Score:0

Can't get incoming mail over TLS for Postfix SMTP Relay

cn flag

I have a Postfix Ubuntu VM acting as a mail relay server, which accepts mail on port 25 and forwards it on to Microsoft Exchange online for delivery. This has been working fine for months.

Now I need to allow an SMTP client, which must use TLS, to also send e-mails via the relay. I have added the following to my Postfix main.cf:

smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
smtpd_tls_chain_files =
        ${cert_path}/cert.pem,
        ${cert_path}/chain.pem

However, when I try swaks with the --tls-on-connect flag I get a "Connection refused" on ports 465 and 587. The old non-encrypted port 25 stuff still works. The pem files are generated by Let's Encrypt and the private key counterparts work for encrypting the outgoing mail to Exchange online. I have verified them with:

openssl verify -purpose sslserver  -partial_chain -CAfile /etc/letsencrypt/live/<server FQDN>/chain.pem /etc/letsencrypt/live/<server FQDN>/cert.pem

However, when I attempt to make a TLS connection from an SMTP client this appears in the log:

Mar 18 14:41:49 hermes postfix/smtpd[578652]: warning: error loading chain from /etc/letsencrypt/live/<server FQDN>/cert.pem: key not first
Mar 18 14:41:49 hermes postfix/smtpd[578652]: warning: error loading private keys and certificates from: /etc/letsencrypt/live/<server FQDN>/cert.pem,?/etc/letsencrypt/live/<server FQDN>/chain.pem: disabling TLS support

I suppose the question I am facing is how to use the Let's Encrypt SSL certificate for enabling TLS on my mail relay server.

Steffen Ullrich
se flag
It is not fully clear to me what you are trying. But if you want to test port 25 with TLS use `--tls` and not `--tls-on-connect`.
Score:1
za flag

Both Certbot's chain and cert files don't contain the server's private key. Both error messages are just complaints about that. The key is only contained in the privkey file.

If you wish to use a single file with both key and certificates, you need to manually concatenate the files (e.g. in a post-hook) and ensure the privkey contents go first, then the cert, then the chain, in this exact order.

Notice, the fullchain file is already a concatenation of cert and chain in the correct order. Just point to this ready-made certificate file. Also, Postfix doesn't need everything to be in a single file; there is a specific option to point to the key file.

I use certbot with Postfix like this:

smtpd_tls_cert_file = /etc/letsencrypt/live/example.org/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/example.org/privkey.pem
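The ordering rule the answer describes (private key block first, then the leaf certificate, then the chain) is easy to check mechanically. The script below is an added example, not code from the answerer or from Postfix or Certbot; it assumes only POSIX sh, sed and grep, and Certbot's usual live/ directory layout (privkey.pem, cert.pem, chain.pem, fullchain.pem). The `write_fixture` function creates constructed placeholder files so the script runs offline; the PEM bodies are not real key or certificate material and only the BEGIN/END headers are inspected. `make_chain_file` builds a combined file in the order `smtpd_tls_chain_files` expects and is the kind of thing one would call from a Certbot deploy hook, before reloading Postfix.

```shell
#!/bin/sh
# Added example (not from the original post). Checks and builds PEM files in
# the order Postfix's smtpd_tls_chain_files requires: private key first,
# then the leaf certificate, then the intermediate chain.
# Paths below are hypothetical; only sh, sed, grep, cat and mktemp are used.

# Print the BEGIN label of every PEM block in a file, one per line,
# e.g. "PRIVATE KEY", "CERTIFICATE", "CERTIFICATE".
pem_block_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Return 0 if the file is usable as a smtpd_tls_chain_files entry:
# the first block is a private key and at least one certificate follows.
# cert.pem, chain.pem and fullchain.pem from Certbot all fail this check,
# which is exactly what the "key not first" warning in the question means.
chain_file_ok() {
    first=$(pem_block_labels "$1" | head -n 1)
    case "$first" in
        *"PRIVATE KEY"*) ;;          # matches "PRIVATE KEY", "RSA PRIVATE KEY", ...
        *) return 1 ;;
    esac
    [ "$(pem_block_labels "$1" | grep -c '^CERTIFICATE')" -ge 1 ]
}

# Assemble a combined file in the order Postfix expects: privkey.pem, then
# fullchain.pem (which Certbot already writes as cert followed by chain).
# Written in a subshell with umask 077 so the key-bearing result is 0600.
make_chain_file() {
    src="$1"; out="$2"
    ( umask 077; cat "$src/privkey.pem" "$src/fullchain.pem" > "$out" )
    chain_file_ok "$out"
}

# Create a constructed Certbot-style live/ directory for offline testing.
# The bodies are placeholders, not real key or certificate material.
write_fixture() {
    dir="$1"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'placeholder-not-a-real-key' '-----END PRIVATE KEY-----' > "$dir/privkey.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder-leaf' '-----END CERTIFICATE-----' > "$dir/cert.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder-intermediate' '-----END CERTIFICATE-----' > "$dir/chain.pem"
    cat "$dir/cert.pem" "$dir/chain.pem" > "$dir/fullchain.pem"
}

# Walk through the check on the fixture and print the resulting block order.
demo() {
    live=$(mktemp -d)
    write_fixture "$live"
    for f in cert.pem chain.pem fullchain.pem; do
        if chain_file_ok "$live/$f"; then
            echo "$f: ok"
        else
            echo "$f: key not first (unusable for smtpd_tls_chain_files)"
        fi
    done
    make_chain_file "$live" "$live/postfix-chain.pem" && echo "postfix-chain.pem: ok"
    pem_block_labels "$live/postfix-chain.pem"
    rm -rf "$live"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh check-chain.sh demo` to see the three Certbot files rejected and the assembled file accepted. For the simpler two-file setup shown in the answer (`smtpd_tls_cert_file` plus `smtpd_tls_key_file`) no assembly is needed; the check is still useful in a renewal hook as a sanity test before Postfix is reloaded.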
ru flag
Same here; in addition, you need to remember to restart postfix when the keys get updated (assuming you do it automatically, which I do). So in my case I have this in /etc/letsencrypt/renewal/example.org.conf: ```post_hook = systemctl restart apache2 postfix dovecot```
Nikita Kipriyanov
za flag
While this is certainly true, the question originally wasn't about certbot usage details, but about use of certbot-generated files in Postfix.
ru flag
And while postfix monitors other files (files in the queue, mapping files etc.) it doesn't monitor the certificate files. Which is why I think my comment is valid.