If you are getting SSL or connection errors in applications such as Outlook, Thunderbird or WP Mail SMTP when they connect to your Postfix server:
Problem
Postfix showed the following problems on TLS connections when using certificates obtained from Let’s Encrypt:
1. TLS handshake failure: when tested with openssl s_client, errors such as "unable to verify the first certificate" or "verify error: self signed certificate in certificate chain" were reported.
2. Incomplete certificate chain: because Postfix did not send the full certificate chain, connecting clients and peer servers could not verify the server certificate.
3. Conflict with SNI (Server Name Indication): the vmail_ssl.map used to provide Postfix's SNI support was itself causing failures in some cases.
Solution
I followed the steps below to solve the problem:
1. Use the Correct Certificate Files
First, make sure Postfix is using the correct certificate files. Go to the directory where your Let’s Encrypt certificates are stored and check that the following two files are present and current:
Full Chain Certificate: fullchain.pem
Private Key: privkey.pem
Point Postfix at these files by adding or editing the following lines in the Postfix main configuration file (/etc/postfix/main.cf):
smtpd_tls_cert_file = /www/server/panel/vhost/letsencrypt/mail.YOURMAILDOMAIN.com/fullchain.pem
smtpd_tls_key_file = /www/server/panel/vhost/letsencrypt/mail.YOURMAILDOMAIN.com/privkey.pem
2. Review and Update the SNI Map (vmail_ssl.map)
If you are using SNI, make sure that your map file (/etc/postfix/vmail_ssl.map) is configured correctly and that the hashed lookup table built from it is up to date; rebuild the table and restart Postfix:
postmap /etc/postfix/vmail_ssl.map
systemctl restart postfix
To check whether the SNI map is the cause, temporarily set smtpd_tls_cert_file and smtpd_tls_key_file directly in main.cf (as in step 1) and restart Postfix:
systemctl restart postfix
Verify that the certificates are loaded correctly. If TLS now works, the SNI map is probably at fault.
3. Check Read Permissions of Certificate Files
Make sure Postfix can read the certificate files:
chown root:root /www/server/panel/vhost/letsencrypt/mail.YOURMAILDOMAIN.com/*
chmod 644 /www/server/panel/vhost/letsencrypt/mail.YOURMAILDOMAIN.com/fullchain.pem
chmod 600 /www/server/panel/vhost/letsencrypt/mail.YOURMAILDOMAIN.com/privkey.pem
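A pre-flight script that checks the files from steps 1 and 3 before Postfix is restarted. This is an added example, not code from the original post: the file names and directory layout are the post's, while the check functions (count_pem_certs, mode_ok, key_matches_cert, chain_order_ok) are my own and assume a POSIX shell with ls, awk, grep and the openssl command-line tool available.

```shell
#!/bin/sh
# check_postfix_tls_files.sh: constructed example, not from the original post.
# Pre-flight checks on the files named by smtpd_tls_cert_file and
# smtpd_tls_key_file before Postfix is restarted: chain completeness,
# chain order, key/certificate match and file permissions.
# Assumes POSIX sh, ls/awk/grep and the openssl CLI (openssl is used only
# by key_matches_cert and chain_order_ok).

# Number of PEM certificate blocks in a file. A Let's Encrypt fullchain.pem
# holds at least two: the server certificate followed by its issuing CA.
# A leaf-only file is the classic cause of "unable to verify the first
# certificate" on the client side.
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Symbolic mode ("-rw-r--r--") taken from ls -l, which is portable across
# GNU and BSD userlands, unlike the stat(1) format flags.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Permission policy from the post: fullchain.pem 644, privkey.pem 600.
# postconf(5) asks for the key to be readable by root only; Postfix reads
# it with root privileges, so nothing more permissive is needed.
mode_ok() {
    case "$1" in
        fullchain) [ "$(file_mode "$2")" = "-rw-r--r--" ] ;;
        privkey)   [ "$(file_mode "$2")" = "-rw-------" ] ;;
        *)         return 2 ;;
    esac
}

# Does privkey.pem belong to the first certificate in fullchain.pem?
# Compare SHA-256 digests of the DER-encoded public keys. A mismatch
# (typically a renewal that replaced one file but not the other) fails the
# handshake before any chain problem becomes visible.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Is the file ordered leaf first, issuer second? Postfix sends the blocks in
# file order, and clients expect the server certificate to come first.
chain_order_ok() {
    leaf_issuer=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null)
    ca_subject=$(awk '/BEGIN CERTIFICATE/{n++} n==2' "$1" \
        | openssl x509 -noout -subject 2>/dev/null)
    [ -n "$ca_subject" ] && [ "${leaf_issuer#issuer=}" = "${ca_subject#subject=}" ]
}

# Run every check against a Let's Encrypt directory and report. Exit 1 on
# any failure so the script can gate a Postfix restart.
main() {
    dir=$1
    chain="$dir/fullchain.pem"
    key="$dir/privkey.pem"
    rc=0
    n=$(count_pem_certs "$chain")
    if [ "$n" -ge 2 ]; then echo "ok   fullchain.pem holds $n certificates"
    else echo "FAIL fullchain.pem holds $n certificate(s): issuing CA missing"; rc=1; fi
    if chain_order_ok "$chain"; then echo "ok   chain is ordered leaf, then issuer"
    else echo "FAIL second certificate did not issue the first"; rc=1; fi
    if key_matches_cert "$chain" "$key"; then echo "ok   privkey.pem matches the server certificate"
    else echo "FAIL privkey.pem does not match fullchain.pem"; rc=1; fi
    if mode_ok fullchain "$chain"; then echo "ok   fullchain.pem is 644"
    else echo "FAIL fullchain.pem is $(file_mode "$chain"), want -rw-r--r--"; rc=1; fi
    if mode_ok privkey "$key"; then echo "ok   privkey.pem is 600"
    else echo "FAIL privkey.pem is $(file_mode "$key"), want -rw-------"; rc=1; fi
    return "$rc"
}

# Usage: check_postfix_tls_files.sh /www/server/panel/vhost/letsencrypt/mail.YOURMAILDOMAIN.com
if [ $# -ge 1 ]; then main "$1"; fi
```

Run it against the certificate directory before each restart (for example from whatever hook renews the certificate); a non-zero exit means the restart would put a broken or incomplete chain into service.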
4. Test with OpenSSL
To test the TLS connection after the changes, run:
openssl s_client -connect mail.YOURMAILDOMAIN.com:25 -starttls smtp
Check the following in the output:
The certificate chain section should list two certificates (the site certificate and the Let’s Encrypt CA certificate that issued it).
Verify return code should be 0 (ok).
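A scripted version of the step-4 check, added here and not part of the original post. chain_length, verify_code, assess and probe are my helpers; the two sample outputs are constructed excerpts in the shape of openssl s_client output, not captures from a real server. Assumes a POSIX shell with awk and sed, plus the openssl command-line tool for the live probe.

```shell
#!/bin/sh
# check_smtp_starttls.sh: constructed example, not from the original post.
# Wraps the openssl s_client probe from step 4 and reduces its output to
# the two facts that matter, the verify return code and how many
# certificates the server sent, so the result can be scripted or monitored.
# Assumes POSIX sh with awk/sed and, for the live probe, the openssl CLI.

# Count entries in the "Certificate chain" section; openssl prints each one
# as a numbered subject line such as " 0 s:CN = mail.example.com".
chain_length() {
    awk '/^Certificate chain/ { in_chain = 1; next }
         /^---/              { in_chain = 0 }
         in_chain && /^ *[0-9]+ s:/ { n++ }
         END { print n + 0 }'
}

# Numeric code from "Verify return code: N (text)"; empty if the handshake
# never got that far.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | tail -n 1
}

# Read s_client output on stdin, print a verdict, return 0 only on pass.
# The diagnoses map back to the symptoms listed at the top of the post.
assess() {
    out=$(cat)
    n=$(printf '%s\n' "$out" | chain_length)
    code=$(printf '%s\n' "$out" | verify_code)
    if [ -z "$code" ]; then
        echo "FAIL no TLS session established (STARTTLS refused or port closed)"
        return 1
    fi
    if [ "$code" != 0 ]; then
        echo "FAIL verify return code $code"
        if [ "$n" -lt 2 ]; then
            echo "     only $n certificate(s) sent: check that smtpd_tls_cert_file points at fullchain.pem"
        fi
        return 1
    fi
    if [ "$n" -lt 2 ]; then
        echo "WARN verified locally, but only $n certificate sent; clients without the issuer in their trust store will fail"
        return 1
    fi
    echo "ok   verify return code 0, $n certificates in chain"
}

# Live probe. -servername sends SNI for the host, which is what exercises
# the vmail_ssl.map lookup from step 2; </dev/null ends the session after
# the handshake instead of waiting for SMTP input.
probe() {
    openssl s_client -connect "$1:25" -starttls smtp -servername "$1" </dev/null 2>/dev/null | assess
}

# Constructed s_client excerpts for offline use: a complete chain that
# verifies, and the leaf-only failure the post describes.
sample_good() {
cat <<'EOF'
---
Certificate chain
 0 s:CN = mail.YOURMAILDOMAIN.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
subject=CN = mail.YOURMAILDOMAIN.com
---
    Verify return code: 0 (ok)
EOF
}

sample_incomplete() {
cat <<'EOF'
---
Certificate chain
 0 s:CN = mail.YOURMAILDOMAIN.com
   i:C = US, O = Let's Encrypt, CN = R3
---
Server certificate
subject=CN = mail.YOURMAILDOMAIN.com
---
    Verify return code: 21 (unable to verify the first certificate)
EOF
}

# Usage: check_smtp_starttls.sh mail.YOURMAILDOMAIN.com
if [ $# -ge 1 ]; then probe "$1"; fi
```

The WARN branch matters because openssl on the mail server itself may verify a leaf-only chain when the issuing CA happens to be in the local trust store; the post's symptom of clients failing while a local test looks fine is exactly that case, so the script treats it as a failure.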
5. Restart Postfix
Restart Postfix after configuration changes:
systemctl restart postfix
Result
After these steps Postfix uses the correct certificates for TLS connections and presents the complete certificate chain to clients.