Check mail certificates

dovecot
postfix
mailserver
certificates
mail
ucs-4

#1

If you are using your own certificates for your domains mailstack (postfix, dovecot/cyrus) you probably run into some issues. In this cases it’s needed to check the configured certificates. This article describes how to do that.

Check Certificate

You can easily check the used certificate via console:

IMAP

root@ucs:~# openssl s_client -showcerts -connect <mailserver>:993

POP3

root@ucs:~# openssl s_client -showcerts -connect <mailserver>:995

SMTP

root@ucs:~# openssl s_client -showcerts -connect <mailserver>:465

Or if you prefer to us a webservice try https://de.ssl-tools.net/mailservers/

Change certificate settings

Normally the certificates are linked correctly against the defaults from /etc/univention/ssl/.

root@ucs:~# cd /etc/dovecot
root@ucs:/etc/dovecot# grep -r "\.pem" *
conf.d/10-ssl.conf:ssl_cert = < /etc/univention/ssl/master.domain.tld/cert.pem
dovecot-ldap.conf.ext:tls_ca_cert_file = /etc/univention/ssl/ucsCA/CAcert.pem

You might change this via the appropriate UCR-variables; please don’t change the configfiles itself, these changes aren’t persistent!

root@ucs:~# ucr info  mail/dovecot/auth/ldap/cafile
mail/dovecot/auth/ldap/cafile: <empty>
 The full path of the file containing the certificates of the certificate authority (CA) that Dovecot will use to connect to 
the LDAP server. If the variable is unset /etc/univention/ssl/ucsCA/CAcert.pem is used.

root@ucs:~# ucr info mail/dovecot/ssl/certificate
mail/dovecot/ssl/certificate: <empty>
 The full path name of SSL certificate that is used by Dovecot to establish SSL connections. If the variable is unset, 
the local host certificate (/etc/univention/ssl/<FQDN>/cert.pem) is used.

root@ucs:~# ucr info mail/dovecot/ssl/key
mail/dovecot/ssl/key: <empty>
 The full path name of SSL key file that is used by Dovecot to establish SSL connections. If the variable is unset the
local host key (/etc/univention/ssl/<FQDN>/private.key) is used.

#2

#3