This has been driving me absolutely crazy. So far I’ve managed to send and receive mail via the SOGo panel; however, I would like to set up SMTP with SSL in order to use it externally, e.g. from WordPress or Outlook.
I have certificates in data/assets/ssl/acme.
However postfix is throwing: warning: TLS library problem: error:0A000416:SSL routines::sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1605:SSL alert number 46:
When checking SMTP on port 587 I get this:

SMTP send error
The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot

I have also renewed the certificates using touch data/assets/ssl/force_renew

I would seriously appreciate any help on this topic, thank you.

  • DocFraggle

    • Community Hero
    Moolevel 278

Paste the log of your acme container, you should see if something went wrong issuing the certificate


    • DocFraggle

      • Community Hero
      Moolevel 278

    Your DNS entries are wrong, see the log

    And autodiscover and autoconfig are missing completely

      DocFraggle
      Would this be because the domain mail.shadowycollectibles.co.uk is on Cloudflare (proxy)?
      Annoyingly, I use that domain for the UI web panel, and all SFTP and DNS records are on MX.shadowycollectibles.co.uk without proxy.

      • DocFraggle

        • Community Hero
        Moolevel 278

      If you are running this behind a reverse proxy (Cloudflare), you have to create the certificate there and copy it to your mailcow instance…

      I don’t understand why so many people use Cloudflare for their web UI lately… 80% of the problems posted here are due to reverse proxy problems….

        DocFraggle I have already done this, and specified mailcow to use my cert and key files, yet I was getting an Unknown CA error, so it didn’t work.
        Would you recommend then, to turn off proxy on mail.shadowycollectibles.co.uk?
        So mail and mx aren’t using reverse proxy?

          DocFraggle Okay, so I’ve followed that again: I’ve put my Cloudflare key and cert into /data/assets/ssl/cert.pem/key.pem
          Then added SKIP_LETS_ENCRYPT=y into mailcow.conf
          Turned off reverse proxy on mail.
          Now I’m getting this.

            • DocFraggle

              • Community Hero
              Moolevel 278

            whiterose Turned off reverse proxy on mail.

            If you turned it off, use the default ACME mechanism

            Your generated certificate is missing the MX.mail…. SAN now

              • DocFraggle

                • Community Hero
                Moolevel 278
              • Edited

              So first of all, you don’t have a reverse DNS entry:


              Then, your certificate chain is missing the ICA certificate(s), that’s the reason why it’s throwing this error. You have to add all relevant ICA certificates from Cloudflare to your cert.pem file as well!

              SSL Server Test: mail.shadowycollectibles.co.uk (Powered by Qualys SSL Labs)

              But as it’s still showing the Cloudflare certificate, something went wrong while reissuing or you forgot to reissue your Letsencrypt certificate.
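              A way to check both points raised above (a missing hostname SAN and a missing intermediate) against a cert.pem bundle, as an added example that is not part of this thread or of mailcow. It builds a throwaway root CA, intermediate (ICA) and leaf with placeholder names (example.test) so it runs offline and only needs openssl and awk:

```shell
#!/bin/sh
# Added example, not from the thread or from mailcow. All names (Demo Root, Demo ICA,
# mail/mx.example.test) are constructed placeholders; everything lives in a temp dir.
set -e
WORK=$(mktemp -d); cd "$WORK"

# Extensions shared by the root and the intermediate CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
# Self-signed root CA.
openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Demo Root" >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 3650 -extfile ca.ext >/dev/null 2>&1
# Intermediate CA (the "ICA") signed by the root.
openssl req -newkey rsa:2048 -nodes -keyout ica.key -out ica.csr -subj "/CN=Demo ICA" >/dev/null 2>&1
openssl x509 -req -in ica.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out ica.pem -days 1825 -extfile ca.ext >/dev/null 2>&1
# Leaf for the mail host with both hostnames as SANs, signed by the ICA only.
openssl req -newkey rsa:2048 -nodes -keyout key.pem -out leaf.csr -subj "/CN=mail.example.test" >/dev/null 2>&1
printf 'subjectAltName=DNS:mail.example.test,DNS:mx.example.test\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA ica.pem -CAkey ica.key -CAcreateserial \
  -out leaf.pem -days 90 -extfile leaf.ext >/dev/null 2>&1

# The two cert.pem shapes from the thread: leaf alone, and leaf with the ICA appended.
cp leaf.pem cert-leaf-only.pem
cat leaf.pem ica.pem > cert-with-ica.pem

# check_chain BUNDLE ROOT: prints "ok" if the first certificate in BUNDLE chains to ROOT
# using only the certificates that follow it (what the server sends to a client),
# otherwise "incomplete" (the UntrustedRoot / "certificate unknown" situation).
check_chain() {
  rm -f _leaf.pem _inter.pem
  awk '/BEGIN CERT/{n++} {print > (n==1 ? "_leaf.pem" : "_inter.pem")}' "$1"
  untrusted=""
  [ -s _inter.pem ] && untrusted="-untrusted _inter.pem"
  if openssl verify -CAfile "$2" $untrusted _leaf.pem >/dev/null 2>&1; then
    echo ok
  else
    echo incomplete; return 1
  fi
}

# has_san BUNDLE NAME: succeeds if the leaf (first cert in BUNDLE) lists NAME as a DNS SAN.
has_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName | grep -q "DNS:$2"
}

check_chain cert-leaf-only.pem root.pem || true   # -> incomplete
check_chain cert-with-ica.pem root.pem            # -> ok
```

              Against a real bundle, pass the Cloudflare origin root (or the Let’s Encrypt root) as ROOT; a client that already trusts that root still needs the intermediate from cert.pem.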

              4 days later

              I use mailcow behind NPM (nginx-proxy-manager) and I had this same problem two days ago. I’m going to write up the solution I used for my case, which might help you find your specific problem.

              INTRODUCTION

              After the certificates for the receiving and sending protocols expired, the email managers lost communication with the server and the following error appeared in the mailcow-postfix logs:

              TLS library problem: error:0A000416:SSL routines::sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1605:SSL alert numb

              After a lot of research, I discovered that the problem wasn’t the firewall, DNS or many other suggestions from the forums. In fact, the problem was that I needed to use the reverse proxy certificates in mailcow.

              SOLUTION

              The problem is between the reverse proxy and the Let’s Encrypt certificate.

              IMPORTANT:

              a. Before performing the procedures, make a backup;
              b. Perform a ‘docker-compose down’. This should be done before changing the certificate files and changing mailcow.conf (if necessary);
              c. After the procedure, perform a ‘docker-compose up -d’.

              1. Create a certificate with the name mail.domain.com and download this certificate from the NPM SSL menu.
              2. After downloading, you need to copy the cert3.pem file to cert.pem and privkey3.pem to key.pem in the /opt/mailcow-dockerized/data/assets/ssl folder, replacing the ones that are already there.
              3. In the mailcow.conf file in the /opt/mailcow-dockerized directory, set HTTP_PORT to 8080 (or any port you don’t already use), HTTP_BIND to 127.0.0.1, HTTPS_PORT to 8443 (or another port number that isn’t already in use), and HTTPS_BIND to 127.0.0.1.
              4. In NPM, set the ‘Target’ to the name of the Docker container (mailcowdockerized-nginx-mailcow-1) or the IP address of the container, and the port number to 8443 (HTTPS_PORT in mailcow.conf), block common exploits, set Websockets support to enabled, set the SSL certificate, and force SSL on the SSL page.
              5. You must place the mailcowdockerized-nginx-mailcow-1 container on the same network as nginx-proxy-manager. Leave them on both networks.

              The certificates should work again.
