copying certificate to postfix

How to replicate the bug:

Virtualmin -> server.example.com -> Server Configuration -> Manage SSL Certificate -> Let's Encrypt -> Request Certificate

Virtualmin -> server.example.com -> Server Configuration -> Manage SSL Certificate -> Current Certificate -> Copy to Postfix

Copying certificate and key to Postfix files ..
.. wrote out certificate in /etc/postfix/postfix.cert.pem and key in /etc/postfix/postfix.key.pem

Enabling SSL in Postfix configuration ..
.. done

Testing with (url censored*) gives this error message:

      Cert NOT VALIDATED: unable to get local issuer certificate
      [this may help: What Is An Intermediate Certificate]
      So email is encrypted but the domain is not verified

When I go to Webmin -> Servers -> Postfix Mail Server -> SMTP Authentication And Encryption I see this:

Enable TLS encryption? (*) Yes ( ) No
TLS certificate file  ( ) None (*) [etc/postfix/postfix.cert.pem]
TLS private key file  ( ) None (*) [/etc/postfix/postfix.key.pem]
TLS certificate authority file  ( ) None  (*) [                                     ]

Note that TLS certificate authority file is empty and the radio button is on the right side (by default).

When I click on [Save and Apply] without changing anything it gives an error (as expected):

Error

Failed to save SMTP authentication and encryption : Missing or invalid TLS certificate authority file

When I change this part like this:

TLS certificate authority file  (*) None  ( ) [                                     ]

there is no error message (Failed to save...), but it does not work (Cert NOT VALIDATED).

There is no file /etc/postfix/postfix.ca.pem .

When I try this:

# cat /home/server.example.com/ssl.ca > /etc/postfix/postfix.ca.pem

And change these settings:

TLS certificate authority file  ( ) None  (*) /etc/postfix/postfix.ca.pem

And click on [Save and Apply], it works (Cert VALIDATED: ok).

The problem is that Virtualmin is not creating the /etc/postfix/postfix.ca.pem file and not filling the corresponding field in the form.

* I am not posting the URL of the app I use to test the server, because I often have issues with anti-spam software on your website. Don't want to trigger it again.

Status: Active

Comments

When you were in the original broken state, what did the smtpd_tls_CAfile line in /etc/postfix/main.cf contain?

There was no smtpd_tls_CAfile line.

I tested it again to confirm.

Broken state:

[root@server postfix]# grep smtp main.cf | grep file
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem

Fixed state (after I changed configuration):

[root@server postfix]# grep smtp main.cf | grep file
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem

If you run ls -l /etc/postfix/postfix.*.pem , does it show that all three files were updated at the same time?

Also, was your webserver configured to use the Let's Encrypt CA cert?

Yes, my server is working fine with the Let's Encrypt CA cert.

Virtualmin is not writing the third file (/etc/postfix/postfix.ca.pem) at all, I need to manually copy it.

Virtualmin is only writing the first two files:

Copying certificate and key to Postfix files ..
.. wrote out certificate in /etc/postfix/postfix.cert.pem and key in /etc/postfix/postfix.key.pem

Enabling SSL in Postfix configuration ..
.. done

I am using the same certificate with Dovecot, it works.

Looking at the Virtualmin code, the only way I can see the behavior you are having being triggered is if the CA cert wasn't copied to Apache at all. Or are you using Nginx there?

On another server I tested it with certbot (without using Virtualmin's feature to request a Let's Encrypt certificate) with these settings, and it works without smtpd_tls_CAfile:

# grep ^smtpd /etc/postfix/main.cf
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_milters = inet:localhost:8891
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/letsencrypt/live/server.example.com/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/server.example.com/fullchain.pem

I tested it with these methods:

$ openssl s_client -starttls smtp -crlf -connect server.example.com:25
https://www.checktls.com/perl/live/TestReceiver.pl
https://www.wormly.com/test-smtp-server

Nginx is kind of troublesome in this case, because it insists that the CA cert be included in the main cert file.
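The three states discussed in this thread can be reproduced offline without a mail server. The script below is an added example, not code from the thread or from Virtualmin: it builds a throwaway root -> intermediate -> leaf chain with openssl (the names "Example Root", "Example Intermediate" and server.example.com are made up for the demo) and then verifies the leaf the way an external tester does when it trusts only the root CA. With the leaf alone, openssl reports "unable to get local issuer certificate", which is the broken Postfix state (only smtpd_tls_cert_file and smtpd_tls_key_file set, and the cert file containing just the server certificate). Supplying the intermediate separately corresponds to the smtpd_tls_CAfile fix, and a leaf-plus-intermediate file corresponds to the certbot fullchain.pem layout, which is why the second server works without smtpd_tls_CAfile.

```shell
#!/bin/sh
# Added example, not code from the Virtualmin thread or project.
# Builds a throwaway root -> intermediate -> leaf chain and checks the leaf
# as a client that trusts only the root would, in the thread's three states:
#   1. leaf only            -> broken ("unable to get local issuer certificate")
#   2. leaf + separate CA   -> the smtpd_tls_CAfile fix
#   3. fullchain.pem        -> certbot layout, chain inside the cert file
# CA and host names are made up for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
EC="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

make_pki() {
    # Self-signed root: the only thing the client (mail tester) trusts.
    openssl req -x509 $EC -days 2 -subj "/CN=Example Root" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    # Intermediate CA signed by the root (the role Let's Encrypt's R3 plays).
    openssl req -new $EC -subj "/CN=Example Intermediate" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/int.ext"
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -extfile "$WORK/int.ext" -out "$WORK/int.pem" 2>/dev/null
    # Server (leaf) certificate signed by the intermediate, not by the root.
    openssl req -new $EC -subj "/CN=server.example.com" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:server.example.com\n' \
        > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
    # certbot's fullchain.pem layout: server cert first, then the intermediate.
    cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/fullchain.pem"
}

# State 1 (broken): the client only ever sees the leaf and knows just the root.
verify_leaf_only() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem"
}

# State 2: the intermediate is handed over separately, as smtpd_tls_CAfile does.
verify_with_ca_file() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem"
}

# State 3: the cert file itself carries the chain (certbot fullchain.pem).
verify_fullchain() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/fullchain.pem" "$WORK/leaf.pem"
}

# Number of certificates a PEM file would send to the client.
chain_length() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

make_pki
echo "1. leaf only (broken):"
verify_leaf_only 2>&1 || true
echo "2. leaf + separate CA file:"
verify_with_ca_file
echo "3. fullchain.pem:"
verify_fullchain
echo "certificates in fullchain.pem: $(chain_length "$WORK/fullchain.pem")"
```

Against a live server the same check is `openssl s_client -starttls smtp -connect server.example.com:25 -CAfile <root bundle>`; a `Verify return code: 20 (unable to get local issuer certificate)` line means the server is in state 1. Postfix sends every certificate in smtpd_tls_cert_file, so either append the intermediate to that file (the Postfix documentation's preferred layout, and what fullchain.pem already is) or point smtpd_tls_CAfile at it, which is what the manual postfix.ca.pem fix in this thread does.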