Author Topic: [Correction Proposal] dovecot SSL: Incomplete certificate chain  (Read 1805 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
CWPpro version: 0.9.8.699

The default setup of dovecot SSL is incomplete and will cause issues with some devices/software when verifying the SSL connection/certificate.

To reproduce:
  • Set the correct hostname of the server and get a free SSL (/admin/index.php?module=change_hostname)
  • Rebuild the mail server with the correct certificate (/admin/index.php?module=postfix_manager)
  • Check your config at https://www.sslshopper.com/ssl-checker.html. Insert hostname:995 and have a look
It will show you a broken certificate chain.

To correct this, open dovecot config file at /etc/dovecot/dovecot.conf and go to the line
Code: [Select]
ssl_cert = </etc/pki/tls/certs/hostname.crtand correct it:
Code: [Select]
ssl_cert = </etc/pki/tls/certs/hostname.bundleThen restart dovecot running the command
Code: [Select]
systemctl restart dovecot
« Last Edit: July 30, 2018, 04:29:36 PM by Felix »

Offline
*
Re: [Correction Proposal] dovecot SSL: Incomplete certificate chain
« Reply #1 on: September 28, 2018, 01:26:47 AM »
thanks, fixed the issue with using pop3 through gmail! need that intermediate cert in the bundle.

Offline
*
Re: [Correction Proposal] dovecot SSL: Incomplete certificate chain
« Reply #2 on: January 15, 2019, 09:04:56 PM »
Your fix also worked for me Felix, thank you! Is there a way to prevent the edited dovecot.conf file from being updated (i.e. lock in the above edit)? Thanks again for your contribution!

Offline
***
Re: [Correction Proposal] dovecot SSL: Incomplete certificate chain
« Reply #3 on: April 27, 2019, 08:32:48 PM »
Wow, thank you so much Felix! I was struggling with this for SOOOO LONG...
Did anyone take this with the developer so it can be fixed permanently?

Offline
*
Felix,
I'm still having issues... I fixed the dovecot.conf file as you said and now the dovecot service starts up just fine.  I also ran an SSL check (https://www.sslshopper.com/ssl-checker.html) and verified my SSL chain is not broken.

However, now when I try to access email using any client (such as Microsoft Outlook) I receive an error that says
Quote
"We couldn't connect to the ongoing (SMTP) server using the specified encryption method.  Please check the outgoing (SMTP) server encryption method and try again."

What other dovecot (or postfix) configuration options am I missing?

Keep in mind my email servers were running perfectly until I installed went to the CWP Panel -> Email -> MailServer Manager, checkmarked the three boxes: "AntiSpam/AntiVirus (recommended)", "rDNS Check (recommended)", and "Install DKIM & SPF (recommended)", then clicked the "Rebuild Mail Server" button.  Whatever the configuration was prior to this worked great (could send/receive email without issue).  Now... I'm just plain frustrated.

I appreciate your help.

Sincerely,
Matt
« Last Edit: June 08, 2019, 07:13:20 PM by MattAF »

Offline
**
Re: [Correction Proposal] dovecot SSL: Incomplete certificate chain
« Reply #5 on: June 10, 2019, 04:13:46 PM »
I have the same problem with this.
I can't use email throw SSL.

Is there plans to fix it ?