Getting 'Certificate expired' when trying to send mail

Brook · October 6, 2024, 6:12pm

Hi Joe, mail has been set up as pop/smtp on the server and I am getting the error when trying to send email from my computer (Apple Mail) as well as from software running on the server which has been configured to send mail.

They both say the certificate has expired (and indeed are showing the expiry date of the old cert). Where are the log entries? I’m guessing there won’t be any on the virtualmin server as it’s the clients that are rejecting the sending (they are reporting the cert as expired so are refusing to send).

I do not use virtualmin to create/update the certs. We use HAProxy on the server so HAProxy handles all of the SSL. A script runs Certbot twice daily to update any certs that are due to expire and our custom script then copies them to the locations as per this thread. The script then restarts dovecot and postfix with systemctl restart postfix and systemctl restart dovecot.

There is where they are copied to:

How to configure SSL for Dovecot/Postfix manually?

2) Copy the letsencrypt files to /home/domain.com/ named to what Virtualmin expects

I.e:

DOMAIN='NAMEHERE.com' sudo -E bash -c 'cp /etc/letsencrypt/live/$DOMAIN/privkey.pem /home/$DOMAIN/ssl.key'
DOMAIN='NAMEHERE.com' sudo -E bash -c 'cp /etc/letsencrypt/live/$DOMAIN/cert.pem /home/$DOMAIN/ssl.cert'
DOMAIN='NAMEHERE.com' sudo -E bash -c 'cp /etc/letsencrypt/live/$DOMAIN/chain.pem /home/$DOMAIN/ssl.ca'
DOMAIN='NAMEHERE.com' sudo -E bash -c 'cp /etc/letsencrypt/live/$DOMAIN/fullchain.pem /home/$DOMAIN/ssl.combined'

Webmin > Servers > Postfix > