I offer a possible solution to current SMTP issues

My CP had been running smoothly for a while, but a week ago all of the sudden my smtp clients stopped working as well as my laravel app mailer and nextcloud mail. The webmail had no issues. After a week of looking at logs and debugging i’ll sum up some errors i found so others can find this post:

  • warning: TLS library problem: 5029:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
  • Cert VALIDATION ERROR(S): unable to get local issuer certificate
  • verify error:num=21:unable to verify the first certificate
  • Cert VALIDATION ERROR(S): certificate has expired

mail domain com showed a valid cert while connects gave “invalid/expired cert alerts”. I tried to find the invalid cert, to no avail. Though, the errors started when this supposed cert expired. It’s a mistery to me, but i guess it’s cached somewhere?

Amongst possible solutions i tried 6-self-signed-ssl-error-on-outlook-thunderbird
But there are some problems with it pertaining to my issue, so i adjusted some things. I hope it’ll help some of you out there.

SOLUTION:

Step 1:

sudo nano /etc/postfix/main.cf

Step 2: If smtpd_tls_cert/key_file = /etc/pki/dovecot/… DO NOT comment these 2 lines out but replace them with:

smtpd_tls_cert_file = /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem

Step 3: If not already present, add:

smtpd_tls_chain_files = /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem, /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem

Make sure you put it all on 1 line, otherwise you’ll get errors for misconfiguration.

Step 4: In order to support SNI you need to add the following lines at the end

# provide the map to be used when SNI support is enabled 
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map

Step 5: Create a new file in /etc/postfix with the name of vmail_ssl.map

sudo touch /etc/postfix/vmail_ssl.map

Step 6: Edit the file to add your domain’s SSL certificates to the list like this

mail.yourprimarymailserverdomain.com
/etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem
/etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem

Step 7 (Optional): If you have more than one domain to be supported add all of them one per line. The resulting file should look like this

# Compile with postmap -F hash:/etc/postfix/vmail_ssl.map when updating
# One host per line
mail.yourprimarymailserverdomain.com /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem
mail.yoursecondarymailserverdomain.com /etc/letsencrypt/live/mail.yoursecondarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yoursecondarymailserverdomain.com/fullchain.pem
# add more domains with keys and certs as needed

Step 8: Open /etc/dovecot/dovecot.conf

sudo nano /etc/dovecot/dovecot.conf

Step 9: Append the following to the end of the file, replace ‘domain com’ with your own domain

local_name mail.domain.com {
  ssl_cert = </etc/letsencrypt/live/mail.domain.com/fullchain.pem
  ssl_key = </etc/letsencrypt/live/mail.domain.com/privkey.pem
}

Step 10: Re-compile postmap with SNI using the following command

postmap -F hash:/etc/postfix/vmail_ssl.map

Step 11: Restart Postfix.

systemctl restart postfix

Step 12: Restart Dovecot

systemctl restart dovecot

Connect again using a mail client and you should not see the error.

You may need to also add the ssl manually through the CP as Dsousa instructed on that page.
Apparently I can’t give any links as a new user, sorry about that.

Hopefully the renewal will also succeed. It’s maybe a hacky solution but it worked for me. with:

tail -f /var/log/mail.log

log gave

postfix/smtpd[406524]: warning: Both smtpd_tls_chain_files and one or more of the legacy smtpd_tls_cert_file, smtpd_tls_eccert_file or smtpd_tls_dcert_file are non-empty; the legacy parameters will be ignored

So apparently some parts still use legacy as other parts don’t, i’m guessing…

2 Likes