Postfix SSL certificates with Comodo (PositiveSSL) - "Unknown Authority"

I have an issue with my mail server running a postfix/dovecot setup: essentially, when I run the various security tests, I get told that my certificates can't be validated; see here: https://ssl-tools.net/mailservers/brailsford.xyz

The certificates and related files I have available (which are valid as per https://brailsford.xyz) are:

  • AddTrustExternalCARoot.crt
  • brailsford_xyz.crt
  • COMODORSAAddTrustCA.crt
  • COMODORSADomainValidationSecureServerCA.crt

I also have my key file for the crt, brailsford_xyz.key

My setup in postfix is:

smtpd_tls_cert_file=/etc/ssl/certs/postfixchain.crt
smtpd_tls_key_file=/etc/ssl/private/brailsford.key
smtpd_tls_CAfile=/etc/ssl/certs/COMODORSADomainValidationSecureServerCA.crt
smtpd_use_tls=yes

The postfix chain is a combination of three of the certs from earlier, in the following order:

  1. brailsford_xyz.crt
  2. COMODORSADomainValidationSecureServerCA.crt
  3. AddTrustExternalCARoot.crt

Can anyone advise as to what I'm doing wrong and how I can rectify it?


Solution 1:

It seems your SSL certificate chain is not complete (or rather, is missing a link). Look at what openssl s_client returns when I connect to your mail server:

$ openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -starttls smtp -connect brailsford.xyz:587
CONNECTED(00000003)
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=brailsford.xyz
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---

As you can see there is a certificate with issuer (i) of "/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority" but the chain does not contain a certificate issued to that subject by a trusted CA (or a further intermediate CA).

As far as I can tell you are missing at least this certificate (as the third link in your chain): https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/966/108/intermediate-1-sha-2-comodo-rsa-certification-authority

That is serial number 27:66:ee:56:eb:49:f3:8e:ab:d7:70:a2:fc:84:de:22 and Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority

Solution 2:

Your directive:

smtpd_tls_CAfile=/etc/ssl/certs/COMODORSADomainValidationSecureServerCA.crt

is odd. You probably don't want to specify it at all - it is for the CA that issues client certificates if you are using client certificate authentication. It is not for your chain.

Normally it is enough to put your certificate followed by each of its intermediate CA certificates, in PEM format, concatenated together in the smtpd_tls_cert_file. It is not necessary to specify the root. Double-check that you are using the correct certificates there.

The error ssl-tools.net is giving is a little cryptic. Consider using openssl s_client to check for problems.
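A small script that catches the kind of break Solution 1 found and checks the ordering Solution 2 describes (server certificate first, then each intermediate). This is an added example, not part of the question or either answer; it assumes only the openssl CLI, and the file paths in the usage comment are placeholders.

```shell
#!/bin/sh
# check_chain CHAIN.pem [ROOT_CA.pem]
# Walks a concatenated PEM chain (server cert first, like Postfix's
# smtpd_tls_cert_file) and confirms that every certificate's issuer is the
# subject of the certificate that follows it, i.e. that no intermediate is
# missing or out of order. With a second argument it also runs "openssl
# verify" against that trust anchor. Assumes the openssl CLI is installed.
check_chain() {
    chain="$1"; cafile="$2"
    tmp=$(mktemp -d)
    # Split the bundle into cert1.pem, cert2.pem, ... and report how many.
    n=$(awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n > 0 { print > (dir "/cert" n ".pem") }
        END { print n + 0 }' "$chain")
    if [ "$n" -lt 1 ]; then
        echo "no PEM certificates found in $chain" >&2
        rm -rf "$tmp"; return 1
    fi
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -noout -issuer -in "$tmp/cert$i.pem" | sed 's/^issuer=//')
        next=$(openssl x509 -noout -subject -in "$tmp/cert$((i + 1)).pem" | sed 's/^subject=//')
        if [ "$issuer" != "$next" ]; then
            echo "broken link after certificate $i:" >&2
            echo "  it was issued by:    $issuer" >&2
            echo "  but the next one is: $next" >&2
            rm -rf "$tmp"; return 1
        fi
        i=$((i + 1))
    done
    # Optional: full path validation of the server cert up to a trust anchor.
    if [ -n "$cafile" ]; then
        openssl verify -CAfile "$cafile" -untrusted "$chain" "$tmp/cert1.pem" >/dev/null 2>&1 \
            || { echo "openssl verify failed against $cafile" >&2; rm -rf "$tmp"; return 1; }
    fi
    rm -rf "$tmp"
    return 0
}

# Usage (placeholder paths): sh check_chain.sh /etc/ssl/certs/postfixchain.crt /etc/ssl/certs/ca-certificates.crt
if [ "$#" -gt 0 ]; then
    check_chain "$@" && echo "chain looks complete and correctly ordered"
fi
```

On the chain from the question this reports a broken link after certificate 2, because the Domain Validation CA's issuer (COMODO RSA Certification Authority) is not the subject of the AddTrust root that follows it.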