How to replicate the bug:
Virtualmin -> server.example.com -> Server Configuration -> Manage SSL Certificate -> Let's Encrypt -> Request Certificate
Virtualmin -> server.example.com -> Server Configuration -> Manage SSL Certificate -> Current Certificate -> Copy to Postfix
Copying certificate and key to Postfix files ..
.. wrote out certificate in /etc/postfix/postfix.cert.pem and key in /etc/postfix/postfix.key.pem
Enabling SSL in Postfix configuration ..
.. done
Testing with (url censored*) gives error message:
Cert NOT VALIDATED: unable to get local issuer certificate
[this may help: What Is An Intermediate Certificate]
So email is encrypted but the domain is not verified
When I go to Webmin -> Servers -> Postfix Mail Server -> SMTP Authentication And Encryption
I see this:
Enable TLS encryption? (*) Yes ( ) No
TLS certificate file ( ) None (*) [/etc/postfix/postfix.cert.pem]
TLS private key file ( ) None (*) [/etc/postfix/postfix.key.pem]
TLS certificate authority file ( ) None (*) [ ]
Note that TLS certificate authority file is empty and the radio button is on the right side (by default).
When I click on [Save and Apply] without changing anything it gives error (like expected):
Error
Failed to save SMTP authentication and encryption : Missing or invalid TLS certificate authority file
When I change this part like this:
TLS certificate authority file (* ) None ( ) [ ]
there is no error message (Failed to save...), but it does not work (Cert NOT VALIDATED).
There is no file /etc/postfix/postfix.ca.pem.
When I try this:
# cat /home/server.example.com/ssl.ca > /etc/postfix/postfix.ca.pem
And change these settings:
TLS certificate authority file ( ) None (*) /etc/postfix/postfix.ca.pem
And click on [Save and Apply], it works (Cert VALIDATED: ok).
The problem is that Virtualmin is not creating the /etc/postfix/postfix.ca.pem
file and not filling the corresponding field in the form.
- I am not posting the url of the app I use to test the server, because I often have issues with anti-spam software on your website. Don't want to trigger it again.
Comments
Submitted by JamieCameron on Sun, 03/19/2017 - 16:08 Comment #1
When you were in the original broken state, what did the smtpd_tls_CAfile line in /etc/postfix/main.cf contain?
Submitted by vstoykov on Sun, 03/19/2017 - 18:10 Comment #2
There was no smtpd_tls_CAfile line.
Submitted by vstoykov on Sun, 03/19/2017 - 18:16 Comment #3
I tested it again to confirm.
Broken state:
[root@server postfix]# grep smtp main.cf | grep file
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
Fixed state (after I changed configuration):
[root@server postfix]# grep smtp main.cf | grep file
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
Submitted by JamieCameron on Sun, 03/19/2017 - 18:44 Comment #4
If you run ls -l /etc/postfix/postfix.*.pem, does it show that all three files were updated at the same time?
Also, was your webserver configured to use the Let's Encrypt CA cert?
Submitted by vstoykov on Sun, 03/19/2017 - 20:45 Comment #5
Yes, my server is working fine with the Let's Encrypt CA cert.
Virtualmin is not writing the third file (/etc/postfix/postfix.ca.pem) at all, I need to manually copy it.
Virtualmin is only writing the first two files:
Copying certificate and key to Postfix files ..
.. wrote out certificate in /etc/postfix/postfix.cert.pem and key in /etc/postfix/postfix.key.pem
Enabling SSL in Postfix configuration ..
.. done
I am using the same certificate with Dovecot, it works.
Submitted by JamieCameron on Tue, 03/21/2017 - 01:16 Comment #6
Looking at the Virtualmin code, the only way I can see the behavior you are having being triggered is if the CA cert wasn't copied to Apache at all. Or are you using Nginx there?
Submitted by vstoykov on Thu, 05/04/2017 - 15:15 Comment #7
I am using Nginx.
Submitted by vstoykov on Thu, 05/04/2017 - 15:48 Comment #8
On another server I tested it with certbot (without using Virtualmin's feature to request Let's Encrypt certificate) with these settings and it works without smtpd_tls_CAfile:
# grep ^smtpd /etc/postfix/main.cf
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_milters = inet:localhost:8891
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/letsencrypt/live/server.example.com/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/server.example.com/fullchain.pem
I tested it with these methods:
$ openssl s_client -starttls smtp -crlf -connect server.example.com:25
https://www.checktls.com/perl/live/TestReceiver.pl
https://www.wormly.com/test-smtp-server
Submitted by JamieCameron on Fri, 05/05/2017 - 12:00 Comment #9
Nginx is kind of troublesome in this case, because it insists that the CA cert be included in the main cert file.
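As an added example (not from this thread and not Virtualmin's own code), the following Python script checks a Postfix main.cf for the incomplete-chain condition discussed above: a smtpd_tls_cert_file holding only the leaf certificate with no smtpd_tls_CAfile set, versus the two working layouts (CA copied to postfix.ca.pem, or a fullchain.pem as in Comment #8). The sample main.cf texts and PEM bodies are constructed; the script only counts PEM blocks and does not cryptographically verify the leaf/CA linkage.

```python
"""Detect a Postfix smtpd TLS setup that serves only the leaf certificate.

Clients then report "unable to get local issuer certificate", because the
intermediate (Let's Encrypt CA) cert is neither in smtpd_tls_cert_file nor
supplied via smtpd_tls_CAfile.
"""
import re
import sys
from pathlib import Path

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def parse_main_cf(text):
    """Return {parameter: value} for 'key = value' lines; comments and
    indented continuation lines are ignored ($variable expansion not handled)."""
    params = {}
    for line in text.splitlines():
        if not line or line[0] in "# \t":
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def count_certs(pem_text):
    """Number of PEM certificate blocks in a file body."""
    return len(PEM_CERT.findall(pem_text))


def chain_status(main_cf, files):
    """files maps path -> content (a dict stands in for the filesystem).
    Returns "no-tls", "missing-file", "chain-in-cert-file",
    "chain-via-cafile", or "leaf-only" (the broken state from the report)."""
    p = parse_main_cf(main_cf)
    cert = p.get("smtpd_tls_cert_file")
    if not cert:
        return "no-tls"
    if cert not in files:
        return "missing-file"
    if count_certs(files[cert]) >= 2:   # leaf + intermediate in one file
        return "chain-in-cert-file"
    ca = p.get("smtpd_tls_CAfile")
    if ca and ca in files and count_certs(files[ca]) >= 1:
        return "chain-via-cafile"
    return "leaf-only"


# Constructed sample data mirroring the thread (placeholder PEM bodies, not real certs).
LEAF = "-----BEGIN CERTIFICATE-----\nLEAFPLACEHOLDER\n-----END CERTIFICATE-----\n"
CA = "-----BEGIN CERTIFICATE-----\nCAPLACEHOLDER\n-----END CERTIFICATE-----\n"
BROKEN_MAIN_CF = ("smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem\n"
                  "smtpd_tls_key_file = /etc/postfix/postfix.key.pem\n")
FIXED_MAIN_CF = BROKEN_MAIN_CF + "smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem\n"
FULLCHAIN_MAIN_CF = "smtpd_tls_cert_file = /etc/letsencrypt/live/server.example.com/fullchain.pem\n"
FILES_BROKEN = {"/etc/postfix/postfix.cert.pem": LEAF}
FILES_FIXED = {**FILES_BROKEN, "/etc/postfix/postfix.ca.pem": CA}
FILES_FULLCHAIN = {"/etc/letsencrypt/live/server.example.com/fullchain.pem": LEAF + CA}

if __name__ == "__main__":  # run against a real main.cf: python check.py /etc/postfix/main.cf
    cf = Path(sys.argv[1] if len(sys.argv) > 1 else "/etc/postfix/main.cf").read_text()
    paths = [v for k, v in parse_main_cf(cf).items() if k in ("smtpd_tls_cert_file", "smtpd_tls_CAfile")]
    print(chain_status(cf, {v: Path(v).read_text() for v in paths if Path(v).exists()}))
```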