Postfix - TLS library problem / LE / Certificate Unknown

whiterose

This has been driving me absolutely crazy, so far I’ve managed to send mail and receive via the SoGo panel, however I would like to setup SMTP with SSL, in order to use externally such as Wordpress or outlook.
I have certificates in data/assets/ssl/acme.
However postfix is throwing: warning: TLS library problem: error:0A000416:SSL routines::sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1605:SSL alert number 46:
When checking SMTP with port 587 I get this

SMTP send error
The` remote certificate is invalid because of errors in the certificate chain: UntrustedRoot

I have also renewed the certificates using touch data/assets/ssl/force_renew

I would seriously appreciate any help on this topic, thank you.

DocFraggle

Paste the log of your acme container, you should see if something went wrong issuing the certificate

whiterose

DocFraggle

Your DNS entries are wrong, see the log

And autodiscover and autoconfig are missing completely

whiterose

DocFraggle
Would this be because the domain mail.shadowycollectibles.co.uk is on cloudflare (proxy)
Annoyingly I use that domain for the UI web panel, and all SFTP and DNS records are on MX.shadowycollectibles.co.uk
without Proxy.

DocFraggle

If you are running this behind a reverse proxy (Cloudflare), you have to create the certificate there and copy it to you mailcow instance…

I don’t understand why so many people use Cloudflare for their web UI lately… 80% of the problems posted here are due to reverse proxy problems….

whiterose

DocFraggle I have already done this, and specified mailcow to use my cert and key files. yet I was getting a Unknown CA Error, thus didn’t work.
Would you recommend then, to turn off proxy on mail.shadowycollectibles.co.uk?
So mail and mx aren’t using reverse proxy?

DocFraggle

whiterose specified mailcow to use my cert and key files

Where did you specify that? Please read the docs:

https://docs.mailcow.email/post_installation/firststeps-ssl/#how-to-use-your-own-certificate

whiterose Would you recommend then, to turn off proxy on mail.shadowycollectibles.co.uk?

This would definitely cause less problems

whiterose

DocFraggle Okay so I’ve followed that again, I’ve inputted my cloudflare key and cert into /data/assets/ssl/cert.pem/key.pem
Then added SKIP_LETS_ENCRYPT=y into mailcow.cnf
Turned off reverse proxy on mail.
Now I’m getting this.

DocFraggle

whiterose Turned off reverse proxy on mail.

If you turned it off, use the default ACME mechanism

Your generated certificate is missing the MX.mail…. SAN now

whiterose

DocFraggle set SKIP_LETS_ENCRYPT=n
now getting

DocFraggle

So first of all, you don’t have a reverse DNS entry:

https://mxtoolbox.com/SuperTool.aspx?action=smtp%3Amail.shadowycollectibles.co.uk&run=toolpage#

Then, your certificate chain is missing the ICA certificate(s), that’s the reason why it’s throwing this error. You have to add all relevant ICA certificates from Cloudflare to your cert.pem file as well!

https://www.ssllabs.com/ssltest/analyze.html?d=mail.shadowycollectibles.co.uk

But as it’s still showing the Cloudflare certificate, something went wrong while reissuing or you forgot to reissue your Letsencrypt certificate.

justinojjsj

I use mailcow behind NPM (nginx-proxy-manager) and I had this same problem two days ago. I’m going to write the solution I did for my case, which might help you find your specific problem.

INTRODUCTION

After the certificates for the receiving and sending protocols expired, the email managers lost communication with the server and the following error appeared in the mailcow-postfix logs:

TLS library problem: error:0A000416:SSL routines::sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1605:SSL alert numb

After a lot of research, I discovered that the problem wasn’t the firewall, DNS or many other suggestions from the forums. In fact, the problem was that I needed to use the reverse proxy certificates in mailcow.

SOLUTION

The problem is between the reverse proxy and the Let’s Encrypt certificate.

IMPORTANT:

a. Before performing the procedures, make a backup;
b. Perform a ‘docker-compose down’. This should be done before changing the certificate files and changing mailcow.conf (if necessary);
c. After the procedure, perform a ‘docker-compose up -d’.

Create a certificate with the name mail.domain.com and download this certificate from the NPM SSL menu.
After downloading, you need to copy the cert3.pem file to cert.pem and privkey3.pem to key.pem in the /opt/mailcow-dockerized/data/assets/ssl folder, replacing the ones that are already there. 3. In the mailcow.conf file in the /opt/mailcow-dockerized directory, set HTTP-PORT to 8080, or any port you don’t already use, HTTP_BIND to 127.0.0.1, HTTPS-PORT to 8443, or another port number that isn’t already in use, and HTTPS_BIND to 127.0.0.1.
In NPM, set the ‘Target’ to the name of the Docker container (mailcowdockerized-nginx-mailcow-1) or the IP address of the container, and the port number to 8443 (HTTPS-PORT in mailcow.conf), block common exploits, set Websockets-support to enabled, set the SSL certificate, and force SSL on the SSL page.
You must place the mailcowdockerized-nginx-mailcow-1 container on the same network as ngix-proxy-manager. Leave them on both networks.

The certificates should work again.