Wayne Spivak:
> Hi Wietse,
>
> It's been a very long time since we communicated.
>
> This from SSL Labs states "self-signed":
>
> Path #1: Not trusted (path does not chain to a trusted anchor)
> 1 Sent by server mcq.sbanetweb.com
> Fingerprint SHA256:
> 1b48d54fd173fa980ca0ba8e2bbb5aabce3bbb9faf67bae4f375816155699efe
> Pin SHA256: D9BrKzFpjkpGhv91bgkZqQIWlqPNIHPHmIhYYwDChGY=
> RSA 2048 bits (e 65537) / SHA256withRSA
> 2 Sent by server
> Not in trust store mcq.sbanetweb.com Self-signed
> Fingerprint SHA256:
> 1ff50fe2d898b639ee07e668b4a4acf5c3f878539a24be6edc3cc011991a9db3
> Pin SHA256: 2gJ7C4jfxgMQJMF09EznMu8UGd5sdBmQDyPrv5pIcHU=
> RSA 4096 bits (e 65537) / SHA256withRSA
>
> If it is an Intermediate, I refer to my original email, "where am I going
> wrong".

Are you sure that this test connected to port 25, not 443?

	Wietse

> Wayne
>
> -----Original Message-----
> From: owner-postfix-us...@postfix.org <owner-postfix-us...@postfix.org> On
> Behalf Of Wietse Venema
> Sent: Wednesday, January 19, 2022 1:03 PM
> To: Wayne Spivak <wspi...@sbanetweb.com>
> Cc: postfix-users@postfix.org
> Subject: Re: TLS returning self-signed cert
>
> Wayne Spivak:
> > My Postfix Server 3.6.2 running on a newly created Fedora 35 is
> > returning self-signed SSL certs, where none were configured.
>
> Why do you believe that this is a self-signed certificate?
>
> Isn't this an issue where the server returns a leaf certificate without
> intermediate certificates?
>
> Wietse
>
> > We're using a multi-cert Entrust certificate. All domains on the box
> > get email from one single mx domain.
> >
> > To be clear TLS works, but if I run SSL Labs report it comes back as
> > Not being Trusted.
> >
> > Running CheckTLS.com, this is the error
> >
> > Certificate #1 of 1 (sent by MX):
> > Cert VALIDATION ERROR(S): unable to get local issuer
> > certificate This may help: What Is An Intermediate Certificate
> > So email is encrypted but the recipient domain is not verified
> > ...
> > TLS successfully started on this server
> >
> > I have all files in the same directory, ServerCert.pem (from Entrust),
> > Bundle2.crt (from Entrust), CA-combines (private key/Server Cert).
> >
> > No other file is configured in either Dovecot 2.3.17.1 (476cd46418)
> > points to the same directory and files.
> >
> > The Cert serial number is coming back wrong using SSL Labs, but a web
> > site (on same server) returns the correct serial number (remember
> > everything points to the same files)
> >
> > I've confirmed the Cert is correct and the private key as well.
> >
> > I've tried changing the CAFile to include/not include Server
> > Certificate, Intermediate, Root, Private Key and either TLS dies, or
> > it "works", but the above error is obtained.
> >
> > I'm at a dead-end as far as researching the error goes.
> >
> > Where am I going wrong..
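
An added example, not part of the thread or of Postfix: a shell script that reports what a PEM chain file contains, which is the distinction the replies above turn on (a leaf sent without intermediates versus a chain whose last certificate has subject equal to issuer). The function names and the `make_demo_chain` test certificates are constructed for illustration, and the script assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: report what a PEM chain file (or saved s_client output) holds.
# split_chain FILE DIR: write each CERTIFICATE block to DIR/cert-N.pem.
# Private keys and other PEM blocks in FILE are ignored.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$1"
}

# chain_status FILE: print empty, leaf-only, leaf+intermediates,
# or ends-in-self-signed (last certificate has subject == issuer).
chain_status() {
    dir=$(mktemp -d) || return 1
    split_chain "$1" "$dir"
    n=$(ls "$dir" | wc -l | tr -d ' ')
    status=empty
    if [ "$n" -ge 1 ]; then
        last="$dir/cert-$n.pem"
        subj=$(openssl x509 -in "$last" -noout -subject_hash)
        iss=$(openssl x509 -in "$last" -noout -issuer_hash)
        if [ "$subj" = "$iss" ]; then status=ends-in-self-signed
        elif [ "$n" -eq 1 ]; then status=leaf-only
        else status=leaf+intermediates
        fi
    fi
    rm -rf "$dir"
    echo "$status"
}

# make_demo_chain DIR: constructed root -> inter -> leaf test certificates.
make_demo_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    for name in inter leaf; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$name" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -out "$d/inter.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

if [ $# -gt 0 ]; then chain_status "$1"; fi
```

To inspect what the SMTP port itself sends, save the output of `openssl s_client -starttls smtp -connect HOST:25 -showcerts` (HOST is a placeholder) to a file and pass that file to `chain_status`.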