ispconfig3.1.7p1 - certificate verification failed for mail.hwg-media.de[ipadd]:25:

Dear Support, hello again
I have a client,
When send an EMAIL from [email protected] to [email protected]
My postfix log says ..
Oct 20 13:18:09 mail postfix/smtp[10977]: certificate verification failed for mail.hwg-media.de[87.138.236.33]:25: untrusted issuer /C=de/L=Neuwied/O=H.W.G Marteking & Werbung/CN=H.W.G Marteking & Werbung WebAdmin CA/emailAddress=[email protected]
Oct 20 13:18:11 mail postfix/smtp[10977]: 467574196: to=<[email protected]>, relay=mail.hwg-media.de[87.138.236.33]:25, delay=3.4, delays=0.1/0/1.7/1.6, dsn=5.0.0, status=bounced (host mail.hwg-media.de[87.138.236.33] said: 550 Administrative prohibition (in reply to end of DATA command))
Here the mail is undeliverd and says
host mail.hwg-media.de[87.138.236.33] said: 550
Administrative prohibition (in reply to end of DATA command)

And in other case, the mail is sent
Oct 20 15:22:56 mail postfix/smtp[32348]: certificate verification failed for mail.hwg-media.de[87.138.236.33]:25: untrusted issuer /C=de/L=Neuwied/O=H.W.G Marteking & Werbung/CN=H.W.G Marteking & Werbung WebAdmin CA/emailAddress=[email protected]
Oct 20 15:22:58 mail postfix/smtp[32348]: 593B6412A: to=<[email protected]>, relay=mail.hwg-media.de[87.138.236.33]:25, delay=3.7, delays=0.06/0/2.4/1.2, dsn=2.0.0, status=sent (250 OK id=1e5Z8T-0005b8-0j)
Note: In some cases the mail is Undelivered and in others is sent.
I'll appeciate your cooperation
Nestor Mazza

 

Thanks,
Nestor Mazza

 

Hello, again
I had red, https://www.howtoforge.com/communit...l-port-8080-with-lets-encrypt-free-ssl.75554/
I have to some differents situations, one of the is Postfix, at first is most important.
I used on of my testing SERVERS, sofiha-isp.com.ar (my Distro is CentOS 6.9 using ISPConfig 3.1.7p1 updated from ISPConfig 3.0.5 sp8
At first, I did
[Changing ISPConfig 3 Control Panel (Port 8080)], but not working
www.sofiha-isp.com.ar:8080 uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is not valid for the name www.sofiha-isp.com.ar. error Code: SEC_ERROR_UNKNOWN_ISSUER
At the end, I did
[Using The Same Let's Encrypt SSL Certs For Other Major Services]
a. For postfix: (my version in this server is 2.6.6)
b. For dovecot:
Here is my maillog, after send an E-Mail from [email protected] to my personal E-Mail [email protected]Oct 24 00:45:02 mail postfix/smtpd[8884]: warning: TLS library problem: 8884:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
Oct 24 00:45:02 mail postfix/smtpd[8884]: warning: TLS library problem: 8884:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:ssl_rsa.c:722:

Oct 24 00:45:02 mail postfix/smtpd[8884]: connect from localhost[::1]
Oct 24 00:45:02 mail postfix/smtpd[8884]: lost connection after CONNECT from localhost[::1]
Oct 24 00:45:02 mail postfix/smtpd[8884]: disconnect from localhost[::1]
Oct 24 00:45:29 mail postfix/smtpd[8884]: warning: 181.166.135.164: hostname 164-135-166-181.fibertel.com.ar verification failed: Name or service not known
Oct 24 00:45:29 mail postfix/smtpd[8884]: connect from unknown[181.166.135.164]
Oct 24 00:45:30 mail postfix/smtpd[8884]: NOQUEUE: filter: RCPT from unknown[181.166.135.164]: <[email protected]>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[192.168.1.8]>
Oct 24 00:45:30 mail postfix/smtpd[8884]: E83F242CE: client=unknown[181.166.135.164], sasl_method=PLAIN, sasl_username=[email protected]
Oct 24 00:45:31 mail postfix/smtpd[8884]: E83F242CE: filter: RCPT from unknown[181.166.135.164]: <[email protected]>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[192.168.1.8]>

