /etc/postfix with the name of vmail_ssl.map
sudo touch /etc/postfix/vmail_ssl.map
Step 6: Edit the file to add your domain's SSL certificates to the list like this:
mail.yourprimarymailserverdomain.com /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem
Step 7 (Optional): If you have more than one domain to be supported, add all of them, one per line. The resulting file should look like this:
# Compile with postmap -F hash:/etc/postfix/vmail_ssl.map when updating
# One host per line
mail.yourprimarymailserverdomain.com /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem
mail.yoursecondarymailserverdomain.com /etc/letsencrypt/live/mail.yoursecondarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yoursecondarymailserverdomain.com/fullchain.pem
# add more domains with keys and certs as needed
Step 8: Open /etc/dovecot/dovecot.conf
sudo nano /etc/dovecot/dovecot.conf
Step 9: Append the following to the end of the file, replacing 'mail.domain.com' with your own domain:
local_name mail.domain.com {
ssl_cert = </etc/letsencrypt/live/mail.domain.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.domain.com/privkey.pem
}
Step 10: Re-compile postmap with SNI using the following command
postmap -F hash:/etc/postfix/vmail_ssl.map
Step 11: Restart Postfix.
systemctl restart postfix
Step 12: Restart Dovecot
systemctl restart dovecot
Connect again using a mail client and you should not see the error.
You may need to also add the ssl manually through the CP as Dsousa instructed on that page.
Apparently I can’t give any links as a new user, sorry about that.
Hopefully the renewal will also succeed. It's maybe a hacky solution, but it worked for me. With
tail -f /var/log/mail.log
the log gave:
postfix/smtpd[406524]: warning: Both smtpd_tls_chain_files and one or more of the legacy smtpd_tls_cert_file, smtpd_tls_eccert_file or smtpd_tls_dcert_file are non-empty; the legacy parameters will be ignored
So apparently some parts still use legacy while other parts don't, I'm guessing…
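A post-fix check script, added here as an example and not part of the original post: it reads the one-host-per-line vmail_ssl.map from Step 7, reports whether each certificate file on disk is expired (the "certificate has expired" error above), and, if you pass a port, asks the live Postfix or Dovecot service what chain it actually presents for each SNI name and prints the openssl verify code (21 being the "unable to verify the first certificate" from the log above). It assumes POSIX sh, sed, awk and the openssl CLI; the map contents and the 7-day threshold are constructed for the demo.

```shell
# Added check script, not from the original post. Assumes POSIX sh, sed, awk and
# the openssl CLI, and the one-host-per-line map layout of Step 7.

# Print "host keyfile certfile" per map entry, skipping comments and blank lines
# and accepting the comma or whitespace Postfix allows between the two paths.
sni_map_entries() {
    sed -e 's/#.*//' -e 's/,/ /g' "$1" | awk 'NF >= 3 { print $1, $2, $3 }'
}

# Succeed only if the certificate file is valid for at least $2 more seconds
# (default 0): the on-disk side of the "certificate has expired" error.
cert_file_ok() {
    openssl x509 -noout -checkend "${2:-0}" -in "$1" >/dev/null 2>&1
}

# Ask the live server what it presents for one SNI name and print openssl's
# "Verify return code", e.g. "0 (ok)" or "21 (unable to verify the first
# certificate)". Ports 25/587 and 143 use STARTTLS; 465 and 993 are implicit TLS.
probe_sni() {
    case "$2" in
        25|587) starttls="-starttls smtp" ;;
        143)    starttls="-starttls imap" ;;
        *)      starttls="" ;;
    esac
    openssl s_client -connect "$1:$2" -servername "$1" $starttls \
        </dev/null 2>/dev/null | sed -n 's/^ *Verify return code: //p'
}

# Demo on a constructed copy of the Step 7 map. Pass a port as the first
# argument (e.g. 587 or 993) to also probe the running server for each name.
tmpmap=$(mktemp)
cat >"$tmpmap" <<'EOF'
# One host per line
mail.yourprimarymailserverdomain.com /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem
mail.yoursecondarymailserverdomain.com /etc/letsencrypt/live/mail.yoursecondarymailserverdomain.com/privkey.pem, /etc/letsencrypt/live/mail.yoursecondarymailserverdomain.com/fullchain.pem
EOF
sni_map_entries "$tmpmap" | while read -r host _key cert; do
    if [ ! -r "$cert" ]; then
        echo "$host: $cert is not readable on this machine"
    elif cert_file_ok "$cert" 604800; then
        echo "$host: $cert is valid for more than 7 days"
    else
        echo "$host: $cert is expired or expires within 7 days; renew it first"
    fi
    if [ -n "${1:-}" ]; then
        echo "  port $1 verify result: $(probe_sni "$host" "$1")"
    fi
done
rm -f "$tmpmap"
```

Run it on the mail server itself after Step 12 so the certificate paths resolve; a non-zero verify code for a name means that service is still handing out a chain clients cannot validate for that SNI.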