Server conf: Ubuntu 14.04 server, ISPConfig 3.04, postfix, Apache/2.4.7 (Ubuntu)

Server task: I would like to make a secure connection via e-mail (SSL, TLS) and FTP for all my clients.

Description of the work and problems: I installed (copied from the old server) a RapidSSL certificate, which works fine on websites. I also configured the certificates in main.cf for postfix.

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/smtpd.cert (symlink to ispserver.crt)
smtpd_tls_key_file = /etc/postfix/smtpd.key (symlink to ispserver.key)
smtpd_tls_CAfile = /usr/local/ispconfig/interface/ssl/IntermediateCA.crt (RapidSSL CA bundle)

Works fine, with one big problem.

OS Win X: At every new start of Outlook, users have to confirm every time that the certificate is trusted (Outlook reports that the certificate is untrusted: »The server that you are connected to uses a security certificate which cannot be verified. The main destination name is incorrect.«). This happens only with the SSL port enabled; TLS works fine (why does TLS work and SSL for pop3 not?).

OS Android: works, but I have to choose SSL (Accept all certificates). If I choose only SSL, it doesn't work.

iOS: works, but during the installation of the email account I got the message several times that the certificate is not verified ... I confirmed several times (2 or 3 times) and now it appears to work on the iPad.

Gmail: when I tried to import the pop3 email account into a Gmail account, Gmail returned this error:
Secure SSL connection to the host mail.8000plus.si could not be established [Help]
The server returned an error: "SSL Error: Unable to verify the first certificate"

Then on Free SSL Server Test I received the following final grades (domain.si, grade):
(Domain:443, C+)
(Domain:8080, B)
(Domain:587, 993, 995 (TLS, SSL), F)

Question: Which command should I enter for SSLCipherSuite, and in particular in which file, because I use ISPConfig? What else should I do to correct these certificates?

I looked over the forums and googled it, but I couldn't find the right answer. Any help will be appreciated. Thank you, and please understand that I am a newcomer to Linux.
Tomislav Aurednik
I tend to think there's something wrong with the certs. Get Thunderbird and check the cert info when it complains. Also you could use letsencrypt certs. That's what I do nowadays.
Do you only have a problem with POP3? You mentioned configuring your web server and postfix, but you also need to configure your pop/imap server (probably dovecot, possibly courier) if you have not. If doing that doesn't resolve everything, can you list the actual hostname you're connecting to? It's sometimes easier to just look at the live server and see what's going on.
Hi, I did configure dovecot.

Server install hostname: mail.8000plus.si (ISPConfig -> server services). I changed this name to 8000plus.si because I have a certificate issued to this domain (www.8000plus.si / 8000plus.si). In main.cf myhostname is still mail.8000plus.si; if I change the server name within ISPConfig -> server conf to 8000plus.si, my emails don't work anymore.

I'm pretty sure this has nothing to do with the certificates, but I do not know what else to do.
It looks like you don't have any intermediate certificates sent in pop3/imap. E.g. you can see here that your web server sends both the server certificate (CN=8000plus.si) and an intermediate certificate (CN=RapidSSL SHA256 CA):

Code:
$ openssl s_client -host 8000plus.si -port 443 -showcerts -CApath /etc/ssl/certs/
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA
verify return:1
depth=0 CN = 8000plus.si
verify return:1
---
Certificate chain
 0 s:/CN=8000plus.si
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
-----BEGIN CERTIFICATE-----
MIIFajCCBFKgAwIBAgIQB4CS+dI9jRQMKLNGyQ6pzDANBgkqhkiG9w0BAQsFADBC
<snip>
fsBvPWiYbmDiuSLQnrRwMwqBKo4oze5/w7CrmUEeQboIdfgGTbu5F5syNS9Zjg==
-----END CERTIFICATE-----
 1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIIETTCCAzWgAwIBAgIDAjpxMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT
<snip>
Px8G8k/Ll6BKWcZ40egDuYVtLLrhX7atKz4lecWLVtXjCYDqwSfC2Q7sRwrp0Mr8
2A==
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=8000plus.si
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
---
No client certificate CA names sent
---
SSL handshake has read 3189 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: C2C4796E1FF5F749664DAE8A96BFC9D3FADD1912679E12420489F380C9C9045A
    Session-ID-ctx:
    Master-Key: 5C29D658DA12DA1B62FDE37AEBCA1838286B7BC2258449E05382790032111811D4EFE661E7129621889D24BF7C6DA5EE
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 9b 88 b2 f1 a4 35 b1 63-0d e7 0f 43 34 da a3 72   .....5.c...C4..r
    0010 - 61 3f 4b 7f 11 86 cf 28-0b 14 2c 19 54 22 bc 39   a?K....(..,.T".9
    0020 - a5 87 aa 03 05 54 27 f3-68 5c fa 10 b5 e3 96 08   .....T'.h\......
    0030 - f7 3c b8 d5 75 4d ee 9f-3a 0f fa 31 66 2f b2 5d   .<..uM..:..1f/.]
    0040 - e4 73 b2 1c 41 01 6d f1-e8 6f 5c e8 db 28 a8 6f   .s..A.m..o\..(.o
    0050 - e7 0e d9 31 50 47 72 61-06 e8 3e 7c 70 7c 96 cd   ...1PGra..>|p|..
    0060 - 5a e6 74 07 bb 3c 19 c8-96 06 2e 9c 61 63 73 ab   Z.t..<......acs.
    0070 - 68 ff d7 62 10 73 b6 a9-62 ad 83 60 91 b6 eb be   h..b.s..b..`....
    0080 - 20 3b 21 e5 1c 67 61 e6-4a 65 f8 9b c2 79 4a 92    ;!..ga.Je...yJ.
    0090 - 1f 21 c8 f6 28 ba b5 ab-d1 97 23 8e f8 c6 d0 d5   .!..(.....#.....
    00a0 - 7b 5b 89 d7 3d 95 49 96-64 65 cb 94 7d fc aa b3   {[..=.I.de..}...
    00b0 - c5 b0 71 38 ed 14 c8 cd-f2 03 df fe c1 16 e8 3f   ..q8...........?

    Start Time: 1463419410
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
^C

But here you see that your pop3 server only sends the server certificate, with no intermediate:

Code:
$ openssl s_client -host 8000plus.si -port 110 -starttls pop3 -CApath /etc/ssl/certs/
CONNECTED(00000003)
depth=0 CN = 8000plus.si
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = 8000plus.si
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = 8000plus.si
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=8000plus.si
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFajCCBFKgAwIBAgIQB4CS+dI9jRQMKLNGyQ6pzDANBgkqhkiG9w0BAQsFADBC
<snip>
fsBvPWiYbmDiuSLQnrRwMwqBKo4oze5/w7CrmUEeQboIdfgGTbu5F5syNS9Zjg==
-----END CERTIFICATE-----
subject=/CN=8000plus.si
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
---
No client certificate CA names sent
---
SSL handshake has read 2142 bytes and written 459 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 5837A567C2A3800D78F16A192DE427BB18F8891C2C0892BEF1930EF981EEE54B
    Session-ID-ctx:
    Master-Key: FC41E2D5C6B116AE68613411B666BA58E85AE9B2637EA8E12124CDB848E8E1F85C47663BBACF918D47B4F0B8B635B76A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 37 1e aa 6e d7 68 fe c9-ee 0b ce 15 4e 61 84 c6   7..n.h......Na..
    0010 - 43 97 84 c0 2f 00 a3 c3-70 5d 7b 14 0c 1a eb 76   C.../...p]{....v
    0020 - ef 5e b8 73 bb 80 e4 6a-80 53 5b 11 23 db 46 13   .^.s...j.S[.#.F.
    0030 - 70 65 1a 48 0b be 5b 1a-59 00 0c c1 17 ba 5f b0   pe.H..[.Y....._.
    0040 - f0 e5 b9 45 8c 7e fc d4-1b e3 2b 45 d6 02 c2 41   ...E.~....+E...A
    0050 - 95 3f fa f9 0d 07 24 02-2f 6c 82 a4 b4 3a 7c 4c   .?....$./l...:|L
    0060 - ef 36 bb c5 d3 d1 1e 04-54 8d e0 d4 b9 60 02 7d   .6......T....`.}
    0070 - 07 3b 20 d7 d5 29 79 38-c7 9a 99 06 94 ae 8b ab   .; ..)y8........
    0080 - 60 5d 9e 75 4d 04 20 23-3b 05 49 a7 1f 09 58 21   `].uM. #;.I...X!
    0090 - e8 75 68 e7 50 d3 f0 5a-44 42 42 19 a4 b4 ad 60   .uh.P..ZDBB....`

    Start Time: 1463419542
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
+OK Dovecot (Ubuntu) ready.
^C

For dovecot you can create a single .pem file that contains your private key, server certificate, and intermediate certificates, and point both ssl_cert and ssl_key to that file.
It looks like postfix has the same problem:

Code:
$ openssl s_client -host 8000plus.si -port 25 -starttls smtp -CApath /etc/ssl/certs/
CONNECTED(00000003)
depth=0 CN = 8000plus.si
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = 8000plus.si
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = 8000plus.si
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=8000plus.si
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFajCCBFKgAwIBAgIQB4CS+dI9jRQMKLNGyQ6pzDANBgkqhkiG9w0BAQsFADBC
<snip>
fsBvPWiYbmDiuSLQnrRwMwqBKo4oze5/w7CrmUEeQboIdfgGTbu5F5syNS9Zjg==
-----END CERTIFICATE-----
subject=/CN=8000plus.si
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
---
No client certificate CA names sent
---
SSL handshake has read 2160 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 1DCC2330EA79595A72F1735FA7B533233D8F568C6C0A7C6D98AF93684A69688E
    Session-ID-ctx:
    Master-Key: CD18A424E36687F1D655BD3146419CA22840E50EFBCA5E69105104F301A66CF59C160BC91062BA3184824B91EB5F6523
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1463419759
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
250 DSN
^C

You can use that same combined .pem file for postfix, just set both smtpd_tls_cert_file and smtpd_tls_key_file to the file location.
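A small checker for the kind of openssl s_client output quoted in the two posts above, added here as an example and not code from this thread: it parses the "Certificate chain" section, reports which issuer the client had to resolve from its own trust store (with verify code 20/21 that is exactly the intermediate the server failed to send), and maps each mail port to the right s_client invocation (STARTTLS versus SSL-wrapped). The hostname mail.example.test and the two excerpts are constructed.

```python
import re

# Constructed excerpts modelled on the s_client output in this thread (not the
# thread's own output): a web server sending leaf + intermediate, and a POP3
# server sending only the leaf. mail.example.test is a placeholder hostname.
WEB_443 = """\
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA
verify return:1
---
Certificate chain
 0 s:/CN=mail.example.test
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
 1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
    Verify return code: 0 (ok)
"""
POP3_110 = """\
depth=0 CN = mail.example.test
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:/CN=mail.example.test
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
---
    Verify return code: 21 (unable to verify the first certificate)
"""

CHAIN_RE = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)
VERIFY_RE = re.compile(r"Verify return code: (\d+)")

def parse_chain(output):
    """[(subject, issuer), ...] in the order the server presented them."""
    return [(m.group(2).strip(), m.group(3).strip()) for m in CHAIN_RE.finditer(output)]

def diagnose(output):
    """(status, issuer the client had to resolve). The last issuer in the sent
    chain must come from the client's trust store; if verification failed with
    20/21 it is an intermediate the server should be appending to its chain."""
    chain = parse_chain(output)
    if not chain:  # only CONNECTED(...): wrong -starttls mode or no TLS at all
        return ("no certificate chain in output", None)
    for n, ((_, issuer), (next_subject, _)) in enumerate(zip(chain, chain[1:])):
        if issuer != next_subject:  # sent certs do not link subject -> issuer
            return (f"certificate {n + 1} is not the issuer of certificate {n}", issuer)
    m = VERIFY_RE.search(output)
    code = int(m.group(1)) if m else None
    last_issuer = chain[-1][1]
    if code == 0:
        return ("ok", last_issuer)
    if code in (20, 21):
        return ("server must send the issuer certificate", last_issuer)
    return (f"verify failed with code {code}", last_issuer)

def s_client_args(host, port):
    """s_client arguments for the ports in this thread: 993/995/465 are
    SSL-wrapped (no -starttls); 25/587/110/143 upgrade with STARTTLS."""
    starttls = {25: "smtp", 587: "smtp", 110: "pop3", 143: "imap"}
    args = ["openssl", "s_client", "-connect", f"{host}:{port}",
            "-showcerts", "-CApath", "/etc/ssl/certs/"]
    if port in starttls:
        args += ["-starttls", starttls[port]]
    elif port not in (443, 465, 993, 995):
        raise ValueError(f"port {port}: give the STARTTLS protocol explicitly")
    return args

if __name__ == "__main__":
    for name, out in (("443", WEB_443), ("110", POP3_110)):
        print(name, diagnose(out))
```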
First of all, thank you very much for your help. Should I use .pem, or can I use .crt as I do now?

OK. I have now put the CA roots into PF and DC too: IntermediateCA.crt is my bundle CA cert. This works, but every time in Outlook I receive that the cert is untrusted and I have to confirm it. What am I missing? Or should I combine all three certificates into a .pem (how to change the txt file into .pem)?

dovecot:
ssl = yes
ssl_cert = </usr/local/ispconfig/interface/ssl/ispserver.crt
ssl_key = </usr/local/ispconfig/interface/ssl/ispserver.key
ssl_ca = </usr/local/ispconfig/interface/ssl/IntermediateCA.crt
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = AES128+EECDH:AES128+EDH
ssl_prefer_server_ciphers = yes # >Dovecot 2.2.6
ssl_dh_parameters_length = 4096 # >Dovecot 2.2
...

postfix:
smtpd_use_tls=yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
#smtpd_tls_cert_file = /etc/postfix/smtpd.cert
#smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_cert_file=/usr/local/ispconfig/interface/ssl/ispserver.crt
smtpd_tls_key_file=/usr/local/ispconfig/interface/ssl/ispserver.key
smtpd_tls_CAfile =/usr/local/ispconfig/interface/ssl/IntermediateCA.crt
#smtpd_tls_CAfile = /usr/local/ispconfig/interface/ssl/8000plus.si.bundle
#SSLCACertificateFile /usr/local/ispconfig/interface/ssl/8000plus.si.bundle
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = AES128+EECDH:AES128+EDH
...
Yes, just put your certificate, then the intermediate certificate(s), then the root certificate in a .pem file (as described under 'Chained SSL Certificates' at http://wiki.dovecot.org/SSL/DovecotConfiguration). You can convert .crt to .pem with openssl:

Code:
openssl x509 -in mycert.crt -out mycert.pem -outform PEM
Hi, it doesn't work:

warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:649:

I tried: I combined all three certificates into one and turned it into a .pem file. After using the command openssl x509 -in mycert.crt -out mycert.pem -outform PEM, only the CA certificate remained visible in the .txt file. (I copied key, CA and web (root) cert.) I tried some other combinations too: k + CA, w + CA, ... Neither worked. I used .crt and .pem format.

mail-server@mail:/etc/dovecot$ openssl s_client -host 8000plus.si -port 587 -starttls smtp -CApath /etc/ssl/certs/
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA
verify return:1
depth=0 CN = 8000plus.si
verify return:1
---
Certificate chain
 0 s:/CN=8000plus.si
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
 1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFajCCBFKgAwIBAgIQB4CS+dI9jRQMKLNGyQ6pzDANBgkqhkiG9w0BAQsFADBC
<snip>
fsBvPWiYbmDiuSLQnrRwMwqBKo4oze5/w7CrmUEeQboIdfgGTbu5F5syNS9Zjg==
-----END CERTIFICATE-----
subject=/CN=8000plus.si
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
---
No client certificate CA names sent
---
SSL handshake has read 3224 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: BA2DA56C63B15DC82B5396DF0ADFDE7FF1F2B185BC3FFA26EFB7127E85238411
    Session-ID-ctx:
    Master-Key: F18B52CF81219F4EE0275097829E32ED955296552AD4939CDD36511E76D873A119A4DB6AF47B1EDFFC418B8FF57F411B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1463443718
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 DSN
One more question: Could you please write me the correct order for the certificates? I have:
1. cert request file: ispserver.csr
2. server key (private domain cert) file: ispserver.key
3. server web (public domain cert) file: ispserver.crt
4. CA cert (intermediate, bundle cert from RapidSSL): IntermediateCA.crt

I don't know how to classify my certs (above) into the list below; my certs are in brackets.

Chained SSL certificates
Put all the certificates in the ssl_cert file. For example when using a certificate signed by TDC the correct order is:
Dovecot's public certificate (ispserver.key)
TDC SSL Server CA (ispserver.crt)
TDC Internet Root CA (IntermediateCA.crt)
Globalsign Partners CA (ispserver.csr)
The .csr is not included in your final .pem file. Convert .crt files to .pem format one at a time, then combine them at the end. The order you quoted there is correct, private key, then server cert, then intermediate CA cert(s), then root CA cert.
After I combined the certs: key + public + ca + cert_req.csr, I received this error:

error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:795:
I followed this: http://www.postfix.org/TLS_README.html#server_tls

After I combined the certs (all .pem): public + ca + rootCA, I don't understand why I get this:

No client certificate CA names sent (on all ports)

What else do I have to do so that the certificates start working??? Any help will be appreciated.

For 993 and 995 I get only this. There should be a certificate, too? (I have it in dovecot.conf)

root@mail:/var/log# openssl s_client -host 8000plus.si -port 993 -starttls pop3 -CApath /etc/ssl/certs/
CONNECTED(00000003)
^C
root@mail:/var/log# openssl s_client -host 8000plus.si -port 995 -starttls pop3 -CApath /etc/ssl/certs/
CONNECTED(00000003)

port 110

root@mail:/var/log# openssl s_client -host 8000plus.si -port 110 -starttls pop3 -CApath /etc/ssl/certs/
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA
verify return:1
depth=0 CN = 8000plus.si
verify return:1
---
Certificate chain
 0 s:/CN=8000plus.si
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
 1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3
   i:/C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFajCCBFKgAwIBAgIQB4CS+dI9jRQMKLNGyQ6pzDANBgkqhkiG9w0BAQsFADBC
...
fsBvPWiYbmDiuSLQnrRwMwqBKo4oze5/w7CrmUEeQboIdfgGTbu5F5syNS9Zjg==
-----END CERTIFICATE-----
subject=/CN=8000plus.si
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
---
No client certificate CA names sent
---
SSL handshake has read 4279 bytes and written 459 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 0A99B728163F426D98D54346019B99D6B601B4347AC25A248DC43DD41019569B
    Session-ID-ctx:
    Master-Key: 46461F9BE8719130DDA7FF732311CAA27B1DD6517F36785F190A2850405ECAE10B33DCF5AA1283DC46F3F373009775FD
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 27 94 5a bd 36 07 74 da-e5 20 37 f1 0b fc ab 1e   '.Z.6.t.. 7.....
    0010 - 10 5a 80 bd 5d 5d 8f 78-a3 4e 1e 86 e8 7d 0d ed   .Z..]].x.N...}..
    0020 - d9 03 df d1 2d f6 8e 1e-b4 78 12 70 32 88 b3 c2   ....-....x.p2...
    0030 - 21 8f 50 34 8e 90 0d 2e-d9 9e d0 95 a7 a8 27 8e   !.P4..........'.
    0040 - 1a ab 29 31 92 a7 9c 33-91 76 04 8d 50 64 4d 02   ..)1...3.v..PdM.
    0050 - 1c ed 13 ea eb c6 dd 88-a2 b7 a4 39 b3 d4 85 ab   ...........9....
    0060 - 4f e8 cc 36 c3 d4 a3 3c-76 8e 3c 1c ed 0d c6 45   O..6...<v.<....E
    0070 - 4a 3c 06 17 84 49 7f fe-b4 d5 4d 3f 80 27 fa 7a   J<...I....M?.'.z
    0080 - 6d 8c f4 d6 08 f1 c0 52-f7 47 c5 23 0c d8 29 1c   m......R.G.#..).
    0090 - a6 b0 1e 91 1c e7 ff 08-f4 04 c3 94 94 97 91 cd   ................

    Start Time: 1464356065
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
+OK Dovecot (Ubuntu) ready.

port 587

root@mail:/etc/postfix# openssl s_client -host 8000plus.si -port 587 -starttls smtp -CApath /etc/ssl/certs/
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA
verify return:1
depth=0 CN = 8000plus.si
verify return:1
---
Certificate chain
 0 s:/CN=8000plus.si
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
 1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3
   i:/C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFajCCBFKgAwIBAgIQB4CS+dI9jRQMKLNGyQ6pzDANBgkqhkiG9w0BAQsFADBC
...
fsBvPWiYbmDiuSLQnrRwMwqBKo4oze5/w7CrmUEeQboIdfgGTbu5F5syNS9Zjg==
-----END CERTIFICATE-----
subject=/CN=8000plus.si
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
---
No client certificate CA names sent
---
SSL handshake has read 4253 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 87D62C335C0BDD7A4D22675B382768D6D4DAF7DA37EA52CDFBFBDC03843AC767
    Session-ID-ctx:
    Master-Key: 1FCEFB0C7EBC859BF81BECC70DF4A81F417BC3BDDC2773060AF0FA6D5FAF1F0B68080E3D038C52FD050383F4171DF224
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1464351054
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 DSN
The two certificate chains you posted (ports 110 and 587) look correct at a glance over them; ports 993 and 995 are SSL-wrapped (i.e. your mail client connects and starts speaking SSL), they don't use a STARTTLS command, so for those try:

Code:
openssl s_client -host 8000plus.si -port 993 -CApath /etc/ssl/certs/

and

Code:
openssl s_client -host 8000plus.si -port 995 -CApath /etc/ssl/certs/