Oct 24 00:45:31 mail postfix/cleanup[8902]: E83F242CE: message-id=<20171024.004535.065.27@[192.168.1.8]>
Oct 24 00:45:31 mail opendkim[842]: E83F242CE: DKIM-Signature field added (s=default, d=mail.sofiha-isp.com.ar)
Oct 24 00:45:31 mail opendmarc[880]: implicit authentication service: mail.sofiha-isp.com.ar
Oct 24 00:45:32 mail opendmarc[880]: E83F242CE: SPF(mailfrom): [email protected] fail
( my SPF record for this server is an TXT record with Value v=spf1 ip4:45.79.78.77 -all )
Oct 24 00:45:32 mail opendmarc[880]: E83F242CE: sofiha-isp.com.ar none

Oct 24 00:45:32 mail postfix/qmgr[1014]: E83F242CE: from=<[email protected]>, size=928, nrcpt=2 (queue active)
Oct 24 00:45:32 mail postfix/smtp[8904]: connect to 127.0.0.1[127.0.0.1]:10026: Connection refused
Oct 24 00:45:32 mail postfix/smtp[8904]: E83F242CE: to=<[email protected]>, relay=none, delay=1.6, delays=1.6/0.02/0/0, dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]:10026: Connection refused)
Oct 24 00:45:32 mail postfix/smtp[8904]: E83F242CE: to=<[email protected]>, relay=none, delay=1.6, delays=1.6/0.02/0/0, dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]:10026: Connection refused)
Oct 24 00:45:32 mail postfix/smtpd[8884]: disconnect from unknown[181.166.135.164]

Pelase, Please,
I need solve this because my primary server needs send E-Mails to @ferconsult.de not working until solve certificate is not trusted because it is self-signed
NOTE: I you wish, I will send my 'postconf -n' and my /etc/dovecot/dovecot.conf
I'll apprecite your cooperation
Thanks
Nestor Mazza

 

Thanks,
Nestor Mazza

I have solved, doing the following
[Using The Same Let's Encrypt SSL Certs For Other Major Services]
/etc/postfix/main.cf
###smtpd_tls_cert_file = /etc/postfix/smtpd.cert
###smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_cert_file = /etc/letsencrypt/live/sofiha-isp.com.ar/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/sofiha-isp.com.ar/privkey.pem

/etc/dovecot/dovecot.conf
###ssl_cert = </etc/postfix/smtpd.cert
###ssl_key = </etc/postfix/smtpd.key
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
###ssl = required
ssl_cert = </etc/letsencrypt/live/sofiha-isp.com.ar/fullchain.pem
ssl_key = </etc/letsencrypt/live/sofiha-isp.com.ar/privkey.pem
ssl_protocols = !SSLv2 !SSLv3

/etc/amavisd/amavisd.conf
###$inet_socket_port = 10024; # listen on this local TCP port(s)
$inet_socket_port = [10024,10026]; # listen on multiple TCP ports

service amavisd restart
service postfix restart
service dovecot restart

[Changing ISPConfig 3 Control Panel (Port 8080)]
/etc/httpd/conf/sites-enabled/000-ispconfig.vhost
###SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
###SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
SSLCertificateFile /etc/letsencrypt/live/sofiha-isp.com.ar/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sofiha-isp.com.ar/privkey.pem
service httpd restart

but I don't know if I'm in the write way ?
Please let me your opinion,
Thanks
Nestor Mazza

 

