On 9/05/2025 9:08 am, Dan Mahoney wrote:
> There's only one certificate in your chain, you need to send the
> intermediate cert as well. The cert you're signing with isn't trusted by
> browsers.
>
> Certificate chain
>  0 s:CN = rollcage13.aboc.net.au
>    i:C = US, O = Let's Encrypt, CN = R10
>
> Arguably, this is even worse than being self-signed. Compared with my
> sendmail (stop laughing) server:
Not laughing at all, many -many- years ago I did a lot of work with Sendmail (before the m4 stuff, that long ago!) - a very valuable lesson was learned: don't leave your email address in a sendmail config file as an "I did it this way" note, or for -decades- you will get "help!" emails! If you did enough Sendmail stuff, perl's line noise didn't seem so bad.
But - I don't really understand what you're saying here. I think I need to RTFM on this again.
> Certificate chain
>  0 s:CN = prime.gushi.org
>    i:C = US, O = Let's Encrypt, CN = E5
>  1 s:C = US, O = Let's Encrypt, CN = E5
>    i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
>
> I believe if you just point postfix at your cert chain, it will do the
> right thing as long as the certs are in the correct order.
>
> -Dan
>
>> On May 8, 2025, at 15:34, Carl Brewer via Postfix-users <[email protected]> wrote:
>>
>> Hi,
>>
>> I've been running postscript on a FreeBSD 13.x server with Letsencrypt
>> running as a cron job to keep SSL certs up to date automagically:
>>
>> in main.cf:
>>
>> smtpd_tls_security_level = may
>> smtpd_tls_cert_file = /usr/local/etc/letsencrypt/live/rollcage13.aboc.net.au/cert.pem
>> smtpd_tls_key_file = /usr/local/etc/letsencrypt/live/rollcage13.aboc.net.au/privkey.pem
>>
>> As best I can tell, this has worked for a number of years without issue.
>> I've noticed this error of late:
>>
>> May 9 08:15:44 rollcage13 postfix/smtpd[88039]: warning: TLS library problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1621:SSL alert number 42:
>>
>> And some mail isn't making it through - I guess it's possible that the
>> above config never worked and I didn't notice, but I suspect this is a
>> new thing.
>>
>> When I check the SSL config using the ssl-tools.net checks, I'm seeing
>> "Unknown Authority" as the error, but also seeing a cert that looks ok:
>>
>> From: https://ssl-tools.net/mailservers/rollcage13.aboc.net.au
>>
>> Certificates
>> First seen at: a day ago
>> CN=rollcage13.aboc.net.au
>>
>> Certificate chain
>> rollcage13.aboc.net.au
>>   40 days remaining
>>   2048 bit sha256WithRSAEncryption
>>   Unknown Authority R10
>>
>> Subject
>> Common Name (CN): rollcage13.aboc.net.au
>> Alternative Names: rollcage13.aboc.net.au
>>
>> Apart from the "Unknown Authority" it looks fine.
>>
>> Permissions in the cert directory are all ok, or at least, all the same,
>> so if it can read one bit it can read them all:
>>
>> rollcage13:/usr/local/etc/letsencrypt/live/rollcage13.aboc.net.au # ls -la
>> total 16
>> drwxr-xr-x  2 root wheel      7 Mar 18 05:08 .
>> drwxr-s---  3 root readcirts  4 Sep 19  2021 ..
>> -rw-r--r--  1 root wheel    692 Sep 19  2021 README
>> lrwxr-xr-x  1 root wheel     47 Mar 18 05:08 cert.pem -> ../../archive/rollcage13.aboc.net.au/cert23.pem
>> lrwxr-xr-x  1 root wheel     48 Mar 18 05:08 chain.pem -> ../../archive/rollcage13.aboc.net.au/chain23.pem
>> lrwxr-xr-x  1 root wheel     52 Mar 18 05:08 fullchain.pem -> ../../archive/rollcage13.aboc.net.au/fullchain23.pem
>> lrwxr-xr-x  1 root wheel     50 Mar 18 05:08 privkey.pem -> ../../archive/rollcage13.aboc.net.au/privkey23.pem
>>
>> Any suggestions? I'm no whizz when it comes to SSL setups, and am pretty
>> rusty here.
>>
>> _______________________________________________
>> Postfix-users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
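Dan's point (the server must send the intermediate as well as its own certificate, in the right order, which you get by pointing Postfix at the full chain file) can be checked on the file itself before touching main.cf. The script below is an added example, not code from the thread, from Let's Encrypt or from Postfix. It assumes only the openssl command line tool (1.1.1 or 3.x). make_test_pki builds a constructed root -> intermediate -> leaf PKI with made-up names and writes files named like the Let's Encrypt ones (cert.pem, chain.pem, fullchain.pem) plus a deliberately mis-ordered bundle; check_chain then prints the chain in the order a client would receive it, flags any certificate that is not issued by the one after it, and verifies the first certificate against a trust store holding only the root, with the bundle itself as the sole source of intermediates, which is exactly the position a connecting MTA is in.

```shell
#!/bin/sh
# Added example (not from the thread or from Postfix). Requires the openssl CLI.

# Print the subject or issuer ($2) of certificate file $1, without the "subject="/"issuer=" label.
cert_name() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[^=]*=//'
}

# Split PEM bundle $1 into $2.1.pem, $2.2.pem, ... (first cert in the file first) and print the count.
split_certs() {
    awk -v p="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (p "." n ".pem") }
        /-----END CERTIFICATE-----/ { close(p "." n ".pem") }
        END { print n + 0 }' "$1"
}

# check_chain BUNDLE TRUSTED_ROOTS
# Shows the chain as "openssl s_client" would (cert 0 = server cert), checks that each cert is
# issued by the next one, and verifies cert 0 using only BUNDLE for intermediates. Returns 0 only
# if the order is right and verification succeeds.
check_chain() {
    bundle=$1; roots=$2
    tmp=$(mktemp -d); pfx=$tmp/c; rc=0
    n=$(split_certs "$bundle" "$pfx")
    echo "== $bundle ($n certificate(s))"
    i=1
    while [ "$i" -le "$n" ]; do
        subj=$(cert_name "$pfx.$i.pem" subject)
        iss=$(cert_name "$pfx.$i.pem" issuer)
        echo " $((i - 1)) s:$subj"
        echo "   i:$iss"
        if [ "$i" -lt "$n" ]; then
            next_subj=$(cert_name "$pfx.$((i + 1)).pem" subject)
            if [ "$iss" != "$next_subj" ]; then
                echo "   ORDER PROBLEM: cert $((i - 1)) is not issued by cert $i"; rc=1
            fi
        fi
        i=$((i + 1))
    done
    # A client trusts only the roots it already has; everything else must come from the bundle.
    if [ "$n" -gt 0 ] && openssl verify -CAfile "$roots" -untrusted "$bundle" "$pfx.1.pem" >/dev/null 2>&1; then
        echo "   verify: OK"
    else
        echo "   verify: FAILED (this is what a connecting client's verification sees)"; rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# make_test_pki DIR: constructed three-tier PKI with made-up names, written in Let's Encrypt style.
make_test_pki() {
    d=$1; cnf=$d/openssl.cnf
    cat > "$cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.test
EOF
    ec="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
    # Self-signed root: the trust anchor a client already holds.
    openssl req -x509 -config "$cnf" -extensions ca_ext $ec -days 1 \
        -subj "/CN=Example Test Root" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    # Intermediate signed by the root (the role R10/E5 play for Let's Encrypt).
    openssl req -new -config "$cnf" $ec -subj "/CN=Example Test Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 1 -extfile "$cnf" -extensions ca_ext -out "$d/int.pem" 2>/dev/null
    # Server (leaf) certificate signed by the intermediate.
    openssl req -new -config "$cnf" $ec -subj "/CN=mail.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -days 1 -extfile "$cnf" -extensions leaf_ext -out "$d/leaf.pem" 2>/dev/null
    cp "$d/leaf.pem" "$d/cert.pem"                         # what the thread's main.cf points at
    cp "$d/int.pem" "$d/chain.pem"
    cat "$d/leaf.pem" "$d/int.pem" > "$d/fullchain.pem"    # what it should point at
    cat "$d/int.pem" "$d/leaf.pem" > "$d/wrongorder.pem"   # right certs, wrong order
}

# Demo: cert.pem fails (no intermediate), fullchain.pem passes, wrongorder.pem fails on order.
demo_dir=$(mktemp -d)
make_test_pki "$demo_dir"
for f in cert.pem fullchain.pem wrongorder.pem; do
    if check_chain "$demo_dir/$f" "$demo_dir/root.pem"; then echo "   RESULT: PASS"; else echo "   RESULT: FAIL"; fi
done
rm -rf "$demo_dir"
```

Run against the real files the fix is the one Dan describes: set smtpd_tls_cert_file to the live fullchain.pem (Postfix reads the server certificate first, then the intermediates, from that file) and run postfix reload; Postfix 3.4 and later can also take smtpd_tls_chain_files = privkey.pem, fullchain.pem in place of the separate key and cert parameters. To see what a running server actually sends, rather than what is on disk, openssl s_client -starttls smtp -connect host:25 -showcerts prints the chain in the same "0 s:/i:" form the script uses.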
