1 (edited by rombosgt 2019-11-20 14:15:31)

Topic: SSL trouble

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.9
- Deployed with iRedMail Easy or the downloadable installer? Downloadable installer
- Linux/BSD distribution name and version: Debian 9.8.0
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MariaDB
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
Hi, I'm not very good at this and I really need your help.

We have Pfsense with a self-signed CA. I need to set up Thunderbird with SSL support. Pfsense must validate the client and server certificate. I followed these instructions https://docs.iredmail.org/use.a.bought. … cate.html:
1. Created in iRedMail a key and a request for signing.
2. Signed a request in Pfsense.
3. Pfsense gave me three files: .crt, .key, .p12.
4. I copied the .crt and .key files to /etc/ssl/certs and /etc/ssl/private (renamed them to iRedMail.crt and iRedMail.key).
5. Also, I placed the Pfsense CA file in /etc/ssl/certs/CA.crt and in /etc/postfix/main.cf added the path to this CA file:

smtpd_tls_CAfile = /etc/ssl/certs/CA.crt

6. Restarted the server.

Added all these certificates to Thunderbird, but it still gives a message that "the certificate was not found on mydomain:110" with a proposal to add an exception.

What am I doing wrong? Tell me at least in what direction to look for the problem.

Thank you


2

Re: SSL trouble

You should request a free cert instead, not a self-signed one:
https://docs.iredmail.org/letsencrypt.html

3

Re: SSL trouble

ZhangHuangbin wrote:

You should request a free cert instead, not a self-signed one:
https://docs.iredmail.org/letsencrypt.html

I need to use a Pfsense certificate. But I found the next problem: even if I want to view the certificates with the command

openssl s_client -connect mail.mydomain.com:110 -showcerts

after a few minutes it gives me:

140317071503424:error:0200206E:system library:connect:Connection timed out:../crypto/bio/b_sock2.c:108:
140317071503424:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:109:
connect:errno=110
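
An added example, not part of the thread or of iRedMail's documentation: local checks for the certificate, key and CA files installed in steps 4 and 5 of the first post, plus a probe for port 110. Port 110 is plaintext POP3 that upgrades to TLS with STLS, so `openssl s_client` needs `-starttls pop3` there; the function names and the throwaway test PKI are assumptions, and the probe is only informative once the TCP connection itself succeeds.

```sh
#!/bin/sh
# Added example. Function names and the throwaway PKI are assumptions.

# True when the private key and the certificate hold the same public key.
key_matches_cert() {  # usage: key_matches_cert CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when CERT verifies against the CA file (the file smtpd_tls_CAfile points at).
cert_chains_to_ca() {  # usage: cert_chains_to_ca CA CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Port 110 speaks plaintext POP3 first; -starttls pop3 sends STLS before the handshake.
# Needs network access; HOST is the name the certificate was issued for.
pop3_tls_probe() {  # usage: pop3_tls_probe HOST CA
    openssl s_client -connect "$1:110" -starttls pop3 -servername "$1" \
        -CAfile "$2" -verify_return_error </dev/null
}

# Constructed test data: a throwaway CA and a server certificate signed by it.
make_constructed_pki() {  # usage: make_constructed_pki DIR
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$1/CA.key" -out "$1/CA.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$1/iRedMail.key" -out "$1/iRedMail.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/iRedMail.csr" -CA "$1/CA.crt" -CAkey "$1/CA.key" \
        -CAcreateserial -days 1 -out "$1/iRedMail.crt" 2>/dev/null
}

# Run against real files: sh check.sh CERT KEY CA
if [ "$#" -eq 3 ]; then
    key_matches_cert "$1" "$2" && echo "key matches certificate" \
        || echo "key/certificate MISMATCH"
    cert_chains_to_ca "$3" "$1" && echo "certificate chains to CA" \
        || echo "chain verification FAILED"
fi
```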