Ubuntu mail SSL certificate problem

Discussion in 'Installation/Configuration' started by Tomislav Aurednik, May 9, 2016.

  1. Tomislav Aurednik

    Tomislav Aurednik Member HowtoForge Supporter

    Server config: Ubuntu 14.04 server, ISPConfig 3.04, Postfix, Apache/2.4.7 (Ubuntu) Server

    Task: I would like to offer secure connections for e-mail (SSL, TLS) and FTP to all my clients.

    Description of the work and problems:

    I installed (copied from old server) RapidSSL certificate, which works fine on websites.

    I also configured the certificates in main.cf for Postfix.

    # TLS parameters
    # smtpd.cert is a symlink to ispserver.crt
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    # smtpd.key is a symlink to ispserver.key
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    # RapidSSL intermediate CA bundle
    smtpd_tls_CAfile = /usr/local/ispconfig/interface/ssl/IntermediateCA.crt

    It works, but with one big problem.

    OS Win X: at every start of Outlook, users have to confirm that the certificate is trusted (Outlook reports that the certificate is untrusted: »The server you are connected to uses a security certificate which cannot be verified. The main destination name is incorrect?«) (only when the SSL port is enabled); TLS works fine (why does TLS work while SSL for POP3 doesn't?).

    OS Android: works, but I have to choose "SSL (accept all certificates)". If I choose only SSL, it doesn't work.


    iOS: works, but during the setup of the email account I was told several times that the certificate is not verified … I confirmed it several times (2 or 3 times) and now it appears to work on the iPad.


    Gmail: when I tried to import the POP3 email account into my Gmail account, Gmail returned these errors:

    Secure SSL connection to the host mail.8000plus.si could not be established [Help]

    The server returned an error: "SSL Error: Unable to verify the first certificate"


    Then on the Free SSL Server Test I received the following final grades (domain, grade):
    (Domain:443, C+)
    (Domain:8080, B)
    (Domain:587, 993, 995 (TLS, SSL), F)

    Questions:

    Which command should I enter for SSLCipherSuite, and in particular in which file, since I use ISPConfig?

    What else should I do to correct these certificates? I looked over the forums and googled it, but I couldn't find the right answer.


    Any help will be appreciated.


    Thank you and please understand that I am a newcomer to Linux

    Tomislav Aurednik
     
  2. sjau

    sjau Local Meanie Moderator

    I tend to think there's something wrong with the certs. Get Thunderbird and check the cert info when it complains. Also you could use letsencrypt certs. That's what I do nowadays.
     
  3. Tomislav Aurednik

    Tomislav Aurednik Member HowtoForge Supporter

    I also have some problem with TLS. Why is my cert untrusted?
     
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Do you only have a problem with POP3? You mentioned configuring your web server and postfix, but you also need to configure your pop/imap server (probably dovecot, possibly courier) if you have not.

    If doing that doesn't resolve everything, can you list the actual hostname you're connecting to? It's sometimes easier to just look at the live server and see what's going on.
     
  5. Tomislav Aurednik

    Tomislav Aurednik Member HowtoForge Supporter

    Hi,
    I did configure dovecot.
    Server install hostname: mail.8000plus.si (ISPConfig -> Server Services)
    I changed this name to 8000plus.si because I have a certificate issued to this domain (www.8000plus.si / 8000plus.si).
    In main.cf myhostname is still mail.8000plus.si. If I change the server name within ISPConfig -> Server Config to 8000plus.si, my emails don't work anymore. I'm pretty sure this has nothing to do with the certificates, but I do not know what else to do.
     
  6. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    It looks like you don't have any intermediate certificates sent in pop3/imap. E.g. you can see here that your web server sends both the server certificate (CN=8000plus.si) and an intermediate certificate (CN=RapidSSL SHA256 CA):

    Code:
    $ openssl s_client -host 8000plus.si -port 443 -showcerts -CApath /etc/ssl/certs/
    CONNECTED(00000003)
    depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
    verify return:1
    depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA
    verify return:1
    depth=0 CN = 8000plus.si
    verify return:1
    ---
    Certificate chain
    0 s:/CN=8000plus.si
       i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
    -----BEGIN CERTIFICATE-----
    MIIFajCCBFKgAwIBAgIQB4CS+dI9jRQMKLNGyQ6pzDANBgkqhkiG9w0BAQsFADBC
    <snip>
    fsBvPWiYbmDiuSLQnrRwMwqBKo4oze5/w7CrmUEeQboIdfgGTbu5F5syNS9Zjg==
    -----END CERTIFICATE-----
    1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
       i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    -----BEGIN CERTIFICATE-----
    MIIETTCCAzWgAwIBAgIDAjpxMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT
    <snip>
    Px8G8k/Ll6BKWcZ40egDuYVtLLrhX7atKz4lecWLVtXjCYDqwSfC2Q7sRwrp0Mr8
    2A==
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=/CN=8000plus.si
    issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 3189 bytes and written 421 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: C2C4796E1FF5F749664DAE8A96BFC9D3FADD1912679E12420489F380C9C9045A
        Session-ID-ctx:
        Master-Key: 5C29D658DA12DA1B62FDE37AEBCA1838286B7BC2258449E05382790032111811D4EFE661E7129621889D24BF7C6DA5EE
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 300 (seconds)
        TLS session ticket:
        0000 - 9b 88 b2 f1 a4 35 b1 63-0d e7 0f 43 34 da a3 72   .....5.c...C4..r
        0010 - 61 3f 4b 7f 11 86 cf 28-0b 14 2c 19 54 22 bc 39   a?K....(..,.T".9
        0020 - a5 87 aa 03 05 54 27 f3-68 5c fa 10 b5 e3 96 08   .....T'.h\......
        0030 - f7 3c b8 d5 75 4d ee 9f-3a 0f fa 31 66 2f b2 5d   .<..uM..:..1f/.]
        0040 - e4 73 b2 1c 41 01 6d f1-e8 6f 5c e8 db 28 a8 6f   .s..A.m..o\..(.o
        0050 - e7 0e d9 31 50 47 72 61-06 e8 3e 7c 70 7c 96 cd   ...1PGra..>|p|..
        0060 - 5a e6 74 07 bb 3c 19 c8-96 06 2e 9c 61 63 73 ab   Z.t..<......acs.
        0070 - 68 ff d7 62 10 73 b6 a9-62 ad 83 60 91 b6 eb be   h..b.s..b..`....
        0080 - 20 3b 21 e5 1c 67 61 e6-4a 65 f8 9b c2 79 4a 92    ;!..ga.Je...yJ.
        0090 - 1f 21 c8 f6 28 ba b5 ab-d1 97 23 8e f8 c6 d0 d5   .!..(.....#.....
        00a0 - 7b 5b 89 d7 3d 95 49 96-64 65 cb 94 7d fc aa b3   {[..=.I.de..}...
        00b0 - c5 b0 71 38 ed 14 c8 cd-f2 03 df fe c1 16 e8 3f   ..q8...........?
    
        Start Time: 1463419410
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    ^C
    
    But here you see that your pop3 server only sends the server certificate, with no intermediate:

    Code:
    $ openssl s_client -host 8000plus.si -port 110 -starttls pop3 -CApath /etc/ssl/certs/
    CONNECTED(00000003)
    depth=0 CN = 8000plus.si
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 CN = 8000plus.si
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 CN = 8000plus.si
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
    0 s:/CN=8000plus.si
       i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIFajCCBFKgAwIBAgIQB4CS+dI9jRQMKLNGyQ6pzDANBgkqhkiG9w0BAQsFADBC
    <snip>
    fsBvPWiYbmDiuSLQnrRwMwqBKo4oze5/w7CrmUEeQboIdfgGTbu5F5syNS9Zjg==
    -----END CERTIFICATE-----
    subject=/CN=8000plus.si
    issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 2142 bytes and written 459 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256
        Session-ID: 5837A567C2A3800D78F16A192DE427BB18F8891C2C0892BEF1930EF981EEE54B
        Session-ID-ctx:
        Master-Key: FC41E2D5C6B116AE68613411B666BA58E85AE9B2637EA8E12124CDB848E8E1F85C47663BBACF918D47B4F0B8B635B76A
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 300 (seconds)
        TLS session ticket:
        0000 - 37 1e aa 6e d7 68 fe c9-ee 0b ce 15 4e 61 84 c6   7..n.h......Na..
        0010 - 43 97 84 c0 2f 00 a3 c3-70 5d 7b 14 0c 1a eb 76   C.../...p]{....v
        0020 - ef 5e b8 73 bb 80 e4 6a-80 53 5b 11 23 db 46 13   .^.s...j.S[.#.F.
        0030 - 70 65 1a 48 0b be 5b 1a-59 00 0c c1 17 ba 5f b0   pe.H..[.Y....._.
        0040 - f0 e5 b9 45 8c 7e fc d4-1b e3 2b 45 d6 02 c2 41   ...E.~....+E...A
        0050 - 95 3f fa f9 0d 07 24 02-2f 6c 82 a4 b4 3a 7c 4c   .?....$./l...:|L
        0060 - ef 36 bb c5 d3 d1 1e 04-54 8d e0 d4 b9 60 02 7d   .6......T....`.}
        0070 - 07 3b 20 d7 d5 29 79 38-c7 9a 99 06 94 ae 8b ab   .; ..)y8........
        0080 - 60 5d 9e 75 4d 04 20 23-3b 05 49 a7 1f 09 58 21   `].uM. #;.I...X!
        0090 - e8 75 68 e7 50 d3 f0 5a-44 42 42 19 a4 b4 ad 60   .uh.P..ZDBB....`
    
        Start Time: 1463419542
        Timeout   : 300 (sec)
        Verify return code: 21 (unable to verify the first certificate)
    ---
    +OK Dovecot (Ubuntu) ready.
    ^C
    
    For dovecot you can create a single .pem file that contains your private key, server certificate, and intermediate certificates, and point both ssl_cert and ssl_key to that file.

    It looks like postfix has the same problem:

    Code:
    $ openssl s_client -host 8000plus.si -port 25 -starttls smtp -CApath /etc/ssl/certs/
    CONNECTED(00000003)
    depth=0 CN = 8000plus.si
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 CN = 8000plus.si
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 CN = 8000plus.si
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
    0 s:/CN=8000plus.si
       i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIFajCCBFKgAwIBAgIQB4CS+dI9jRQMKLNGyQ6pzDANBgkqhkiG9w0BAQsFADBC
    <snip>
    fsBvPWiYbmDiuSLQnrRwMwqBKo4oze5/w7CrmUEeQboIdfgGTbu5F5syNS9Zjg==
    -----END CERTIFICATE-----
    subject=/CN=8000plus.si
    issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 2160 bytes and written 456 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: 1DCC2330EA79595A72F1735FA7B533233D8F568C6C0A7C6D98AF93684A69688E
        Session-ID-ctx:
        Master-Key: CD18A424E36687F1D655BD3146419CA22840E50EFBCA5E69105104F301A66CF59C160BC91062BA3184824B91EB5F6523
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1463419759
        Timeout   : 300 (sec)
        Verify return code: 21 (unable to verify the first certificate)
    ---
    250 DSN
    ^C
    
    You can use that same combined .pem file for postfix, just set both smtpd_tls_cert_file and smtpd_tls_key_file to the file location.
     
    Tomislav Aurednik likes this.
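The two openssl runs above differ in exactly the way that matters: the port 443 run lists two certificates under "Certificate chain" and ends with "Verify return code: 0 (ok)", while the port 110 run lists only the leaf and ends with code 21. As an added example (not code from this thread or from ISPConfig), here is a small Python parser for that verbose s_client output that pulls out the chain entries and the verify errors and reports whether the server forgot to send its intermediate. The two sample outputs inside it are constructed excerpts modelled on the runs above (the names 8000plus.si, RapidSSL SHA256 CA and GeoTrust Global CA come from those runs), and the function and class names are my own.

```python
"""Judge an `openssl s_client` run: did the server send its intermediate CA?

Added example, not code from the thread.  The two sample outputs are
constructed excerpts modelled on the port 443 and port 110 runs posted
above; only the lines this parser looks at are kept.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: server sends leaf + intermediate, verification passes.
SAMPLE_COMPLETE = """\
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA
verify return:1
depth=0 CN = 8000plus.si
verify return:1
---
Certificate chain
 0 s:/CN=8000plus.si
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
 1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
    Verify return code: 0 (ok)
"""

# Constructed sample: only the leaf is sent, so the client cannot build a path.
SAMPLE_MISSING = """\
depth=0 CN = 8000plus.si
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = 8000plus.si
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = 8000plus.si
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=8000plus.si
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
---
    Verify return code: 21 (unable to verify the first certificate)
"""

CHAIN_SUBJECT = re.compile(r"^\s*(\d+) s:(.*)$")   # " 0 s:/CN=..."
CHAIN_ISSUER = re.compile(r"^\s*i:(.*)$")          # "   i:/C=US/..."
VERIFY_ERROR = re.compile(r"^verify error:num=(\d+):(.*)$")
RETURN_CODE = re.compile(r"^\s*Verify return code: (\d+) \((.*)\)$")


@dataclass
class ChainReport:
    chain: List[Tuple[str, str]] = field(default_factory=list)  # (subject, issuer) as sent
    errors: Dict[int, str] = field(default_factory=dict)        # verify error number -> text
    return_code: Optional[int] = None

    def missing_intermediate(self) -> bool:
        """The sent chain stops at a certificate that is not self-signed and the
        client found no local issuer for it: the classic forgotten intermediate."""
        if not self.chain:
            return False
        subject, issuer = self.chain[-1]
        return subject != issuer and (20 in self.errors or self.return_code in (20, 21))

    def verdict(self) -> str:
        if self.return_code == 0:
            return "ok"
        if self.missing_intermediate():
            return "server does not send the intermediate CA certificate"
        details = "; ".join(f"{num}: {text}" for num, text in sorted(self.errors.items()))
        return "verification failed: " + details


def parse_s_client(output: str) -> ChainReport:
    """Extract the 'Certificate chain' entries, the verify errors and the
    final return code from verbose s_client output."""
    report = ChainReport()
    pending_subject: Optional[str] = None
    for line in output.splitlines():
        m = CHAIN_SUBJECT.match(line)
        if m:
            pending_subject = m.group(2).strip()
            continue
        m = CHAIN_ISSUER.match(line)
        if m and pending_subject is not None:
            report.chain.append((pending_subject, m.group(1).strip()))
            pending_subject = None
            continue
        m = VERIFY_ERROR.match(line)
        if m:
            report.errors[int(m.group(1))] = m.group(2).strip()
            continue
        m = RETURN_CODE.match(line)
        if m:
            report.return_code = int(m.group(1))
    return report


if __name__ == "__main__":
    for name, text in (("port 443", SAMPLE_COMPLETE), ("port 110", SAMPLE_MISSING)):
        report = parse_s_client(text)
        print(f"{name}: {len(report.chain)} cert(s) sent -> {report.verdict()}")
```

To use it on a live service, pipe the s_client output into parse_s_client; for the STARTTLS ports (25, 110, 143, 587) keep the -starttls option, for the SSL-wrapped ports (993, 995) leave it out. Error 20 ("unable to get local issuer certificate") together with a one-element chain whose issuer differs from its subject is the fingerprint of a server that only sends its own certificate.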
  7. Tomislav Aurednik

    Tomislav Aurednik Member HowtoForge Supporter

    First of all, thank you very much for your help.
    Should I use .pem, or can I use .crt as I do now?
    OK, I have now put the CA roots into PF and DC too: IntermediateCA.crt is my bundle CA cert.
    This works, but every time in Outlook I receive that the cert is untrusted and I have to confirm it. What am I missing?
    Or should I combine all three certificates into a .pem (how do I change the .txt file into .pem)?

    dovecot:
    ssl = yes
    ssl_cert = </usr/local/ispconfig/interface/ssl/ispserver.crt
    ssl_key = </usr/local/ispconfig/interface/ssl/ispserver.key
    ssl_ca = </usr/local/ispconfig/interface/ssl/IntermediateCA.crt
    ssl_protocols = !SSLv2 !SSLv3
    ssl_cipher_list = AES128+EECDH:AES128+EDH
    # Dovecot 2.2.6 and newer
    ssl_prefer_server_ciphers = yes
    # Dovecot 2.2 and newer
    ssl_dh_parameters_length = 4096
    ...

    postfix:
    smtpd_use_tls=yes
    smtpd_tls_security_level = may
    smtpd_tls_auth_only = no
    #smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    #smtpd_tls_key_file = /etc/postfix/smtpd.key

    smtpd_tls_cert_file=/usr/local/ispconfig/interface/ssl/ispserver.crt
    smtpd_tls_key_file=/usr/local/ispconfig/interface/ssl/ispserver.key
    smtpd_tls_CAfile =/usr/local/ispconfig/interface/ssl/IntermediateCA.crt

    #smtpd_tls_CAfile = /usr/local/ispconfig/interface/ssl/8000plus.si.bundle
    #SSLCACertificateFile /usr/local/ispconfig/interface/ssl/8000plus.si.bundle

    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
    smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
    smtpd_tls_mandatory_ciphers = medium
    tls_medium_cipherlist = AES128+EECDH:AES128+EDH
    ...
     
  8. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Yes, just put your certificate, then the intermediate certificate(s), then the root certificate in a .pem file (as described under 'Chained SSL Certificates' at http://wiki.dovecot.org/SSL/DovecotConfiguration). You can convert .crt to .pem with openssl:
    Code:
    openssl x509 -in mycert.crt -out mycert.pem -outform PEM
     
  9. Tomislav Aurednik

    Tomislav Aurednik Member HowtoForge Supporter

    Hi,
    It doesn't work:
    warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:649:

    I tried:
    I combined all three certificates into one and turned it into a .pem file using the command openssl x509 -in mycert.crt -out mycert.pem -outform PEM. Afterwards only the CA certificate remained visible in the .txt file. (I copied the key, CA and web (root) cert.)
    I tried some other combinations too: key + CA, web + CA, ... Neither worked. I used .crt and .pem format.

    mail-server@mail:/etc/dovecot$ openssl s_client -host 8000plus.si -port 587 -starttls smtp -CApath /etc/ssl/certs/
    CONNECTED(00000003)
    depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
    verify return:1
    depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA
    verify return:1
    depth=0 CN = 8000plus.si
    verify return:1
    ---
    Certificate chain
    0 s:/CN=8000plus.si
    i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
    1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
    i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIFajCCBFKgAwIBAgIQB4CS+dI9jRQMKLNGyQ6pzDANBgkqhkiG9w0BAQsFADBC
    <snip>
    fsBvPWiYbmDiuSLQnrRwMwqBKo4oze5/w7CrmUEeQboIdfgGTbu5F5syNS9Zjg==
    -----END CERTIFICATE-----
    subject=/CN=8000plus.si
    issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 3224 bytes and written 456 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: BA2DA56C63B15DC82B5396DF0ADFDE7FF1F2B185BC3FFA26EFB7127E85238411
    Session-ID-ctx:
    Master-Key: F18B52CF81219F4EE0275097829E32ED955296552AD4939CDD36511E76D873A119A4DB6AF47B1EDFFC418B8FF57F411B
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1463443718
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
    ---
    250 DSN
     
  10. Tomislav Aurednik

    Tomislav Aurednik Member HowtoForge Supporter

    One more question:
    Could you please write me the correct order for the certificates? I have:
    1. cert request file : ispserver.csr
    2. server key (private domain cert) file : ispserver.key
    3. server web (public domain cert) file: ispserver.crt
    4. CA cert (intermediate, bundle cert from RapidSSL): IntermediateCA.crt

    I don't know how to map my certs above onto the list below; my certs are in brackets.

    Chained SSL certificates
    Put all the certificates in the ssl_cert file. For example when using a certificate signed by TDC the correct order is:
    1. Dovecot's public certificate (ispserver.key)
    2. TDC SSL Server CA (ispserver.crt)
    3. TDC Internet Root CA (IntermediateCA.crt)
    4. Globalsign Partners CA (ispserver.csr)
     
  11. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    The .csr is not included in your final .pem file. Convert .crt files to .pem format one at a time, then combine them at the end. The order you quoted there is correct, private key, then server cert, then intermediate CA cert(s), then root CA cert.
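The order settled on in this thread (private key, server certificate, intermediate CA certificate(s), root CA certificate, and no .csr) is easy to get wrong by hand, and two earlier posts show the typical results: a bundle that still contains the signing request, and a bundle that came out of openssl x509 with only one certificate left in it. As an added example, not code from the thread or from Dovecot or Postfix, here is a Python helper that assembles the bundle in that order and lints an existing one for those mistakes. The PEM bodies in it are constructed placeholders rather than real keys or certificates, the function names are my own, and the checks are purely structural: they complement, not replace, `openssl verify` and an s_client run against the live port.

```python
"""Build and sanity-check the combined .pem that Dovecot (ssl_cert / ssl_key)
and Postfix (smtpd_tls_cert_file / smtpd_tls_key_file) can both point at.

Added example, not code from the thread or from Dovecot/Postfix.  The PEM
bodies below are constructed placeholders, not real keys or certificates,
and the checks are structural only: they do not replace `openssl verify`.
"""
import re
from typing import List, Tuple

# One PEM block; the END label must repeat the BEGIN label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

# Constructed placeholders (base64 of the word CONSTRUCTED-...), not cryptographic material.
KEY = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQtS0VZ\n-----END PRIVATE KEY-----\n"
LEAF = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtTEVBRg==\n-----END CERTIFICATE-----\n"
INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtSU5URVJNRURJQVRF\n-----END CERTIFICATE-----\n"
ROOT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtUk9PVA==\n-----END CERTIFICATE-----\n"
CSR = "-----BEGIN CERTIFICATE REQUEST-----\nQ09OU1RSVUNURUQtQ1NS\n-----END CERTIFICATE REQUEST-----\n"


def split_pem(text: str) -> List[Tuple[str, str]]:
    """Return (label, whole block) pairs in file order; text outside blocks is ignored."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def build_bundle(key_pem: str, leaf_pem: str, *ca_pems: str) -> str:
    """Concatenate in the order the thread settles on: private key, server
    certificate, intermediate CA(s), root CA.  Stray text outside the PEM
    armour (e.g. a 'Certificate:' text dump) is dropped on the way."""
    blocks = []
    for text in (key_pem, leaf_pem, *ca_pems):
        blocks.extend(block for _, block in split_pem(text))
    return "\n".join(blocks) + "\n"


def lint_bundle(text: str) -> List[str]:
    """Report the mistakes seen in this thread: a CSR pasted into the bundle,
    no private key, key not first, or a single certificate (which is what
    `openssl x509` leaves behind when fed a multi-certificate file)."""
    labels = [label for label, _ in split_pem(text)]
    if not labels:
        return ["no PEM blocks found"]
    findings = []
    if "CERTIFICATE REQUEST" in labels or "NEW CERTIFICATE REQUEST" in labels:
        findings.append("a certificate signing request (.csr) does not belong in the bundle")
    keys = [label for label in labels if label in KEY_LABELS]
    if not keys:
        findings.append("no private key block; Dovecot's ssl_key must point at the key")
    elif len(keys) > 1:
        findings.append("more than one private key block")
    elif labels[0] not in KEY_LABELS:
        findings.append("private key should be the first block")
    certs = labels.count("CERTIFICATE")
    if certs == 0:
        findings.append("no certificate block")
    elif certs == 1:
        findings.append("only one certificate: the intermediate CA is missing "
                        "(clients report 'unable to verify the first certificate')")
    return findings


if __name__ == "__main__":
    good = build_bundle(KEY, LEAF, INTERMEDIATE, ROOT)
    print("good bundle:", lint_bundle(good) or "no findings")
    print("with csr   :", lint_bundle(good + CSR))
    print("leaf only  :", lint_bundle(KEY + LEAF))
```

Because the file carries the private key, write it with mode 0600 and root ownership; both Dovecot and Postfix read their key material as root before dropping privileges, so nothing else needs access to it.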
     
  12. Tomislav Aurednik

    Tomislav Aurednik Member HowtoForge Supporter

    After I combined the certs: key + public + CA + cert_req.csr, I received this error:
    error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:795:
     
  13. Tomislav Aurednik

    Tomislav Aurednik Member HowtoForge Supporter

    I followed this: http://www.postfix.org/TLS_README.html#server_tls
    After I combined the certs (all .pem): public + CA + rootCA
    I don't understand why I get this: No client certificate CA names sent (on all ports)
    What else do I have to do so that the certificates start working?
    Any help will be appreciated.

    For 993 and 995 I get only this. There should be a certificate too? (I have it in dovecot.conf)
    root@mail:/var/log# openssl s_client -host 8000plus.si -port 993 -starttls pop3 -CApath /etc/ssl/certs/
    CONNECTED(00000003)
    ^C
    root@mail:/var/log# openssl s_client -host 8000plus.si -port 995 -starttls pop3 -CApath /etc/ssl/certs/
    CONNECTED(00000003)

    port 110
    root@mail:/var/log# openssl s_client -host 8000plus.si -port 110 -starttls pop3 -CApath /etc/ssl/certs/
    CONNECTED(00000003)
    depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
    verify return:1
    depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA
    verify return:1
    depth=0 CN = 8000plus.si
    verify return:1
    ---
    Certificate chain
    0 s:/CN=8000plus.si
    i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
    1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
    i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    2 s:/C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3
    i:/C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIFajCCBFKgAwIBAgIQB4CS+dI9jRQMKLNGyQ6pzDANBgkqhkiG9w0BAQsFADBC
    ...
    fsBvPWiYbmDiuSLQnrRwMwqBKo4oze5/w7CrmUEeQboIdfgGTbu5F5syNS9Zjg==
    -----END CERTIFICATE-----
    subject=/CN=8000plus.si
    issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 4279 bytes and written 459 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 0A99B728163F426D98D54346019B99D6B601B4347AC25A248DC43DD41019569B
    Session-ID-ctx:
    Master-Key: 46461F9BE8719130DDA7FF732311CAA27B1DD6517F36785F190A2850405ECAE10B33DCF5AA1283DC46F3F373009775FD
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 27 94 5a bd 36 07 74 da-e5 20 37 f1 0b fc ab 1e '.Z.6.t.. 7.....
    0010 - 10 5a 80 bd 5d 5d 8f 78-a3 4e 1e 86 e8 7d 0d ed .Z..]].x.N...}..
    0020 - d9 03 df d1 2d f6 8e 1e-b4 78 12 70 32 88 b3 c2 ....-....x.p2...
    0030 - 21 8f 50 34 8e 90 0d 2e-d9 9e d0 95 a7 a8 27 8e !.P4..........'.
    0040 - 1a ab 29 31 92 a7 9c 33-91 76 04 8d 50 64 4d 02 ..)1...3.v..PdM.
    0050 - 1c ed 13 ea eb c6 dd 88-a2 b7 a4 39 b3 d4 85 ab ...........9....
    0060 - 4f e8 cc 36 c3 d4 a3 3c-76 8e 3c 1c ed 0d c6 45 O..6...<v.<....E
    0070 - 4a 3c 06 17 84 49 7f fe-b4 d5 4d 3f 80 27 fa 7a J<...I....M?.'.z
    0080 - 6d 8c f4 d6 08 f1 c0 52-f7 47 c5 23 0c d8 29 1c m......R.G.#..).
    0090 - a6 b0 1e 91 1c e7 ff 08-f4 04 c3 94 94 97 91 cd ................

    Start Time: 1464356065
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
    ---
    +OK Dovecot (Ubuntu) ready.


    port 587
    root@mail:/etc/postfix# openssl s_client -host 8000plus.si -port 587 -starttls smtp -CApath /etc/ssl/certs/
    CONNECTED(00000003)
    depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
    verify return:1
    depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA
    verify return:1
    depth=0 CN = 8000plus.si
    verify return:1
    ---
    Certificate chain
    0 s:/CN=8000plus.si
    i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
    1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
    i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    2 s:/C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3
    i:/C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIFajCCBFKgAwIBAgIQB4CS+dI9jRQMKLNGyQ6pzDANBgkqhkiG9w0BAQsFADBC
    ...
    fsBvPWiYbmDiuSLQnrRwMwqBKo4oze5/w7CrmUEeQboIdfgGTbu5F5syNS9Zjg==
    -----END CERTIFICATE-----
    subject=/CN=8000plus.si
    issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 4253 bytes and written 456 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 87D62C335C0BDD7A4D22675B382768D6D4DAF7DA37EA52CDFBFBDC03843AC767
    Session-ID-ctx:
    Master-Key: 1FCEFB0C7EBC859BF81BECC70DF4A81F417BC3BDDC2773060AF0FA6D5FAF1F0B68080E3D038C52FD050383F4171DF224
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1464351054
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
    ---
    250 DSN
     
  14. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    The two certificate chains you posted (ports 110 and 587) look correct at a glance; ports 993 and 995 are SSL-wrapped (i.e. your mail client connects and starts speaking SSL), they don't use a STARTTLS command, so for those try:
    Code:
    openssl s_client -host 8000plus.si -port 993 -CApath /etc/ssl/certs/
    and
    Code:
    openssl s_client -host 8000plus.si -port 995 -CApath /etc/ssl/certs/
     
