Score:0

Postfix, TLS and self-signed certificates


I'm trying to set up postfix with TLS.

I've refreshed it by doing the following, which removes the defaults so that tls enable-server updates the main.cf file and generates certificates:

sudo postconf -X `postconf -nH | egrep '^smtpd(_|_enforce_|_use_)tls'`
sudo postfix tls enable-server
sudo postfix reload

Many instructions I've followed seem to indicate this is all that's required to enable TLS.

When I run the following...

openssl s_client -connect mailhost:25 -starttls smtp

I get the error:

Verification error: self signed certificate

This produces the error from my application:

stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:  
  error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

If I understand it, the enable-server command will generate a self-signed certificate for me and other sources tell me that's what's required.

Is there something I'm misunderstanding about self-signing and postfix? Why am I getting a validation error?

Score:1

A self-signed certificate means that it is not issued by a publicly trusted certificate authority like Let's Encrypt. This means that the certificate will not be trusted by applications which just trust publicly issued certificates - i.e. most applications. That's why you get this validation error.

While there are ways to ignore invalid certificates (i.e. TLS without validation, which is common in the SMTP+TLS world for the lazy people), you're 100% accurate that 'self signed' certificates will never be trusted by remote applications and such. You may want to mention to OP that if they intend for it to be valid and not trigger that error, they have to get a legitimate SSL certificate for use in their mail server.
Steffen Ullrich
@ThomasWard: While you are right in general, unfortunately nothing is known about the use case of the OP. It might be an installation of Postfix to deliver local mails, it might be a company-wide server or it might be an internet-facing system. What kind of certificate to get and how to get it would very much depend on the (unknown) use case though.
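The following is an added example, not code from the question, the answer or the Postfix project. It reproduces the "self signed certificate" verification error that the question's openssl s_client run and the application hit, using a throwaway certificate of the kind postfix tls enable-server creates, and then shows the remedy the answer and comments point at for a private server: a client that explicitly trusts that one certificate instead of switching verification off. The hostname mailhost.example.test, the scratch directory and the function names are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not code from the question, the answer or the Postfix project.
# It rebuilds the "self signed certificate" verification error with a throwaway
# certificate and shows a legitimate remedy. The hostname, the scratch
# directory and the function names are constructed for this illustration.
set -eu

WORK="${TMPDIR:-/tmp}/postfix-selfsigned-demo"   # constructed scratch directory
mkdir -p "$WORK"

# Create a throwaway self-signed certificate for a constructed hostname; this is
# the kind of certificate "postfix tls enable-server" puts on the real server.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=mailhost.example.test" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# Verify against the default (system) trust store only. This is what the
# application and "openssl s_client" do, and it returns non-zero because no
# public CA vouches for the certificate (OpenSSL error 18, "self signed").
verify_with_system_store() {
    openssl verify "$WORK/cert.pem" 2>&1
}

# Verify while explicitly trusting this one certificate. A client that has to
# talk to a private Postfix host can ship the server's own certificate as its
# CA file (in PHP, the "cafile" SSL stream context option) instead of turning
# verification off; this returns zero.
verify_with_pinned_cert() {
    openssl verify -CAfile "$WORK/cert.pem" "$WORK/cert.pem" 2>&1
}

make_self_signed
echo "--- default trust store (fails, like s_client and the application did) ---"
verify_with_system_store || true
echo "--- trusting the server's own certificate explicitly (succeeds) ---"
verify_with_pinned_cert
```

The first verification fails with the same error 18 the question shows because the system trust store contains only public CAs; the second succeeds because the client has been told which certificate to expect. For an internet-facing server the other remedy is the one the answer names: install a certificate from a public CA such as Let's Encrypt and point smtpd_tls_cert_file and smtpd_tls_key_file at it in main.cf, after which the default trust store verifies it without any client-side change.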