Port 587 is for STARTTLS, port 465 is for TLS. The warning you see is indeed because there is a self-signed certificate. You can replace it with a Let's Encrypt certificate following this tutorial: https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/

Though I did it in a different way, to have a different cert for mail than for the panel:
- Add a website with the hostname of your mailserver to ISPConfig. Check the Let's Encrypt checkbox to acquire a Let's Encrypt certificate.
- Add any other names for your server (e.g. imap.example.com, smtp.example.com) as aliasdomains of the main domain.
- Verify that the certificate is issued for the site.
- Log in to your server.
- Run this (replace sitename-in-ispconfig.com with the hostname you used):

Code:
cd /etc/postfix/
mv smtpd.cert smtpd.cert-$(date +"%y%m%d%H%M%S").bak
mv smtpd.key smtpd.key-$(date +"%y%m%d%H%M%S").bak
ln -s /etc/letsencrypt/live/sitename-in-ispconfig.com/fullchain.pem smtpd.cert
ln -s /etc/letsencrypt/live/sitename-in-ispconfig.com/privkey.pem smtpd.key
systemctl restart postfix
systemctl restart dovecot

Then open a new script:

Code:
nano /etc/init.d/le_mail_pem.sh

Paste this in that file (replace sitename-in-ispconfig.com with the hostname you used):

Code:
#!/bin/sh
### BEGIN INIT INFO
# Provides: LE MAILSERVER CERT AUTO UPDATER
# Required-Start: $local_fs $network
# Required-Stop: $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: LE MAILSERVER CERT AUTO UPDATER
# Description: Update mail server cert automatically when a new cert is issued.
### END INIT INFO
cd /etc/postfix/
# Keep the current cert/key (or the previous links) as timestamped backups.
mv smtpd.cert smtpd.cert-$(date +"%y%m%d%H%M%S").bak
mv smtpd.key smtpd.key-$(date +"%y%m%d%H%M%S").bak
# Point Postfix at the Let's Encrypt chain and private key.
ln -s /etc/letsencrypt/live/sitename-in-ispconfig.com/fullchain.pem smtpd.cert
ln -s /etc/letsencrypt/live/sitename-in-ispconfig.com/privkey.pem smtpd.key
# Restart both services so they load the new certificate.
systemctl restart postfix
systemctl restart dovecot

Then install incron:

Code:
apt install incron

Make the script executable and allow root to use incron:

Code:
chmod +x /etc/init.d/le_mail_pem.sh
echo "root" >> /etc/incron.allow

Open incrontab:

Code:
incrontab -e

Add this:

Code:
/etc/letsencrypt/archive/sitename-in-ispconfig.com/ IN_MODIFY /etc/init.d/le_mail_pem.sh

Credits to @ahrasis for the original code and tutorial.

I once had a problem with this, because the main hostname was one of the aliasdomains. You can check this by viewing the cert in your browser or listing the content of /etc/letsencrypt/live to see which of the (alias)domains has a cert there.
I had the same problem here after updating. Windows 7 machines, even updated with Office 2013. The solution was to apply the registry fix for which I will leave the URL. It forces the use of TLS 1.2 and leaves 1.1 as a fallback and disables 1.0 instead. Download: https://eth1.com.br/softwares/?dir=Windows/TLS
Code:
a self signed certificate. You can replace it with a Let's Encrypt certificate

My setup is Debian 10 with ISPConfig 3.2. I tried to replace the self-signed certificate with a Let's Encrypt certificate, following your instructions, but I have some problems. When I do "chmod +x /etc/init.d/le_ispc_pem.sh" the terminal says "kan geen toegang krijgen tot '/etc/init.d/le_ispc_pem.sh': Bestand of map bestaat niet". When I look in init.d/ I can only find "le_mail_pem.sh". Should I use this? Thanks
Yes, my bad. I changed the name but forgot to change the chmod command. Will edit my command. You're lucky I'm Dutch btw, most of the other users don't understand it.
Ok thanks, I saw that you were from Amsterdam, so I was lucky you understand the Dutch language. I tried this but now my mail is not working anymore. When I check with ssl-tools.net it says "STARTTLS unsupported". Do I have to restart the server?
No, that shouldn't be necessary. Take a look at your logs (/var/log/mail.log and /var/log/syslog) to see if there is an error on startup of postfix / dovecot.
Hereby the output from mail.log after starting postfix:

Code:
warning: TLS library problem: error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:288:fopen('/etc/postfix/smtpd.cert','r'):
warning: cannot get RSA certificate from file "/etc/postfix/smtpd.cert": disabling TLS support
warning: TLS library problem: error:20074002:BIO routines:file_ctrl:system lib:../crypto/bio/bss_file.c:290:
warning: TLS library problem: error:140DC002:SSL routines:use_certificate_chain_file:system lib:../ssl/ssl_rsa.c:615:
The certificate file is missing in /etc/postfix, you can check this with

Code:
ls /etc/postfix

Try running this again:

Code:
cd /etc/postfix/
mv smtpd.cert smtpd.cert-$(date +"%y%m%d%H%M%S").bak
mv smtpd.key smtpd.key-$(date +"%y%m%d%H%M%S").bak
ln -s /etc/letsencrypt/live/sitename-in-ispconfig.com/fullchain.pem smtpd.cert
ln -s /etc/letsencrypt/live/sitename-in-ispconfig.com/privkey.pem smtpd.key
systemctl restart postfix
systemctl restart dovecot

Replace sitename-in-ispconfig.com with your sitename!
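The failure in this thread (a link pointing at a path that does not exist, after which Postfix disabled TLS) can be caught before anything is moved. The following is an added example, not code from any poster here: a guarded variant of the swap commands, where the function names and the optional directory arguments are made up for illustration.

```sh
#!/bin/sh
# Added example: guarded variant of the certificate swap from this thread.
# The directory arguments exist so the functions can be tried on a scratch
# directory; the defaults are the paths used in the thread.

# link_mail_cert SITE [POSTFIX_DIR] [LE_LIVE_DIR]
# Returns 0 after linking; returns 1 and changes nothing if the
# Let's Encrypt files for SITE are missing or empty.
link_mail_cert() {
    site=$1
    pf_dir=${2:-/etc/postfix}
    le_live=${3:-/etc/letsencrypt/live}
    chain="$le_live/$site/fullchain.pem"
    key="$le_live/$site/privkey.pem"

    # -s follows symlinks, so this also catches broken links under live/.
    for f in "$chain" "$key"; do
        if [ ! -s "$f" ]; then
            echo "missing or empty: $f (is '$site' the name under $le_live?)" >&2
            return 1
        fi
    done

    # One timestamp for both backups so the cert/key pair stays together.
    stamp=$(date +"%y%m%d%H%M%S")
    for name in smtpd.cert smtpd.key; do
        # -e is false for a dangling symlink, so test -L as well.
        if [ -e "$pf_dir/$name" ] || [ -L "$pf_dir/$name" ]; then
            mv "$pf_dir/$name" "$pf_dir/$name-$stamp.bak" || return 1
        fi
    done

    ln -s "$chain" "$pf_dir/smtpd.cert" && ln -s "$key" "$pf_dir/smtpd.key"
}

# mail_tls_ok [POSTFIX_DIR]: 0 only if both names resolve to readable files.
mail_tls_ok() {
    d=${1:-/etc/postfix}
    [ -r "$d/smtpd.cert" ] && [ -r "$d/smtpd.key" ]
}

# Typical use on the server (not run here):
#   link_mail_cert mail.example.com && systemctl restart postfix dovecot
```

Because the restart only happens when the function succeeds, a wrong site name leaves the old certificate in place and mail keeps working.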
I am sorry but ISPConfig 3.2 uses a different approach, so I think it is best to undo and remove LE4ISPC before continuing using this version. Run the ISPConfig instructions to update to 3.2 and choose to create SSL certs during that process. If problems still remain thereafter, do read and try the FAQ: https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/
Hi, my setup is now a fresh Debian 10 with a fresh install of ISPConfig 3.2 (not an update to 3.2). I tried the code again and it is working now. Probably I had forgotten "Replace sitename-in-ispconfig.com with your sitename!", so there was a faulty link. See new thread (https://www.howtoforge.com/community/threads/sll-certificate-for-email.85471/)

Now the next question: I have 3 different domains, and on the site that delivers the domains I set up the DNS records for each domain. The Let's Encrypt certificate that is created is only for 1 email domain. Is it possible to do this for all the 3 different domain names? Now 1 email is with the correct hostname LE, and the other 2 emails are with the incorrect hostname LE.
For a next question, you should create a new thread when the new question does not deal with the problem in this thread.
Hi ... sorry - I am a bit confused now with this topic. Is there any need to do something within the control panel with version 3.2 and above to ensure that all ISPConfig-related services utilize Let's Encrypt certificates, or is this now done within the upgrade routine? If I need to create anything like sites or domains within the control panel, where is this now described? Thx for your feedback |> r
If the error still exists, it may be helpful to replace "dane" in postfix and set to "may". Something like:

Code:
sed -i -e 's/smtp_tls_security_level = dane/smtp_tls_security_level = may/g' /etc/postfix/main.cf

Make a backup first of your main.cf and restart Postfix after editing the file.
You write code by using [ code ] --> code here <-- [ /code ] tag, obviously with no space in the brackets.
DANE is an extra security layer using DNSSEC, and not all servers support it. If not configured correctly, messages in/out will not be delivered because smtp_tls_security_check fails. If you replace it with 'may', the verification is optional and mails would be sent and delivered.
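Before changing dane to may as suggested above, it helps to see whether main.cf also enables the DNSSEC lookups that Postfix's dane level relies on (smtp_dns_support_level = dnssec). This is an added example, not code from any poster in this thread; the function names and the three status words are made up for illustration, and it reads only the file it is given.

```sh
#!/bin/sh
# Added example: report how the outbound TLS level in a main.cf is set up.

# main_cf_value FILE PARAM: print the last value assigned to PARAM in FILE
# (empty line if PARAM is not set). Comment lines are skipped.
main_cf_value() {
    awk -v p="$2" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1)
            gsub(/[ \t]/, "", name)
            if (name != p) next
            val = substr($0, eq + 1)
            sub(/^[ \t]+/, "", val)
            sub(/[ \t]+$/, "", val)
            found = val          # later assignments override earlier ones
        }
        END { print found }
    ' "$1"
}

# dane_status FILE prints one of:
#   not-dane        smtp_tls_security_level is something other than dane
#   dane-ready      dane, and smtp_dns_support_level = dnssec
#   dane-no-dnssec  dane, but DNSSEC lookups are not enabled in this file
dane_status() {
    level=$(main_cf_value "$1" smtp_tls_security_level)
    dns=$(main_cf_value "$1" smtp_dns_support_level)
    if [ "$level" != "dane" ]; then
        echo not-dane
    elif [ "$dns" = "dnssec" ]; then
        echo dane-ready
    else
        echo dane-no-dnssec
    fi
}
```

On a live server, `postconf -h smtp_tls_security_level smtp_dns_support_level` shows the values Postfix actually uses, including defaults that are not written in the file.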