mail/certificate issues

#1 Tue, 04/30/2019 - 22:34
antioch


ubuntu 16.04 webmin 1.902 apache 2.4.18 postfix 3.1.0 dovecot 2.2.22

I've suddenly begun experiencing the strangest certificate issues that have stopped mail delivery for select clients. Those clients are getting a name mismatch error with my mail server's certificate.

As per the recommendations found in your setup guide, I've registered a separate domain, antiochtechnologies.com, for use with Webmin. It is NOT connected to the virtual server antiochtech.com. However, when I ran mail.antiochtechnologies.com (a SAN of antiochtechnologies.com) through a certificate checker, it came back with the name mismatch error pointing to amrocks.us, another virtual server I run. When I deleted that virtual server and re-ran the check, the same error results but now points to antiochtech.com - the alphabetical significance of which did not escape me. But I'm lost as to what went wrong and how to correct it, as no changes, save for the usual software updates, have taken place recently.

Thu, 05/02/2019 - 10:18
atleast

Can you write the specifics that users use, like incoming/outgoing server name? Also key Postfix parameters? A client like Outlook may give a certificate error, and if the virtual domain is used without "mail." it can work in most cases, e.g. in place of mail.xox.com use xox.com.

If you post your Postfix specifics here it can be helpful.

Fri, 05/03/2019 - 13:55
antioch

Attempting to set up the mail account for a test user on my handset produces the following in mail.log after turning on verbose SSL logging in Dovecot:

May  3 13:00:26 lamp1 dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [166.175.186.245]
May  3 13:00:26 lamp1 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [166.175.186.245]
May  3 13:00:26 lamp1 dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [166.175.186.245]
May  3 13:00:26 lamp1 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: unknown state [166.175.186.245]
May  3 13:00:26 lamp1 dovecot: message repeated 6 times: [ imap-login: Debug: SSL: where=0x2001, ret=1: unknown state [166.175.186.245]]
May  3 13:00:26 lamp1 dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: unknown state [166.175.186.245]
May  3 13:00:26 lamp1 dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: unknown state [166.175.186.245]
May  3 13:00:26 lamp1 dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=558: fatal certificate unknown [166.175.186.245]
May  3 13:00:26 lamp1 dovecot: imap-login: Warning: SSL failed: where=0x2002: unknown state [166.175.186.245]
May  3 13:00:26 lamp1 dovecot: imap-login: Error: SSL: Stacked error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46
May  3 13:00:26 lamp1 dovecot: imap-login: Debug: SSL error: SSL_accept() failed: Unknown error
May  3 13:00:26 lamp1 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=166.175.186.245, lip=216.235.107.56, TLS handshaking: SSL_accept() failed: Unknown error, session=<NOl8hv+HC2Smr7r1>

Yet setting up that same account in Thunderbird goes off without a hitch.

Fri, 05/03/2019 - 14:24
scotwnw

Sounds like a certificate chain issue. I've run into that where the phone would not log in but Thunderbird or web did fine. Can't recall how I fixed it. Go to SSL Labs and check the current certificate. The top section will show "trusted" platforms - "Mozilla Apple Android Java Windows". Right below that will show if there are any "chain issues".

Fri, 05/03/2019 - 14:32
antioch

No chain issues. antiochtechnologies.com is trusted by all. mail.antiochtechnologies.com (a SAN of the aforementioned) returns name mismatch with the first virtual server, alphabetically.
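The two checks this thread relies on, an online name-mismatch checker (first post) and the SSL Labs trust/chain report (scotwnw's reply), can be run against the IMAP or SMTP port directly. The probe below is an added example, not code from the thread or from Virtualmin, Dovecot or Postfix, and uses only the Python standard library; the names in it (probe.invalid, example.net) are placeholders. It handshakes once with SNI and once without, reports separately whether the chain validates against the local CA store ("chain issues") and whether the presented subjectAltName entries cover the hostname ("name mismatch"). A server that has no certificate bound to the requested name, or a client that sends no SNI at all, receives the server's default certificate, which is consistent with the "first virtual server, alphabetically" result seen above; whether that is the cause here is an inference, not something the thread confirms. Note that Postfix only gained server-side SNI in 3.4, so the 3.1.0 named in the first post always presents its single configured certificate on SMTP regardless of what the client asks for.

```python
"""Probe a mail server's TLS certificate with and without SNI and check its names.

Added example, not part of the forum thread. Standard library only; network
access is needed only by probe()/diagnose(), not by hostname_matches().
"""
import socket
import ssl
from typing import Dict, List, Optional


def san_dns_names(cert: Dict) -> List[str]:
    """DNS names from a cert dict in the shape SSLSocket.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(hostname: str, cert: Dict) -> bool:
    """RFC 6125 style check: subjectAltName dNSNames first, subject CN only when
    the certificate carries no SAN; a wildcard covers exactly one leftmost label."""
    names = san_dns_names(cert)
    if not names:  # legacy certificate without SAN: fall back to the CN
        names = [value for rdn in cert.get("subject", ())
                 for key, value in rdn if key == "commonName"]
    host = hostname.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in names):
        if name.startswith("*.") and "*" not in name[2:]:
            suffix = name[1:]  # "*.example.net" -> ".example.net"
            if host.endswith(suffix) and host.count(".") == name.count("."):
                return True
        elif name == host:
            return True
    return False


def _smtp_starttls(sock: socket.socket) -> None:
    """Drive a plain-text SMTP session up to an accepted STARTTLS (RFC 3207)."""
    lines = sock.makefile("rb")

    def expect(code: bytes) -> None:
        while True:  # consume a possibly multi-line reply ("250-..." then "250 ...")
            line = lines.readline()
            if not line:
                raise ConnectionError("server closed the connection")
            if line[:3] != code:
                raise ConnectionError(line.decode(errors="replace").strip())
            if line[3:4] == b" ":
                return

    expect(b"220")
    sock.sendall(b"EHLO probe.invalid\r\n")  # placeholder client name
    expect(b"250")
    sock.sendall(b"STARTTLS\r\n")
    expect(b"220")


def probe(host: str, port: int, sni: Optional[str], starttls: bool = False,
          timeout: float = 10.0) -> Dict:
    """Handshake with host:port sending SNI `sni` (None = no SNI extension at all).
    Returns {'cert': getpeercert() dict, 'verify_error': None|str}."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # the name check is reported separately below
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must validate, else getpeercert() is empty
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if starttls:
            _smtp_starttls(sock)
        try:
            with ctx.wrap_socket(sock, server_hostname=sni) as tls:
                return {"cert": tls.getpeercert(), "verify_error": None}
        except ssl.SSLCertVerificationError as exc:
            return {"cert": {}, "verify_error": exc.verify_message}  # "chain issue"


def diagnose(hostname: str, port: int = 993, starttls: bool = False) -> Dict[str, Dict]:
    """Compare what an SNI-sending client is shown with what a client sending no SNI
    gets. A name mismatch only without SNI points at a default (first-vhost)
    certificate being served; a mismatch in both cases at the wrong certificate
    being installed for that service."""
    report = {}
    for label, sni in (("with_sni", hostname), ("without_sni", None)):
        result = probe(hostname, port, sni, starttls)
        result["names"] = san_dns_names(result["cert"])
        result["name_match"] = hostname_matches(hostname, result["cert"])
        report[label] = result
    return report


if __name__ == "__main__":
    import json
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.net"  # placeholder
    # IMAPS by default; use port 587 with starttls=True for submission.
    print(json.dumps(diagnose(target, 993), indent=2, default=str))
```

Run it as `python3 probe.py mail.example.net` for IMAPS, or call `diagnose("mail.example.net", 587, starttls=True)` for SMTP submission. Two results are worth distinguishing: `verify_error` set means the client cannot build a trusted chain (the SSL Labs "chain issues" case), while `verify_error` empty and `name_match` false means a trusted certificate for some other name was served, which is exactly the symptom described in this thread.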