Ok, but when I use the symlinks
I receive in the maillog, the following ...
(I have test in other test server, CentOS 7 with
Oct 24 11:30:02 mail postfix/smtpd[19395]: warning: cannot get RSA certificate from file /etc/postfix/smtpd.cert: disabling TLS support
Oct 24 11:30:02 mail postfix/smtpd[19395]: warning: TLS library problem: 19395:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/postfix/smtpd.cert','r'):
Oct 24 11:30:02 mail postfix/smtpd[19395]: warning: TLS library problem: 19395:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
Oct 24 11:30:02 mail postfix/smtpd[19395]: warning: TLS library problem: 19395:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:ssl_rsa.c:701:
Oct 24 11:30:02 mail postfix/smtpd[19395]: connect from localhost[::1]
Oct 24 11:30:02 mail postfix/smtpd[19395]: warning: SASL: Connect to private/auth failed: Connection refused
Oct 24 11:30:02 mail postfix/smtpd[19395]: fatal: no SASL authentication mechanisms
Oct 24 11:30:03 mail postfix/master[19257]: warning: process /usr/libexec/postfix/smtpd pid 19395 exit status 1
Oct 24 11:30:03 mail postfix/master[19257]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling

Thanks
Nestor Mazza

 

cd /etc/postfix
ls -la smtpd.*
lrwxrwxrwx 1 root root 48 Oct 24 11:29 smtpd.cert -> /usr/local/ispconfig/interface/ssl/ispserver.crt
-rw-r--r-- 1 root root 2293 Oct 21 19:41 smtpd.cert-171024112848.bak
lrwxrwxrwx 1 root root 48 Oct 24 11:29 smtpd.key -> /usr/local/ispconfig/interface/ssl/ispserver.key
-rw-r----- 1 root root 3272 Oct 21 19:41 smtpd.key-171024112900.bak
cd /usr/local/ispconfig/interface/ssl/
ls -la
total 32
drwxr-x--- 2 root root 4096 Oct 24 11:27 .
drwxr-x--- 9 ispconfig ispconfig 4096 Oct 21 19:43 ..
-rwxr-x--- 1 root root 45 Oct 21 19:43 empty.dir
lrwxrwxrwx 1 root root 60 Oct 24 11:27 ispserver.crt -> /etc/letsencrypt/live/mail.genericodigital.com/fullchain.pem
-rwxr-x--- 1 root root 2293 Oct 21 19:43 ispserver.crt-171024112645.bak
-rwxr-x--- 1 root root 1838 Oct 21 19:43 ispserver.csr
lrwxrwxrwx 1 root root 58 Oct 24 11:27 ispserver.key -> /etc/letsencrypt/live/mail.genericodigital.com/privkey.pem
-rwxr-x--- 1 root root 3243 Oct 21 19:43 ispserver.key-171024112701.bak
-rwxr-x--- 1 root root 3311 Oct 21 19:41 ispserver.key.secure
-rw------- 1 root root 0 Oct 24 11:27 ispserver.pem
I don't have an idea to solve it, I can't see where is wrong, but with symlink, not work for me.
Thanks
Nestor Mazza

 

is Ok, now i modified another SERVER because sofiha-isp.com.ar is working and genericodigital.com not yet
I want solve it over genericodigital.com and then updated sofiha-isp.com.ar
Thanks

 

