Make sure to use the name that is returned by the command "hostname -f" on that server as the SMTP and POP3/IMAP server in your mail client to avoid SSL errors during connect. The ISPConfig installer requests a valid SSL cert via LE for this name at install time (unless you did not set up the hostname correctly before installing ISPConfig or unless you manually altered the name or SSL cert afterwards).
Thank you for your support! I double-checked all the relevant parameters - in my opinion all is set correctly.

But: What I forgot to mention, but is certainly very important: I use the automail-plugin (v1.3) by Florian Schaal for autoconfig. Through this thread I noticed that instead of the certificate of tesoro.xxx.at, the certificate of autoconfig.xxx.at is stored in MUA Thunderbird (I confirmed the exception). Maybe one of you can find a mistake.

hostname -f: ispconfig: autoconfig/ispconfig: master.cf main.cf https-certificate of tesoro.xxx.at, shown when I use ispconfig:

Answer of "wget http://autoconfig.XXXXxxx.at/[email protected] -O test"

Code:
<?xml version="1.0" encoding="UTF-8"?>
<clientConfig version="1.1">
  <emailProvider id="tesoro.XXX.at">
    <domain>XXXXxxx.at</domain>
    <displayName>XXXXxxx - SMTP-Server</displayName>
    <displayShortName>tesoro.XXX.at</displayShortName>
    <incomingServer type="imap">
      <hostname>tesoro.XXXXxxx.at</hostname>
      <port>143</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </incomingServer>
    <incomingServer type="pop3">
      <hostname>tesoro.XXXXxxx.at</hostname>
      <port>110</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>tesoro.XXXXxxx.at</hostname>
      <port>587</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </outgoingServer>
  </emailProvider>
</clientConfig>

Settings of MUA:

Certificate stored in MUA:

Any ideas where I have to adjust? Thank you!
First, we do not support that plugin and you should have made a new thread as this is probably not related to the thread you posted to.

Check which SSL cert /etc/postfix/smtpd.cert contains. As this /etc/postfix/smtpd.cert should be a symlink, you can first check to which file it points:

ls -la /etc/postfix/smtpd.cert

and if it points to another symlink, then check this as well until you get the 'final' file.
ok

At first it looked like it, but only when I looked into the subject more deeply did I notice the differences. Sorry for that. But the problem (wrong certificate) is the same.

/etc/postfix/smtpd.cert links to /usr/local/ispconfig/interface/ssl/ispserver.crt

Code:
> openssl x509 -noout -text -in /etc/postfix/smtpd.cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:8f:a9:52:9c:c8:e2:29:00:ad:ca:30:74:20:c5:13:95:a1
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Mar 18 01:01:09 2022 GMT
            Not After : Jun 16 01:01:08 2022 GMT
        Subject: CN = tesoro.xxx.at
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:c3:fb:51:53:e4:01:d3:07:37:e5:7f:b5:9e:1a:
                    19:15:45:c6:64:a2:cf:b5:13:9f:e9:83:6f:10:34:
                    ---snip---
                    cb:92:b8:99:a8:11:c3:25:2b:6e:04:40:a4:26:1b:
                    76:e3:a2:26:70:14:42:d7:3b:2a:68:29:e2:05:55:
                    54:8e:13:02:57:0c:95:c0:fb:7d:9c:41:c5:6c:e5:
                    24:d7:91
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                04:D0:D0:81:E6:1A:8E:B6:AF:F7:93:A1:8C:B5:D2:DF:51:3B:11:05
            X509v3 Authority Key Identifier:
                keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/
            X509v3 Subject Alternative Name:
                DNS:tesoro.xxx.at

It seems that the path of /etc/postfix/smtpd.cert points to the right cert.
I'll move it to a separate thread. If the file is correct, ensure your clients use 'tesoro.xxx.at' as their servername, and that /etc/postfix/smtpd.key is also correct (likely a symlink to /usr/local/ispconfig/interface/ssl/ispserver.key in your case). Maybe confirm "postconf | grep -E '^smtpd_tls_(cert|key)_file'" shows those files in use, and restart postfix.
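
The checks suggested in this thread (follow the symlink chain to the final file, confirm the certificate is valid for the server name the clients use, confirm the key belongs to that certificate) can be run in one pass. The script below is an added example, not part of any post and not ISPConfig code; the function names are made up for illustration, and it assumes `openssl` and `readlink` are installed.

```sh
#!/bin/sh
# Added example (not from the thread): audit the cert/key a mail daemon points at.
# Usage: sh check_mail_cert.sh CERT KEY HOSTNAME

# Print every hop of a symlink chain; the last line is the final file.
resolve_chain() {
    p=$1
    hops=0
    while [ -L "$p" ]; do
        echo "$p"
        t=$(readlink "$p")
        case $t in
            /*) p=$t ;;
            *)  p=$(dirname "$p")/$t ;;  # relative target: resolve from the link's directory
        esac
        hops=$((hops + 1))
        [ "$hops" -le 20 ] || { echo "symlink loop at $p" >&2; return 1; }
    done
    [ -e "$p" ] || { echo "dangling link: $p" >&2; return 1; }
    echo "$p"
}

# True when the certificate is valid for the host name the clients will use.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# True when the private key belongs to the certificate (identical public key).
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

audit() {  # audit CERT KEY HOSTNAME
    chain=$(resolve_chain "$1") || return 1
    echo "$chain"
    openssl x509 -in "$1" -noout -subject -enddate || return 1
    cert_matches_host "$1" "$3" || { echo "FAIL: certificate is not valid for $3"; return 1; }
    key_matches_cert "$1" "$2" || { echo "FAIL: key does not belong to certificate"; return 1; }
    echo "OK: certificate and key are consistent for $3"
}

if [ "$#" -eq 3 ]; then audit "$@"; fi
```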