Problem with ssl intermediate certificate



Postby RAWatts » Sun Jun 14th, 2015 10:42am

Mailtraq Version: 2.17.7.3560

Hello all.

I'm having some difficulty in getting my certificate recognised. I have obtained a certificate for my mail server from my domain registrar (Gandi) and have also got their intermediate CA cert. I have concatenated these, together with my private key, and imported them into Mailtraq, seemingly successfully. However, it looks like the certificate chain is not being provided by Mailtraq.

When I try this:

openssl s_client -CApath /etc/ssl/certs -connect mail.glenparva.com:995


I get:

 Verify return code: 21 (unable to verify the first certificate)


as the error message.

DigiCert's SSL checker,

https://www.digicert.com/help/

shows no chained certificate.

I also tried converting the individual pem format certs to a pfx file, but got the same results.

Can anyone help me with this?

Regards, Rob.
RAWatts
 
Posts: 11
Joined: Sun Jul 08th, 2012 2:23pm
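What the `openssl s_client` result above is telling you, reproduced offline as an added example (this is not code from the thread or from Mailtraq): a throw-away root, intermediate and leaf are generated with `openssl`, then the leaf is verified first on its own, as a server that forgets the intermediate presents it, and then together with the intermediate. The script also splits a PEM bundle of the kind the poster imported (leaf, intermediate, private key concatenated) and checks that each certificate is issued by the next one, which is the order the server has to send. The names `Example Root CA`, `Example Intermediate CA` and `mail.example.test` are made up for the demo.

```shell
#!/bin/sh
# Added example: offline reproduction of the "missing intermediate" failure and
# a pre-import check of a PEM bundle. Needs only the openssl command-line tool.
set -eu
command -v openssl >/dev/null || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:mail.example.test\n' > "$WORK/leaf.ext"

# Build root -> intermediate -> leaf, the same shape as a CA-issued mail cert.
gen_pki() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -days 1825 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" -subj "/CN=mail.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# Number of CERTIFICATE blocks in a PEM file (a PRIVATE KEY block is not counted).
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Write the CERTIFICATE blocks of $1 to $2 1.pem, $2 2.pem, ... in file order.
# Anything outside a certificate block (e.g. the private key) is skipped.
split_certs() {
  awk -v p="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = p n ".pem" }
    f { print > f }
    /-----END CERTIFICATE-----/  { close(f); f = "" }' "$1"
}

# Structural check: certificate i must be issued by certificate i+1
# (leaf, then intermediate, then optionally the root). Returns 1 on the first break.
chain_order_ok() {
  d=$(mktemp -d)
  split_certs "$1" "$d/c"
  n=$(cert_count "$1")
  [ "$n" -ge 1 ] || { rm -rf "$d"; return 1; }
  i=1
  while [ "$i" -lt "$n" ]; do
    iss=$(openssl x509 -in "$d/c$i.pem" -noout -issuer_hash)
    sub=$(openssl x509 -in "$d/c$((i + 1)).pem" -noout -subject_hash)
    if [ "$iss" != "$sub" ]; then rm -rf "$d"; return 1; fi
    i=$((i + 1))
  done
  rm -rf "$d"
  return 0
}

# Cryptographic check: can the leaf be chained to the trust anchor with the
# intermediates that were (or were not) supplied? `openssl verify` stops at the
# first error (20, "unable to get local issuer certificate"); s_client keeps going
# and reports the last one, 21, "unable to verify the first certificate".
verify_leaf() {  # $1 trust anchor, $2 leaf, $3 (optional) file of untrusted intermediates
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

gen_pki
# What the poster imported: leaf + intermediate + key, in that order.
cat "$WORK/leaf.pem" "$WORK/int.pem" "$WORK/leaf.key" > "$WORK/bundle.pem"
# A common mistake: intermediate before leaf.
cat "$WORK/int.pem" "$WORK/leaf.pem" > "$WORK/wrong_order.pem"

echo "certificates in bundle: $(cert_count "$WORK/bundle.pem")"
if chain_order_ok "$WORK/bundle.pem"; then echo "bundle order: ok"; else echo "bundle order: BROKEN"; fi
if chain_order_ok "$WORK/wrong_order.pem"; then echo "wrong_order: ok"; else echo "wrong_order: BROKEN"; fi
# A server that sends only the leaf (the symptom in this thread) vs. the full chain.
if verify_leaf "$WORK/root.pem" "$WORK/leaf.pem"; then echo "leaf alone: verified"; else echo "leaf alone: FAILS (no path to the root)"; fi
if verify_leaf "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/int.pem"; then echo "leaf + intermediate: verified"; else echo "leaf + intermediate: FAILS"; fi
```

To see what a live server actually sends, add `-showcerts` to the `s_client` command from the post and count the `BEGIN CERTIFICATE` blocks in the output: one block means only the leaf was sent, whatever was imported. For the explicit (STARTTLS) variant on port 110 use `openssl s_client -starttls pop3 -connect host:110 -showcerts`. A chain that passes `chain_order_ok` and `verify_leaf` locally but still gives return code 21 from `s_client` points at the server software, not the certificate files.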

Re: Problem with ssl intermediate certificate

Postby Martin Clayton » Sun Jun 14th, 2015 12:09pm

RAWatts wrote:no chained certificate


AIUI, a quirk of Mailtraq's TLS implementation requires that intermediaries are hard-coded. Presumably, that's http://crt.gandi.net/GandiStandardSSLCA.crt and/or http://crt.gandi.net/GandiProSSLCA.crt listed at Gandi. So, I guess it's one for Elric and the release notes.

If you're stuck, recent Mailtraq builds support StartSSL, including the free class 1. (I'm currently using a class 2 wildcard).
Martin Clayton
Expert User
 
Posts: 529
Joined: Sat Jan 15th, 2005 8:20am
Location: London, UK

Re: Problem with ssl intermediate certificate

Postby RAWatts » Sun Jun 14th, 2015 3:03pm

Thanks for your reply Martin.

This is all a bit new to me I'm afraid, so just to make sure I understand you, are you saying that this is something that Elric needs to look at, or something I can sort out myself?

What I want to be able to do is to collect my mail from my Mailtraq server using Gmail. They don't allow self signed certs and so I went and got some from Gandi, as they are free for a year. I could do it all unencrypted, but...

I can collect mail from the POP3S server locally no problem, and Outlook2013 makes not a murmur about my certificate. I also turned on strong encryption, but was having these problems even before I did that.

I used this utility to obtain the intermediate certs.

https://github.com/zakjan/cert-chain-resolver

Regards, Rob.
RAWatts
 
Posts: 11
Joined: Sun Jul 08th, 2012 2:23pm

Re: Problem with ssl intermediate certificate

Postby Martin Clayton » Sun Jun 14th, 2015 3:36pm

RAWatts wrote:just to make sure I understand you, are you saying that this is something that Elric needs to look at

Yup, AIUI the intermediary certificates have to be hard-coded in the .exe, so you'll only get the full chain if your build supports the intermediary. In this case, I'm assuming that Mailtraq doesn't currently support the Gandi intermediaries.

RAWatts wrote:What I want to be able to do is to collect my mail from my Mailtraq server using Gmail. They don't allow self signed certs

Would it make sense to forward messages to your gmail account (smtp) so that gmail doesn't have to pull (pop3/imap) from Mailtraq?
Martin Clayton
Expert User
 
Posts: 529
Joined: Sat Jan 15th, 2005 8:20am
Location: London, UK

Re: Problem with ssl intermediate certificate

Postby RAWatts » Sun Jun 14th, 2015 4:13pm

Aha, that's what I'm doing at the moment. :D However, I've recently had one or two "issues" with mail from Yahoo addresses and their DMARC policy. I thought this change might fix that.

I've just had a go with a StartSSL class 1 cert along with their intermediate certs, but no joy, still the same error.

In the release notes for the Mailtraq build I'm using is the intriguing comment:

Force Certificate Chain for TLS


which makes me wonder...

Thank you for taking the time to help me, it's much appreciated.

Regards, Rob.
RAWatts
 
Posts: 11
Joined: Sun Jul 08th, 2012 2:23pm

Re: Problem with ssl intermediate certificate

Postby Martin Clayton » Mon Jun 15th, 2015 6:51am

RAWatts wrote:had a go with a Startssl class 1 cert along with their intermediate certs, but no joy


Ah, sorry, I think you need build .3566 or above which is unpublished beta territory; if you're feeling plucky, punk, <g> you could try 3568 or 3572 or (3566, 3570 & 3574 are multi-domain) but check the exe file properties shows version '2.17' before installing anything.
Martin Clayton
Expert User
 
Posts: 529
Joined: Sat Jan 15th, 2005 8:20am
Location: London, UK

Re: Problem with ssl intermediate certificate

Postby RAWatts » Mon Jun 15th, 2015 2:04pm

Martin Clayton wrote:Ah, sorry, I think you need build .3566 or above which is unpublished beta territory


Is there a link to the beta downloads? They seem hard to find.
RAWatts
 
Posts: 11
Joined: Sun Jul 08th, 2012 2:23pm

Re: Problem with ssl intermediate certificate

Postby Martin Clayton » Mon Jun 15th, 2015 2:56pm

RAWatts wrote:a link to the beta downloads

They reside here:

http://resources.mailtraq.com/files/MailtraqWixSetupXXXX.exe
Martin Clayton
Expert User
 
Posts: 529
Joined: Sat Jan 15th, 2005 8:20am
Location: London, UK

Re: Problem with ssl intermediate certificate

Postby RAWatts » Mon Jun 15th, 2015 5:51pm

Martin Clayton wrote:
RAWatts wrote:a link to the beta downloads

They reside here:

http://resources.mailtraq.com/files/MailtraqWixSetupXXXX.exe


No joy I'm afraid. 3566 and 3572 stopped accepting mail from Gmail, so I rolled back my VM. Maybe I can get Stunnel working... :)

Regards, Rob.
RAWatts
 
Posts: 11
Joined: Sun Jul 08th, 2012 2:23pm

Re: Problem with ssl intermediate certificate

Postby Martin Clayton » Tue Jun 16th, 2015 7:17am

RAWatts wrote:3566 and 3572 stopped accepting mail from Gmail

That's not the progress I was expecting. ;) Did the log or error message point at anything specific?

I'm stuffed for time this week but I'll try and test a Class 1 response next. A StartSSL Class 2, imported as pfx, on multi-domain 3566 (you didn't really try that did you?) works better than ever - full chain, Common Name matching via wildcard, no issues with gmail, etc. I've only tested with SslStrong=1 set on all relevant services in system.cfg. NB some of the ssl test sites - I think you cited one earlier - will still report some vulnerabilities (e.g, mitm) which I expect is work-in-progress.
Martin Clayton
Expert User
 
Posts: 529
Joined: Sat Jan 15th, 2005 8:20am
Location: London, UK

Re: Problem with ssl intermediate certificate

Postby RAWatts » Wed Jun 17th, 2015 1:29pm

Martin Clayton wrote:
RAWatts wrote:3566 and 3572 stopped accepting mail from Gmail

That's not the progress I was expecting. ;) Did the log or error message point at anything specific?



I've set up a test environment so I can mess about with impunity without breaking my day to day setup. SMTP is now working in explicit mode.

3572 still won't work on POP3S, either in implicit or explicit mode, using my StartSSL cert.

In explicit mode I get "Server returned error: "SSL protocol error. Please try disabling SSL, or contact your other provider to verify the correct port settings.""

In implicit mode I get "Server returned error: "SSL error: unable to verify the first certificate""

Anyone actually got this working with Gmail, Mailtraq and POP3S? If so, could you share your setup?

Regards, Rob.
RAWatts
 
Posts: 11
Joined: Sun Jul 08th, 2012 2:23pm

Re: Problem with ssl intermediate certificate

Postby RAWatts » Sat Jun 27th, 2015 1:13pm

RAWatts wrote:I've set up a test environment so I can mess about with impunity without breaking my day to day setup. SMTP is now working in explicit mode.


Just a further bit of data, in case anyone's trying to get this working.

I have set up a POP server (Dovecot), and retrieving mail from it in Gmail using POP3S and my StartSSL class 1 cert works fine, so it's definitely a problem with Mailtraq.

Is 3572 the latest beta of Mailtraq? I'd really like to stay with it if possible.

Regards, Rob.
RAWatts
 
Posts: 11
Joined: Sun Jul 08th, 2012 2:23pm

Re: Problem with ssl intermediate certificate

Postby masaruta4at » Sun Sep 06th, 2015 12:50am

:D :D :D :D Oops, sorry, wrong thread.
masaruta4at
 
Posts: 1
Joined: Sun Sep 06th, 2015 12:46am

Re: Problem with ssl intermediate certificate

Postby HAERAY » Tue Oct 06th, 2015 5:51am

Mailtraq Version: 2.17.7.3562
Comodo SSL

Hello All,

Anything new on this matter... I'm in a very similar boat and it's adrift.

Thanks,
RAy
HAERAY
 
Posts: 2
Joined: Tue Oct 06th, 2015 4:59am

Re: Problem with ssl intermediate certificate

Postby RAWatts » Tue Oct 06th, 2015 9:23am

HAERAY wrote:Mailtraq Version: 2.17.7.3562
Comodo SSL

Hello All,

Anything new on this matter... I'm in a very similar boat and it's adrift.

Thanks,
RAy


Hi.

I've let this lie for the moment. I'm forwarding my mail from Mailtraq to a Dovecot server and picking it up from there in GMail using POP3S. It works, but I'd rather it was all being done in Mailtraq. I'm sure that one day it will be sorted.

Regards, Rob.
RAWatts
 
Posts: 11
Joined: Sun Jul 08th, 2012 2:23pm