cat /etc/postfix/smtpd.cert
-----BEGIN CERTIFICATE-----
MIIGbzCCBFegAwIBAgIJAIM/ivsd64S+MA0GCSqGSIb3DQEBCwUAMIHNMQswCQYD
VQQGEwJBUjEVMBMGA1UECAwMQnVlbm9zIEFpcmVzMRgwFgYDVQQHDA9DYXBpdGFs
IEZlZGVyYWwxGDAWBgNVBAoMD1NvZmloYSBJbnRlcm5ldDEpMCcGA1UECwwgU29m
aWhhIEludGVybmV0IC0gQ2xvdWQgU2VydmljZXMxITAfBgNVBAMMGG1haWwuZ2Vu
ZXJpY29kaWdpdGFsLmNvbTElMCMGCSqGSIb3DQEJARYWZG9taW5pb3NAc29maWhh
LmNvbS5hcjAeFw0xNzEwMjExOTQxMTBaFw0yNzEwMTkxOTQxMTBaMIHNMQswCQYD
VQQGEwJBUjEVMBMGA1UECAwMQnVlbm9zIEFpcmVzMRgwFgYDVQQHDA9DYXBpdGFs
IEZlZGVyYWwxGDAWBgNVBAoMD1NvZmloYSBJbnRlcm5ldDEpMCcGA1UECwwgU29m
aWhhIEludGVybmV0IC0gQ2xvdWQgU2VydmljZXMxITAfBgNVBAMMGG1haWwuZ2Vu
ZXJpY29kaWdpdGFsLmNvbTElMCMGCSqGSIb3DQEJARYWZG9taW5pb3NAc29maWhh
LmNvbS5hcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANTKEHRDPRDy
jBaJ28f+LLkBfgFe6hmedsVIRkMt6RgeO5odkO4KUfkFH4+Gzf5zEBTh1FzXSPID
pmZfQEAfIo2tZObr6oq9PPQ9f1Eng0V4Os6bWj0d+hlZwGZorCaFNrQ8rB//lFZa
DGa36w5H/EtADeiy105jUAb6zoRG81fiHCpP8m9Q2/hZXSyw3/SXTEe9EHXfept0
/Yr2BHJHKAi2cQSUx+MSFheo9frr75yXAWdKOWjXaPhRWlUr8HfAjjVMGXcNedkA
fRwxQ+phMzbPKUEKUiZl8SmMrrZ4BhNMzfmyUfvjwlL6hBbN4Yq0egxu2MUQ0xrN
XgSnIVpDdwkXi/B9e+Ek0IpUVHrVeh/BuUp1IUiwnRz1vifzYxxh+uscsvLuePyr
+x+OTnnaPJgjRv9b03QdrPM71p50eE2kEfrBy+rqI3OMNoSfN6koRcGqgNaJti6B
d/eEUPY57v57TF8bdNxWxdkerSwjA9kFuoEssy5oQW2d+Ns9RsJzb/CrGAEQewMK
1t9vTJurNfRS8ioipCPQL6s5Te1LLwN9jqfpplgWnCzEqXCaP1WpAp6ahE/vvyHu
GjLZA++61Ly1k4NNr3sJLrhSQiCUllkEigjGVQmKgIU8b3IjHIrT9SrCcLicNkEk
zBgUU1jNt+4eTxuDMkYC4lZ2ANgNezyrAgMBAAGjUDBOMB0GA1UdDgQWBBSy3B5F
hXfNWg4gAZ/LYAx2Oy98+DAfBgNVHSMEGDAWgBSy3B5FhXfNWg4gAZ/LYAx2Oy98
+DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQCYTUCANr7PQtXp/lrb
qoFF5VIzzc1LVHEnZRRRJ7gPwGMKt+oPzBGqKTzfKznJvSwHVPrv76q9pCyU2vuF
3VTvO4aYgC0BEaRdwcuFemflWTfnX7WF7U/fbszxO1T6kpUOr0DpIoeN7ZpAHQgP
K5+dmuiaJRc6LOBjdsp0TYkgWNtbGFF8EG+zcQpVFVcb9ulHPeU1aOaqqAOfKVMd
MF8+VIJDcf0bIGhNuD6NKdourkfP9ndxg9s6VdZhTt4yuNWeocdiSrjsnDZUVail
bE+ZRs0d0dtL+cSqe4J0CDvon65yT+v7qSUjzBeCBRCv1661vtVuDKaZCfDelIUi
gptzjNIC3d807ahS7RQwlkj/bK0E9122lE0e+KYoLQefhBMSAdJamqywFxffFl9F
HIY16kQJzSmfL9a1jUm3PL0hIULKOPa4jAxJxxm+DnxQsXiJYdnZ189g82NHxZzG
yBtQOEz/54eCrrvUHYYvxphTXSBomI5he43l7anE1NR1ICVu2EceDy6JdMe7g4vs
VuRJkoXPf9l+0iTDqMjA/XemcLw49Jv1AbJ4psJMTRFuNjU6hyhblroWqYdquxzi
UN+/bjCGzNp0+SM3a9B78ikfs+nWRr96XAW9TVQu9/bIHGDQZBHoXNH1DkooCq+d
/qtsVEyiOIoLLVS04HxGz7e5hQ==
-----END CERTIFICATE-----