
I have set up Let's Encrypt encryption on my server, and thereafter followed a tutorial to set up a mail server (Dovecot and Postfix) on the same server (Ubuntu Server 16.04 with nginx). In the process I also created two email addresses for that domain, which I was hoping to use through the mail client Mail. However, I get the error "unable to verify account name or password", and on http://www.checktls.com/perl/TestReceiver.pl I get the following error:

[001.075] Cert NOT VALIDATED: unable to get local issuer certificate
[001.075] this may help: What Is An Intermediate Certificate
[001.075] So email is encrypted but the domain is not verified
[001.075] ssl : scheme=ldap cert=140396633026752 : identity=mail.mysite.com cn=mysite.com alt=2 mysite.com 2 www.mysite.com
[001.075] Cert Hostname DOES NOT VERIFY (mail.mysite.com != mysite.com)
[001.076] So email is encrypted but the host is not verified

The whole report:

seconds test stage and result
[000.123] Connected to server
[000.437] <-- 220 ubuntu-512mb-fra1-01.mysite.com ESMTP Postfix (Ubuntu)
[000.437] We are allowed to connect
[000.438] --> EHLO checktls.com
[000.558] <-- 250-ubuntu-512mb-fra1-01.mysite.com 250-PIPELINING 250-SIZE 10240000 250-VRFY 250-ETRN 250-STARTTLS 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
[000.558] We can use this server
[000.559] TLS is an option on this server
[000.559] --> STARTTLS
[000.679] <-- 220 2.0.0 Ready to start TLS
[000.680] STARTTLS command works on this server
[000.947] ssl : new ctx 140396633279344 : start handshake : ssl handshake not started : not using SNI because hostname is unknown : set socket to non-blocking to enforce timeout=30 : call Net::SSLeay::connect : done Net::SSLeay::connect -> -1 : ssl handshake in progress : waiting for fd to become ready: SSL wants a read first : socket ready, retrying connect : call Net::SSLeay::connect : ok=0 [0] /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3/CN=mysite.com : ok=0 [0] /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3/CN=mysite.com : ok=0 [0] /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3/CN=mysite.com : done Net::SSLeay::connect -> -1 : ssl handshake in progress : waiting for fd to become ready: SSL wants a read first : socket ready, retrying connect : call Net::SSLeay::connect : done Net::SSLeay::connect -> 1 : ssl handshake done
[000.949] SSLVersion in use: TLSv1.2
[000.949] Cipher in use: ECDHE-RSA-AES128-SHA256
[000.950] Connection converted to SSL
[000.979] Certificate 1 of 3 in chain:
Certificate: Data: Version: 3 (0x2) Serial Number: 03:bf:0b:67:c3:bd:f6:98:ed:66:b4:86:11:5c:44:22:e2:1b Signature Algorithm: sha256WithRSAEncryption Issuer: countryName = US organizationName = Let's Encrypt commonName = Let's Encrypt Authority X3 Validity Not Before: Oct 29 10:33:00 2016 GMT Not After : Jan 27 10:33:00 2017 GMT Subject: commonName = mysite.com Subject Public Key Info: Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit) Modulus: 00:dd:1e:5b:b8:0e:b6:06:f3:b5:8d:55:42:b8:d1: f5:91:fd:74:03:f5:f5:5d:6e:8d:84:47:19:d7:28: 77:3d:47:33:50:bd:70:7a:bf:bf:97:fe:9a:bb:af: 31:71:db:d5:8b:dc:5a:22:11:4a:b9:c0:c7:2c:ba: 22:11:52:3d:f8:35:0b:f3:d8:f5:c5:a3:5d:0f:70: df:d6:02:38:dd:a7:43:22:b2:ae:96:7a:a6:17:de: 70:89:e3:74:16:c6:ee:eb:04:37:99:44:f0:2c:10: 95:21:20:75:f9:b3:c8:d2:4a:c0:04:97:6d:fa:82: 10:a5:e7:9a:37:82:95:99:e3:d4:c2:65:1a:d0:60: ef:18:8a:39:6c:0a:13:9e:00:a4:bd:57:03:55:ea: 11:33:61:29:41:99:32:9b:85:7d:76:b8:b3:99:46: 75:33:bf:de:10:52:ce:32:69:9a:36:3d:8b:5b:d1: 67:ff:66:ef:43:ea:8f:07:77:41:55:f5:f6:ba:6d: e2:8f:4e:04:e4:c7:f1:fe:3b:6c:9c:8c:b2:b5:a8: 24:57:c8:50:eb:37:6c:ea:a4:59:d5:17:dd:31:c3: ee:16:df:a4:3a:56:25:ea:38:3c:ab:d2:7f:2b:73: 7d:2e:d5:ca:ff:b9:e7:d2:d3:18:6b:60:14:f9:e8: 03:45 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: D9:81:23:A5:47:07:33:95:ED:67:F4:1C:79:48:64:EF:64:93:31:96 X509v3 Authority Key Identifier: keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1 Authority Information Access: OCSP - URI:http://ocsp.int-x3.letsencrypt.org/ CA Issuers - URI:http://cert.int-x3.letsencrypt.org/ X509v3 Subject Alternative Name: DNS:mysite.com, DNS:www.mysite.com X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org User Notice: Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/ Signature Algorithm: sha256WithRSAEncryption 75:54:a8:af:38:1e:79:64:5c:89:b7:43:5f:81:fd:20:cf:83: 41:f4:f3:4c:53:45:5c:4b:4f:52:41:22:59:76:14:eb:41:30: 46:d2:2a:0e:e3:f8:0a:5b:03:fb:a1:77:b5:95:05:b9:cd:2e: 
4a:d7:10:c1:d4:5d:fc:92:fa:30:c3:52:e4:35:02:f8:aa:c2: ea:9a:a5:81:9f:1e:82:ae:d4:0f:d1:ff:ab:a2:56:66:3c:7d: 6c:55:87:c3:88:73:03:1a:c3:35:50:0a:7c:5d:c2:e6:fe:85: 80:29:8b:57:a2:42:4f:db:b9:d0:2e:5f:27:fb:11:bb:cf:86: d5:97:17:2d:80:85:11:a1:27:c8:b9:98:fd:3c:a0:6d:d8:b9: 54:28:1c:70:ea:6c:04:bd:01:26:0c:ac:05:7d:0e:8b:cf:30: 10:a3:06:fa:62:86:35:a4:85:bb:c8:bc:c1:d7:b1:24:a4:95: cb:9b:51:88:62:02:42:d0:43:b4:85:59:57:2c:19:4c:29:6c: 56:5b:f5:8d:b2:08:29:05:b1:61:5a:4b:91:dc:d0:51:8b:a8: 31:dc:ee:84:0a:e6:2f:84:eb:8a:f8:db:b7:ba:40:ce:12:5a: af:c3:26:a3:27:d2:c1:d6:48:80:d2:2a:dc:82:70:8c:0e:04: 36:7e:d3:1e -----BEGIN CERTIFICATE----- MIIFDjCCA/agAwIBAgISA78LZ8O99pjtZrSGEVxEIuIbMA0GCSqGSIb3DQEBCwUA MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNjEwMjkxMDMzMDBaFw0x NzAxMjcxMDMzMDBaMBcxFTATBgNVBAMTDGhleW1vbmRheS5zZTCCASIwDQYJKoZI hvcNAQEBBQADggEPADCCAQoCggEBAN0eW7gOtgbztY1VQrjR9ZH9dAP19V1ujYRH Gdcodz1HM1C9cHq/v5f+mruvMXHb1YvcWiIRSrnAxyy6IhFSPfg1C/PY9cWjXQ9w 39YCON2nQyKyrpZ6phfecInjdBbG7usEN5lE8CwQlSEgdfmzyNJKwASXbfqCEKXn mjeClZnj1MJlGtBg7xiKOWwKE54ApL1XA1XqETNhKUGZMpuFfXa4s5lGdTO/3hBS zjJpmjY9i1vRZ/9m70Pqjwd3QVX19rpt4o9OBOTH8f47bJyMsrWoJFfIUOs3bOqk WdUX3THD7hbfpDpWJeo4PKvSfytzfS7Vyv+559LTGGtgFPnoA0UCAwEAAaOCAh8w ggIbMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH AwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU2YEjpUcHM5XtZ/QceUhk72STMZYw HwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwcAYIKwYBBQUHAQEEZDBi MC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQub3Jn LzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNlbmNyeXB0Lm9y Zy8wKQYDVR0RBCIwIIIMaGV5bW9uZGF5LnNlghB3d3cuaGV5bW9uZGF5LnNlMIH+ BgNVHSAEgfYwgfMwCAYGZ4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEF BQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGe DIGbVGhpcyBDZXJ0aWZpY2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBS ZWx5aW5nIFBhcnRpZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBD 
ZXJ0aWZpY2F0ZSBQb2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5v cmcvcmVwb3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBAHVUqK84HnlkXIm3Q1+B /SDPg0H080xTRVxLT1JBIll2FOtBMEbSKg7j+ApbA/uhd7WVBbnNLkrXEMHUXfyS +jDDUuQ1AviqwuqapYGfHoKu1A/R/6uiVmY8fWxVh8OIcwMawzVQCnxdwub+hYAp i1eiQk/budAuXyf7EbvPhtWXFy2AhRGhJ8i5mP08oG3YuVQoHHDqbAS9ASYMrAV9 DovPMBCjBvpihjWkhbvIvMHXsSSklcubUYhiAkLQQ7SFWVcsGUwpbFZb9Y2yCCkF sWFaS5Hc0FGLqDHc7oQK5i+E64r427e6QM4SWq/DJqMn0sHWSIDSKtyCcIwOBDZ+ 0x4= -----END CERTIFICATE----- [001.005] Certificate 2 of 3 in chain: Certificate: Data: Version: 3 (0x2) Serial Number: 03:bf:0b:67:c3:bd:f6:98:ed:66:b4:86:11:5c:44:22:e2:1b Signature Algorithm: sha256WithRSAEncryption Issuer: countryName = US organizationName = Let's Encrypt commonName = Let's Encrypt Authority X3 Validity Not Before: Oct 29 10:33:00 2016 GMT Not After : Jan 27 10:33:00 2017 GMT Subject: commonName = mysite.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:dd:1e:5b:b8:0e:b6:06:f3:b5:8d:55:42:b8:d1: f5:91:fd:74:03:f5:f5:5d:6e:8d:84:47:19:d7:28: 77:3d:47:33:50:bd:70:7a:bf:bf:97:fe:9a:bb:af: 31:71:db:d5:8b:dc:5a:22:11:4a:b9:c0:c7:2c:ba: 22:11:52:3d:f8:35:0b:f3:d8:f5:c5:a3:5d:0f:70: df:d6:02:38:dd:a7:43:22:b2:ae:96:7a:a6:17:de: 70:89:e3:74:16:c6:ee:eb:04:37:99:44:f0:2c:10: 95:21:20:75:f9:b3:c8:d2:4a:c0:04:97:6d:fa:82: 10:a5:e7:9a:37:82:95:99:e3:d4:c2:65:1a:d0:60: ef:18:8a:39:6c:0a:13:9e:00:a4:bd:57:03:55:ea: 11:33:61:29:41:99:32:9b:85:7d:76:b8:b3:99:46: 75:33:bf:de:10:52:ce:32:69:9a:36:3d:8b:5b:d1: 67:ff:66:ef:43:ea:8f:07:77:41:55:f5:f6:ba:6d: e2:8f:4e:04:e4:c7:f1:fe:3b:6c:9c:8c:b2:b5:a8: 24:57:c8:50:eb:37:6c:ea:a4:59:d5:17:dd:31:c3: ee:16:df:a4:3a:56:25:ea:38:3c:ab:d2:7f:2b:73: 7d:2e:d5:ca:ff:b9:e7:d2:d3:18:6b:60:14:f9:e8: 03:45 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: 
critical CA:FALSE X509v3 Subject Key Identifier: D9:81:23:A5:47:07:33:95:ED:67:F4:1C:79:48:64:EF:64:93:31:96 X509v3 Authority Key Identifier: keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1 Authority Information Access: OCSP - URI:http://ocsp.int-x3.letsencrypt.org/ CA Issuers - URI:http://cert.int-x3.letsencrypt.org/ X509v3 Subject Alternative Name: DNS:mysite.com, DNS:www.mysite.com X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org User Notice: Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/ Signature Algorithm: sha256WithRSAEncryption 75:54:a8:af:38:1e:79:64:5c:89:b7:43:5f:81:fd:20:cf:83: 41:f4:f3:4c:53:45:5c:4b:4f:52:41:22:59:76:14:eb:41:30: 46:d2:2a:0e:e3:f8:0a:5b:03:fb:a1:77:b5:95:05:b9:cd:2e: 4a:d7:10:c1:d4:5d:fc:92:fa:30:c3:52:e4:35:02:f8:aa:c2: ea:9a:a5:81:9f:1e:82:ae:d4:0f:d1:ff:ab:a2:56:66:3c:7d: 6c:55:87:c3:88:73:03:1a:c3:35:50:0a:7c:5d:c2:e6:fe:85: 80:29:8b:57:a2:42:4f:db:b9:d0:2e:5f:27:fb:11:bb:cf:86: d5:97:17:2d:80:85:11:a1:27:c8:b9:98:fd:3c:a0:6d:d8:b9: 54:28:1c:70:ea:6c:04:bd:01:26:0c:ac:05:7d:0e:8b:cf:30: 10:a3:06:fa:62:86:35:a4:85:bb:c8:bc:c1:d7:b1:24:a4:95: cb:9b:51:88:62:02:42:d0:43:b4:85:59:57:2c:19:4c:29:6c: 56:5b:f5:8d:b2:08:29:05:b1:61:5a:4b:91:dc:d0:51:8b:a8: 31:dc:ee:84:0a:e6:2f:84:eb:8a:f8:db:b7:ba:40:ce:12:5a: af:c3:26:a3:27:d2:c1:d6:48:80:d2:2a:dc:82:70:8c:0e:04: 36:7e:d3:1e -----BEGIN CERTIFICATE----- MIIFDjCCA/agAwIBAgISA78LZ8O99pjtZrSGEVxEIuIbMA0GCSqGSIb3DQEBCwUA MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNjEwMjkxMDMzMDBaFw0x NzAxMjcxMDMzMDBaMBcxFTATBgNVBAMTDGhleW1vbmRheS5zZTCCASIwDQYJKoZI hvcNAQEBBQADggEPADCCAQoCggEBAN0eW7gOtgbztY1VQrjR9ZH9dAP19V1ujYRH Gdcodz1HM1C9cHq/v5f+mruvMXHb1YvcWiIRSrnAxyy6IhFSPfg1C/PY9cWjXQ9w 
39YCON2nQyKyrpZ6phfecInjdBbG7usEN5lE8CwQlSEgdfmzyNJKwASXbfqCEKXn mjeClZnj1MJlGtBg7xiKOWwKE54ApL1XA1XqETNhKUGZMpuFfXa4s5lGdTO/3hBS zjJpmjY9i1vRZ/9m70Pqjwd3QVX19rpt4o9OBOTH8f47bJyMsrWoJFfIUOs3bOqk WdUX3THD7hbfpDpWJeo4PKvSfytzfS7Vyv+559LTGGtgFPnoA0UCAwEAAaOCAh8w ggIbMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH AwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU2YEjpUcHM5XtZ/QceUhk72STMZYw HwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwcAYIKwYBBQUHAQEEZDBi MC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQub3Jn LzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNlbmNyeXB0Lm9y Zy8wKQYDVR0RBCIwIIIMaGV5bW9uZGF5LnNlghB3d3cuaGV5bW9uZGF5LnNlMIH+ BgNVHSAEgfYwgfMwCAYGZ4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEF BQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGe DIGbVGhpcyBDZXJ0aWZpY2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBS ZWx5aW5nIFBhcnRpZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBD ZXJ0aWZpY2F0ZSBQb2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5v cmcvcmVwb3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBAHVUqK84HnlkXIm3Q1+B /SDPg0H080xTRVxLT1JBIll2FOtBMEbSKg7j+ApbA/uhd7WVBbnNLkrXEMHUXfyS +jDDUuQ1AviqwuqapYGfHoKu1A/R/6uiVmY8fWxVh8OIcwMawzVQCnxdwub+hYAp i1eiQk/budAuXyf7EbvPhtWXFy2AhRGhJ8i5mP08oG3YuVQoHHDqbAS9ASYMrAV9 DovPMBCjBvpihjWkhbvIvMHXsSSklcubUYhiAkLQQ7SFWVcsGUwpbFZb9Y2yCCkF sWFaS5Hc0FGLqDHc7oQK5i+E64r427e6QM4SWq/DJqMn0sHWSIDSKtyCcIwOBDZ+ 0x4= -----END CERTIFICATE----- [001.074] Certificate 3 of 3 in chain: Certificate: Data: Version: 3 (0x2) Serial Number: 03:bf:0b:67:c3:bd:f6:98:ed:66:b4:86:11:5c:44:22:e2:1b Signature Algorithm: sha256WithRSAEncryption Issuer: countryName = US organizationName = Let's Encrypt commonName = Let's Encrypt Authority X3 Validity Not Before: Oct 29 10:33:00 2016 GMT Not After : Jan 27 10:33:00 2017 GMT Subject: commonName = mysite.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:dd:1e:5b:b8:0e:b6:06:f3:b5:8d:55:42:b8:d1: f5:91:fd:74:03:f5:f5:5d:6e:8d:84:47:19:d7:28: 
77:3d:47:33:50:bd:70:7a:bf:bf:97:fe:9a:bb:af: 31:71:db:d5:8b:dc:5a:22:11:4a:b9:c0:c7:2c:ba: 22:11:52:3d:f8:35:0b:f3:d8:f5:c5:a3:5d:0f:70: df:d6:02:38:dd:a7:43:22:b2:ae:96:7a:a6:17:de: 70:89:e3:74:16:c6:ee:eb:04:37:99:44:f0:2c:10: 95:21:20:75:f9:b3:c8:d2:4a:c0:04:97:6d:fa:82: 10:a5:e7:9a:37:82:95:99:e3:d4:c2:65:1a:d0:60: ef:18:8a:39:6c:0a:13:9e:00:a4:bd:57:03:55:ea: 11:33:61:29:41:99:32:9b:85:7d:76:b8:b3:99:46: 75:33:bf:de:10:52:ce:32:69:9a:36:3d:8b:5b:d1: 67:ff:66:ef:43:ea:8f:07:77:41:55:f5:f6:ba:6d: e2:8f:4e:04:e4:c7:f1:fe:3b:6c:9c:8c:b2:b5:a8: 24:57:c8:50:eb:37:6c:ea:a4:59:d5:17:dd:31:c3: ee:16:df:a4:3a:56:25:ea:38:3c:ab:d2:7f:2b:73: 7d:2e:d5:ca:ff:b9:e7:d2:d3:18:6b:60:14:f9:e8: 03:45 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: D9:81:23:A5:47:07:33:95:ED:67:F4:1C:79:48:64:EF:64:93:31:96 X509v3 Authority Key Identifier: keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1 Authority Information Access: OCSP - URI:http://ocsp.int-x3.letsencrypt.org/ CA Issuers - URI:http://cert.int-x3.letsencrypt.org/ X509v3 Subject Alternative Name: DNS:mysite.com, DNS:www.mysite.com X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org User Notice: Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/ Signature Algorithm: sha256WithRSAEncryption 75:54:a8:af:38:1e:79:64:5c:89:b7:43:5f:81:fd:20:cf:83: 41:f4:f3:4c:53:45:5c:4b:4f:52:41:22:59:76:14:eb:41:30: 46:d2:2a:0e:e3:f8:0a:5b:03:fb:a1:77:b5:95:05:b9:cd:2e: 4a:d7:10:c1:d4:5d:fc:92:fa:30:c3:52:e4:35:02:f8:aa:c2: ea:9a:a5:81:9f:1e:82:ae:d4:0f:d1:ff:ab:a2:56:66:3c:7d: 6c:55:87:c3:88:73:03:1a:c3:35:50:0a:7c:5d:c2:e6:fe:85: 
80:29:8b:57:a2:42:4f:db:b9:d0:2e:5f:27:fb:11:bb:cf:86: d5:97:17:2d:80:85:11:a1:27:c8:b9:98:fd:3c:a0:6d:d8:b9: 54:28:1c:70:ea:6c:04:bd:01:26:0c:ac:05:7d:0e:8b:cf:30: 10:a3:06:fa:62:86:35:a4:85:bb:c8:bc:c1:d7:b1:24:a4:95: cb:9b:51:88:62:02:42:d0:43:b4:85:59:57:2c:19:4c:29:6c: 56:5b:f5:8d:b2:08:29:05:b1:61:5a:4b:91:dc:d0:51:8b:a8: 31:dc:ee:84:0a:e6:2f:84:eb:8a:f8:db:b7:ba:40:ce:12:5a: af:c3:26:a3:27:d2:c1:d6:48:80:d2:2a:dc:82:70:8c:0e:04: 36:7e:d3:1e -----BEGIN CERTIFICATE----- MIIFDjCCA/agAwIBAgISA78LZ8O99pjtZrSGEVxEIuIbMA0GCSqGSIb3DQEBCwUA MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNjEwMjkxMDMzMDBaFw0x NzAxMjcxMDMzMDBaMBcxFTATBgNVBAMTDGhleW1vbmRheS5zZTCCASIwDQYJKoZI hvcNAQEBBQADggEPADCCAQoCggEBAN0eW7gOtgbztY1VQrjR9ZH9dAP19V1ujYRH Gdcodz1HM1C9cHq/v5f+mruvMXHb1YvcWiIRSrnAxyy6IhFSPfg1C/PY9cWjXQ9w 39YCON2nQyKyrpZ6phfecInjdBbG7usEN5lE8CwQlSEgdfmzyNJKwASXbfqCEKXn mjeClZnj1MJlGtBg7xiKOWwKE54ApL1XA1XqETNhKUGZMpuFfXa4s5lGdTO/3hBS zjJpmjY9i1vRZ/9m70Pqjwd3QVX19rpt4o9OBOTH8f47bJyMsrWoJFfIUOs3bOqk WdUX3THD7hbfpDpWJeo4PKvSfytzfS7Vyv+559LTGGtgFPnoA0UCAwEAAaOCAh8w ggIbMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH AwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU2YEjpUcHM5XtZ/QceUhk72STMZYw HwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwcAYIKwYBBQUHAQEEZDBi MC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQub3Jn LzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNlbmNyeXB0Lm9y Zy8wKQYDVR0RBCIwIIIMaGV5bW9uZGF5LnNlghB3d3cuaGV5bW9uZGF5LnNlMIH+ BgNVHSAEgfYwgfMwCAYGZ4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEF BQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGe DIGbVGhpcyBDZXJ0aWZpY2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBS ZWx5aW5nIFBhcnRpZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBD ZXJ0aWZpY2F0ZSBQb2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5v cmcvcmVwb3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBAHVUqK84HnlkXIm3Q1+B /SDPg0H080xTRVxLT1JBIll2FOtBMEbSKg7j+ApbA/uhd7WVBbnNLkrXEMHUXfyS 
+jDDUuQ1AviqwuqapYGfHoKu1A/R/6uiVmY8fWxVh8OIcwMawzVQCnxdwub+hYAp i1eiQk/budAuXyf7EbvPhtWXFy2AhRGhJ8i5mP08oG3YuVQoHHDqbAS9ASYMrAV9 DovPMBCjBvpihjWkhbvIvMHXsSSklcubUYhiAkLQQ7SFWVcsGUwpbFZb9Y2yCCkF sWFaS5Hc0FGLqDHc7oQK5i+E64r427e6QM4SWq/DJqMn0sHWSIDSKtyCcIwOBDZ+ 0x4=
-----END CERTIFICATE-----
[001.075] Cert NOT VALIDATED: unable to get local issuer certificate
[001.075] this may help: What Is An Intermediate Certificate
[001.075] So email is encrypted but the domain is not verified
[001.075] ssl : scheme=ldap cert=140396633026752 : identity=mail.mysite.com cn=mysite.com alt=2 mysite.com 2 www.mysite.com
[001.075] Cert Hostname DOES NOT VERIFY (mail.mysite.com != mysite.com)
[001.076] So email is encrypted but the host is not verified
[001.076] ~~> EHLO checktls.com
[001.077] ssl write_all VM at entry=vm_unknown at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 554. partial `EHLO checktls.com ' at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 557. written so far 19:19 bytes (VM=vm_unknown) at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 676.
[001.197] <~~ 250-ubuntu-512mb-fra1-01.mysite.com 250-PIPELINING 250-SIZE 10240000 250-VRFY 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
[001.198] TLS successfully started on this server
[001.198] ~~> MAIL FROM:<[email protected]>
[001.199] ssl write_all VM at entry=vm_unknown at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 554. partial `MAIL FROM: ' at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 557. written so far 31:31 bytes (VM=vm_unknown) at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 676.
[001.332] <~~ 250 2.1.0 Ok
[001.333] Sender is OK
[001.333] ~~> RCPT TO:<[email protected]>
[001.335] ssl write_all VM at entry=vm_unknown at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 554. partial `RCPT TO: ' at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 557. written so far 31:31 bytes (VM=vm_unknown) at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 676.
[001.470] <~~ 250 2.1.5 Ok
[001.471] Recipient OK, E-mail address proofed
[001.471] ~~> QUIT
[001.473] ssl write_all VM at entry=vm_unknown at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 554. partial `QUIT ' at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 557. written so far 6:6 bytes (VM=vm_unknown) at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 676.
[001.592] <~~ 221 2.0.0 Bye
[001.595] ssl : free ctx 140396633279344 open=140396633279344 : free ctx 140396633279344 callback

As far as I can tell, the problem is with the implementation of the certificate. What steps can I take to solve this issue?


2 Answers


Looking at

not using SNI because hostname is unknown

after that seeing hostname to which connection is tested to

ubuntu-512mb-fra1-01.mysite.com

and

commonName = mysite.com

and

**X509v3 Subject Alternative Name: DNS:mysite.com, DNS:www.mysite.com** 

.... I noticed: the CN and the hostname of the server being connected to are different, and

secondly, all the certificates in the chain are the same:

 -----BEGIN CERTIFICATE----- MIIFDjCCA/agAwIBAgISA78LZ8O99pjtZrSGEVxEIuIbMA0GCSqGSIb3DQEBCwUA MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNjEwMjkxMDMzMDBaFw0x NzAxMjcxMDMzMDBaMBcxFTATBgNVBAMTDGhleW1vbmRheS5zZTCCASIwDQYJKoZI hvcNAQEBBQADggEPADCCAQoCggEBAN0eW7gOtgbztY1VQrjR9ZH9dAP19V1ujYRH Gdcodz1HM1C9cHq/v5f+mruvMXHb1YvcWiIRSrnAxyy6IhFSPfg1C/PY9cWjXQ9w 39YCON2nQyKyrpZ6phfecInjdBbG7usEN5lE8CwQlSEgdfmzyNJKwASXbfqCEKXn mjeClZnj1MJlGtBg7xiKOWwKE54ApL1XA1XqETNhKUGZMpuFfXa4s5lGdTO/3hBS zjJpmjY9i1vRZ/9m70Pqjwd3QVX19rpt4o9OBOTH8f47bJyMsrWoJFfIUOs3bOqk WdUX3THD7hbfpDpWJeo4PKvSfytzfS7Vyv+559LTGGtgFPnoA0UCAwEAAaOCAh8w ggIbMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH AwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU2YEjpUcHM5XtZ/QceUhk72STMZYw HwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwcAYIKwYBBQUHAQEEZDBi MC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQub3Jn LzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNlbmNyeXB0Lm9y Zy8wKQYDVR0RBCIwIIIMaGV5bW9uZGF5LnNlghB3d3cuaGV5bW9uZGF5LnNlMIH+ BgNVHSAEgfYwgfMwCAYGZ4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEF BQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGe DIGbVGhpcyBDZXJ0aWZpY2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBS ZWx5aW5nIFBhcnRpZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBD ZXJ0aWZpY2F0ZSBQb2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5v cmcvcmVwb3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBAHVUqK84HnlkXIm3Q1+B /SDPg0H080xTRVxLT1JBIll2FOtBMEbSKg7j+ApbA/uhd7WVBbnNLkrXEMHUXfyS +jDDUuQ1AviqwuqapYGfHoKu1A/R/6uiVmY8fWxVh8OIcwMawzVQCnxdwub+hYAp i1eiQk/budAuXyf7EbvPhtWXFy2AhRGhJ8i5mP08oG3YuVQoHHDqbAS9ASYMrAV9 DovPMBCjBvpihjWkhbvIvMHXsSSklcubUYhiAkLQQ7SFWVcsGUwpbFZb9Y2yCCkF sWFaS5Hc0FGLqDHc7oQK5i+E64r427e6QM4SWq/DJqMn0sHWSIDSKtyCcIwOBDZ+ 0x4= -----END CERTIFICATE----- 

And that is why the validation is failing.

  • So, if I understand correctly, we're talking about (probably) 2 main problems, right? One being that there are different names stated, and second that the certificates are the same? How would one go about solving those issues? Thank you so much for your time btw. Commented Oct 31, 2016 at 16:42
  • First, use the same hostname in the certificate CN as the MX entry of your domain (or vice versa). Also, you would have got a fullchain.pem from Let's Encrypt; use that instead of this. If you haven't, create it by first pasting this certificate in a file, then after that pasting the Let's Encrypt root certificate; name it fullchain.pem and use that. Commented Oct 31, 2016 at 16:47
  • Recommenting for more clarity: Firstly, use the same hostname in the certificate CN or Subject Alternative Name (SAN) as the MX record entry of your domain (or do the vice versa, i.e. the MX record of the domain should be equal to the CN or SAN on the certificate). Second problem: you would have got a fullchain.pem from Let's Encrypt; use that instead of the current certificate file. If you haven't, create it by first pasting this certificate in a file, then after that pasting the Let's Encrypt root certificate; name it fullchain.pem and use that instead of the current certificate file. Hope this helps! Commented Oct 31, 2016 at 16:56
  • I get it sending emails now through the command line; however, I cannot connect it to an email client. In Mail on Mac, for example, it says, when I've filled out the credentials, that it can't verify the username or password. How come? Commented Oct 31, 2016 at 20:09
  • All the config you did till now was for Postfix, which is an MTA. Email clients talk to an MDA, so you have to configure the MDA, which is Dovecot, for an email client to communicate successfully. And check its logs to see why it is not able to do so right now. Commented Nov 1, 2016 at 1:39
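The two defects this answer points out (the CN/SAN not covering the name the client connects to, and the same certificate repeated three times where leaf plus intermediate should be) are both mechanical to check before a client ever complains. The script below is an added example, not code from the question or the answer: the function names, the identity `mail.mysite.com` with the CN/SAN values from the report, and the placeholder PEM bodies are constructed for illustration, so the "certificates" are not parsable and only the chain's structure is checked.

```shell
#!/bin/sh
# Added example (not from the question or either answer). Two structural checks:
#   1. the name the client connects to must be the CN or one of the SAN entries;
#   2. the chain the server sends must contain distinct certificates
#      (leaf + intermediate), not the leaf repeated.
# The PEM bodies below are constructed placeholders, not real certificates.

# cert_name_matches IDENTITY NAME...
# Exit 0 if IDENTITY equals one NAME or matches a single-label wildcard
# (*.example.com covers mail.example.com, not a.b.example.com or example.com).
cert_name_matches() {
    identity=$1
    shift
    for name in "$@"; do
        case "$name" in
            \*.*)
                suffix=${name#\*}                 # ".example.com"
                label=${identity%"$suffix"}       # identity with that suffix removed
                # match only if the suffix was really stripped and exactly one label is left
                if [ "$label" != "$identity" ] && [ -n "$label" ] && [ "${label#*.}" = "$label" ]; then
                    return 0
                fi
                ;;
            *)
                if [ "$identity" = "$name" ]; then
                    return 0
                fi
                ;;
        esac
    done
    return 1
}

# pem_chain_summary [FILE]
# Reads PEM blocks from FILE (or stdin) and prints "<total> <distinct>".
# A leaf + intermediate chain prints "2 2"; the report above would print "3 1".
pem_chain_summary() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inblock = 1; body = ""; next }
        /-----END CERTIFICATE-----/ {
            inblock = 0
            total++
            if (!(body in seen)) { seen[body] = 1; distinct++ }
            next
        }
        inblock { body = body $0 }
        END { printf "%d %d\n", total + 0, distinct + 0 }
    ' "$@"
}

# chain_verdict [FILE] -> "ok" or a one-line reason
chain_verdict() {
    set -- $(pem_chain_summary "$@")
    total=$1
    distinct=$2
    if [ "$total" -eq 0 ]; then
        echo "no certificates found"
    elif [ "$total" -eq 1 ]; then
        echo "leaf only: intermediate missing, clients report 'unable to get local issuer certificate'"
    elif [ "$distinct" -lt "$total" ]; then
        echo "chain repeats a certificate ($total blocks, $distinct distinct): install fullchain.pem"
    else
        echo "ok"
    fi
}

# Constructed sample blocks (placeholder bodies, labelled as such).
LEAF='-----BEGIN CERTIFICATE-----
CONSTRUCTEDPLACEHOLDERLEAFCERTIFICATEBODY
-----END CERTIFICATE-----'
INTERMEDIATE='-----BEGIN CERTIFICATE-----
CONSTRUCTEDPLACEHOLDERINTERMEDIATECABODY
-----END CERTIFICATE-----'

# What the server in the question sent: the leaf three times.
broken_chain() { printf '%s\n%s\n%s\n' "$LEAF" "$LEAF" "$LEAF"; }
# What fullchain.pem from Let's Encrypt contains: leaf followed by the intermediate.
good_chain()   { printf '%s\n%s\n' "$LEAF" "$INTERMEDIATE"; }

main() {
    # the identity checktls connected to, and the CN/SAN the server presented
    if cert_name_matches mail.mysite.com mysite.com www.mysite.com; then
        echo "hostname: ok"
    else
        echo "hostname: mail.mysite.com is not in CN/SAN (mysite.com www.mysite.com); reissue with -d mail.mysite.com"
    fi
    echo "server chain:  $(broken_chain | chain_verdict)"
    echo "fullchain.pem: $(good_chain | chain_verdict)"
}
main
```

`chain_verdict` only looks at the shape of the chain; it does not check that each certificate's issuer is the next one's subject or that the signatures verify, which is what `openssl verify` with the intermediate supplied as `-untrusted` does on the real files.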

My hostname is vegas, and I use LE certs like this:

Request Cert from LE:

/opt/letsencrypt/letsencrypt-auto certonly --agree-tos --email [email protected] --keep-until-expiring --webroot -w /usr/share/nginx/html --rsa-key-size 4096 -d vegas.jacobdevans.com --renew-by-default 

Contents of /etc/postfix/main.cf | grep vegas

smtp_tls_cert_file = /etc/letsencrypt/live/vegas.jacobdevans.com/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/vegas.jacobdevans.com/privkey.pem

SNI isn't supported in Postfix (HTTPS only), so I would dedicate a single hostname to your MTA or add it to a SAN cert.

Always use fullchain.pem.
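The answer shows the `smtp_tls_*` parameters, which configure Postfix as an outgoing SMTP client; the receiving side that checktls.com exercised (and that mail clients submit to) is configured by the `smtpd_tls_*` parameters, and both should point at fullchain.pem. The lint below is an added example, not the answer's configuration: the three main.cf excerpts are constructed, `mail.example.com` is a placeholder, and the function names are invented for this illustration; the parameter names themselves are Postfix's. (The answer's SNI remark holds for the Postfix 3.1 that Ubuntu 16.04 ships; Postfix 3.4 and later can serve per-name certificates via `tls_server_sni_maps`.)

```shell
#!/bin/sh
# Added example, not from the answer: a lint for the TLS parameters in a Postfix
# main.cf. smtp_tls_* = Postfix as outgoing client; smtpd_tls_* = receiving side.
# The three config excerpts are constructed for this example.

# postfix_param CONFIG_TEXT NAME -> prints NAME's value (last definition wins,
# as in Postfix); prints nothing if NAME is unset.
postfix_param() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*#/ || !index($0, "=") { next }
        {
            eq = index($0, "=")
            k = substr($0, 1, eq - 1)
            gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, eq + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
            }
        }
        END { print v }'
}

# postfix_tls_findings CONFIG_TEXT -> one line per problem with the inbound TLS setup
postfix_tls_findings() {
    cfg=$1
    cert=$(postfix_param "$cfg" smtpd_tls_cert_file)
    key=$(postfix_param "$cfg" smtpd_tls_key_file)
    level=$(postfix_param "$cfg" smtpd_tls_security_level)
    if [ -z "$cert" ]; then
        echo "smtpd_tls_cert_file is unset: inbound STARTTLS has no certificate to present"
    else
        case "$cert" in
            */fullchain.pem) ;;
            *) echo "smtpd_tls_cert_file = $cert: use fullchain.pem so the intermediate is sent with the leaf" ;;
        esac
    fi
    if [ -z "$key" ]; then
        echo "smtpd_tls_key_file is unset"
    fi
    case "$level" in
        may|encrypt) ;;
        *) echo "smtpd_tls_security_level = '$level': set 'may' so STARTTLS is offered on port 25" ;;
    esac
}

# postfix_tls_finding_count CONFIG_TEXT -> number of findings (0 means clean)
postfix_tls_finding_count() {
    postfix_tls_findings "$1" | awk 'END { print NR }'
}

# Constructed excerpt 1: only the outgoing-client side is configured, with cert.pem.
WEAK_MAIN_CF='smtp_tls_cert_file = /etc/letsencrypt/live/mail.example.com/cert.pem
smtp_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
smtp_tls_security_level = may'

# Constructed excerpt 2: right parameters, but the leaf-only file.
PARTIAL_MAIN_CF='smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/cert.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
smtpd_tls_security_level = may'

# Constructed excerpt 3: the corrected form. mail.example.com stands for the
# name the MX record points at, which must be a CN/SAN of the certificate.
GOOD_MAIN_CF='# inbound (what checktls.com and mail clients see)
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
smtpd_tls_security_level = may
# outbound: reuse the same files
smtp_tls_cert_file = $smtpd_tls_cert_file
smtp_tls_key_file = $smtpd_tls_key_file
smtp_tls_security_level = may'

main() {
    echo "== weak:    $(postfix_tls_finding_count "$WEAK_MAIN_CF") finding(s)"
    postfix_tls_findings "$WEAK_MAIN_CF"
    echo "== partial: $(postfix_tls_finding_count "$PARTIAL_MAIN_CF") finding(s)"
    postfix_tls_findings "$PARTIAL_MAIN_CF"
    echo "== good:    $(postfix_tls_finding_count "$GOOD_MAIN_CF") finding(s)"
    postfix_tls_findings "$GOOD_MAIN_CF"
}
main
```

On a live box the same values come from `postconf smtpd_tls_cert_file smtpd_tls_key_file smtpd_tls_security_level`, which also resolves `$parameter` references that this text-only lint leaves unexpanded.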
