Hello there, After doing some search and testing, i've found that Client to Postfix Server is unable to verify the CN Cert chain. I fixed that adding the letsencrypt chain cert to Mail Server > Domain > SSL Why the generated Certs of Letsencrypt on aaPanel are not full? checktls.com Session Algorithm in use: Curve X25519 DHE(253 bits) Certificate #1 of 1 (sent by MX): Cert VALIDATION ERROR(S): unable to get local issuer certificate This may help: What Is An Intermediate Certificate So email is encrypted but the recipient domain is not verified if(window.hljsLoader && !document.currentScript.parentNode.hasAttribute('data-s9e-livepreview-onupdate')) { window.hljsLoader.highlightBlocks(document.currentScript.parentNode); } OpenSSL Start Time: 1656599502 Timeout : 7200 (sec) Verify return code: 21 (unable to verify the first certificate) Extended master secret: no Max Early Data: 0 if(window.hljsLoader && !document.currentScript.parentNode.hasAttribute('data-s9e-livepreview-onupdate')) { window.hljsLoader.highlightBlocks(document.currentScript.parentNode); } With full chain Start Time: 1656599881 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no Max Early Data: 0 if(window.hljsLoader && !document.currentScript.parentNode.hasAttribute('data-s9e-livepreview-onupdate')) { window.hljsLoader.highlightBlocks(document.currentScript.parentNode); } Thank you.

postfix ssl letsencrypt chain missing

Edu3D

Hello there,

After doing some search and testing, i've found that Client to Postfix Server is unable to verify the CN Cert chain.

I fixed that adding the letsencrypt chain cert to Mail Server > Domain > SSL

Why the generated Certs of Letsencrypt on aaPanel are not full?

checktls.com
	Session Algorithm in use: Curve X25519 DHE(253 bits)
Certificate #1 of 1 (sent by MX):
Cert VALIDATION ERROR(S): unable to get local issuer certificate
This may help: What Is An Intermediate Certificate
So email is encrypted but the recipient domain is not verified

OpenSSL

    Start Time: 1656599502
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0

With full chain

    Start Time: 1656599881
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0

Thank you.

aaPanel_Kern

Edu3D
Hi, can you tell us how you do it?

Edu3D

aaPanel_Kern

Sure.

aaPanel Postfix main.cf uses SNI. (vmail_ssl.map)

Certs placed here /www/server/panel/plugin/mail_sys/cert/ must have full chain.

You can test it (before and after) using:
openssl s_client -connect mail.domain.com:587 -starttls smtp

aaPanel_Kern

Edu3D
Hi, thanks, we will test it.