If you use your own certificates for your domain's mail stack (Postfix, Dovecot/Cyrus), you may run into issues. In that case you need to check which certificates are configured. This article describes how to do that.
You can easily check which certificate is in use from the console:
root@ucs:~# openssl s_client -showcerts -connect <mailserver>:993
root@ucs:~# openssl s_client -showcerts -connect <mailserver>:995
root@ucs:~# openssl s_client -showcerts -connect <mailserver>:465
Or, if you prefer to use a web service, try https://de.ssl-tools.net/mailservers/
Change certificate settings
Normally the certificates are linked correctly against the defaults from
root@ucs:~# cd /etc/dovecot
root@ucs:/etc/dovecot# grep -r "\.pem" *
conf.d/10-ssl.conf:ssl_cert = < /etc/univention/ssl/master.domain.tld/cert.pem
dovecot-ldap.conf.ext:tls_ca_cert_file = /etc/univention/ssl/ucsCA/CAcert.pem
You can change this via the appropriate UCR variables; please don't change the config files themselves, as those changes aren't persistent!
root@ucs:~# ucr info mail/dovecot/auth/ldap/cafile
mail/dovecot/auth/ldap/cafile: <empty>
The full path of the file containing the certificates of the certificate authority (CA) that Dovecot will use to connect to the LDAP server. If the variable is unset /etc/univention/ssl/ucsCA/CAcert.pem is used.
root@ucs:~# ucr info mail/dovecot/ssl/certificate
mail/dovecot/ssl/certificate: <empty>
The full path name of SSL certificate that is used by Dovecot to establish SSL connections. If the variable is unset, the local host certificate (/etc/univention/ssl/<FQDN>/cert.pem) is used.
root@ucs:~# ucr info mail/dovecot/ssl/key
mail/dovecot/ssl/key: <empty>
The full path name of SSL key file that is used by Dovecot to establish SSL connections. If the variable is unset the local host key (/etc/univention/ssl/<FQDN>/private.key) is used.
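The served-certificate check and the configured path can be compared directly. The following script is an added example, not part of the original article: it compares the SHA-256 fingerprint of the certificate served on ports 993 and 995 with the certificate file Dovecot is configured to use. It assumes `openssl` and `ucr get` are available on the mail server; the function names are made up for this example.

```shell
#!/bin/bash
# Added example (not from the article): is the served certificate the configured one?

# Print only the first PEM block (the server's own certificate) from
# `openssl s_client -showcerts` output or from a PEM file read on stdin.
leaf_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ { on = 1 }
         on { print }
         /-----END CERTIFICATE-----/ { if (on) exit }'
}

# Resolve the certificate path as the UCR description states: the value of
# mail/dovecot/ssl/certificate, or the local host certificate if it is unset.
# $1 = UCR value (may be empty), $2 = FQDN of the mail server
effective_cert_path() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    else
        printf '/etc/univention/ssl/%s/cert.pem\n' "$2"
    fi
}

# SHA-256 fingerprint of the PEM certificate on stdin (empty if none given).
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Compare served and configured certificate. $1 = host, $2 = port, $3 = cert file
check_served_cert() {
    local served configured
    served=$(openssl s_client -showcerts -servername "$1" -connect "$1:$2" \
                 </dev/null 2>/dev/null | leaf_pem | fingerprint)
    configured=$(leaf_pem <"$3" | fingerprint)
    if [ -n "$served" ] && [ "$served" = "$configured" ]; then
        echo "OK       $1:$2 serves $3"
    else
        echo "MISMATCH $1:$2 served=${served:-none} configured=${configured:-none}"
        return 1
    fi
}

# Usage: ./check-mail-cert.sh <mailserver-fqdn>   (run as root on the mail server)
if [ "$#" -ge 1 ]; then
    cert=$(effective_cert_path "$(ucr get mail/dovecot/ssl/certificate)" "$1")
    for port in 993 995; do
        check_served_cert "$1" "$port" "$cert" || rc=1
    done
    exit "${rc:-0}"
fi
```

Port 465 is served by Postfix, so call `check_served_cert` for it with the certificate file Postfix is configured to use.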