Check mail certificates

If you are using your own certificates for your domain's mail stack (Postfix, Dovecot/Cyrus), you may run into some issues. In these cases you need to check the configured certificates. This article describes how to do that.

Check Certificate

You can easily check the certificate actually in use from the console:

IMAP

root@ucs:~# openssl s_client -showcerts -connect <mailserver>:993

POP3

root@ucs:~# openssl s_client -showcerts -connect <mailserver>:995

SMTP

root@ucs:~# openssl s_client -showcerts -connect <mailserver>:465

Or, if you prefer a web service, try https://de.ssl-tools.net/mailservers/

Change certificate settings

Normally the certificates are correctly linked to the defaults from /etc/univention/ssl/.

root@ucs:~# cd /etc/dovecot
root@ucs:/etc/dovecot# grep -r "\.pem" *
conf.d/10-ssl.conf:ssl_cert = < /etc/univention/ssl/master.domain.tld/cert.pem
dovecot-ldap.conf.ext:tls_ca_cert_file = /etc/univention/ssl/ucsCA/CAcert.pem

You can change this via the appropriate UCR variables; please don't edit the config files themselves, as those changes aren't persistent!

root@ucs:~# ucr info  mail/dovecot/auth/ldap/cafile
mail/dovecot/auth/ldap/cafile: <empty>
 The full path of the file containing the certificates of the certificate authority (CA) that Dovecot will use to connect to 
the LDAP server. If the variable is unset /etc/univention/ssl/ucsCA/CAcert.pem is used.

root@ucs:~# ucr info mail/dovecot/ssl/certificate
mail/dovecot/ssl/certificate: <empty>
 The full path name of SSL certificate that is used by Dovecot to establish SSL connections. If the variable is unset, 
the local host certificate (/etc/univention/ssl/<FQDN>/cert.pem) is used.

root@ucs:~# ucr info mail/dovecot/ssl/key
mail/dovecot/ssl/key: <empty>
 The full path name of SSL key file that is used by Dovecot to establish SSL connections. If the variable is unset the
local host key (/etc/univention/ssl/<FQDN>/private.key) is used.
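As an added example (not code from the original article or from Univention), the following POSIX shell script automates the openssl checks above for the three ports, reports subject, issuer and validity, and additionally compares the certificate actually served with the local default file, so a mismatch points you at the UCR variables described above. The host name argument and the path /etc/univention/ssl/<FQDN>/cert.pem are assumptions; the openssl CLI is required.

```shell
#!/bin/sh
# Added example, not code from the original article. Fetches the certificate a
# mail service really presents, reports subject/issuer/validity and compares it
# with the local file the UCS defaults use (assumed path as in the article:
# /etc/univention/ssl/<FQDN>/cert.pem). Requires the openssl CLI.
# Leaf certificate served on host:port as PEM. An optional third argument names a
# STARTTLS protocol (e.g. "smtp" for port 587); the article's ports do not need one.
fetch_served_cert() {
    host=$1; port=$2; proto=${3:-}; opts=""
    [ -n "$proto" ] && opts="-starttls $proto"
    openssl s_client -connect "$host:$port" -servername "$host" $opts </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}
# SHA-256 fingerprint of a PEM certificate file, lowercase hex without colons.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 |
        sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}
# Succeeds (exit 0) if the certificate in $1 is still valid for at least $2 seconds.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}
# One service: label, host, port, expected local certificate file, optional STARTTLS protocol.
check_service() {
    label=$1; host=$2; port=$3; expected=$4; tmp=$(mktemp) || return 1
    if ! fetch_served_cert "$host" "$port" "${5:-}" >"$tmp"; then
        echo "$label ($host:$port): no certificate received"; rm -f "$tmp"; return 1
    fi
    echo "== $label ($host:$port)"
    openssl x509 -in "$tmp" -noout -subject -issuer -dates
    if cert_valid_for "$tmp" $((30 * 24 * 3600)); then
        echo "expiry: ok, more than 30 days left"
    else
        echo "expiry: WARNING, expires within 30 days or already expired"
    fi
    if [ -r "$expected" ] && [ "$(cert_fingerprint "$tmp")" = "$(cert_fingerprint "$expected")" ]; then
        echo "served certificate matches $expected"
    else
        echo "served certificate does NOT match $expected; check the UCR variables"
    fi
    rm -f "$tmp"
}
# With a host name as argument, check the three services from the article.
if [ $# -ge 1 ]; then
    cert="/etc/univention/ssl/$1/cert.pem"
    check_service IMAP "$1" 993 "$cert"; check_service POP3 "$1" 995 "$cert"; check_service SMTPS "$1" 465 "$cert"
fi
```

Run it on the mail server as `sh check_mail_cert.sh "$(hostname -f)"`; a fingerprint mismatch means Dovecot or Postfix is serving a different file than the one under /etc/univention/ssl.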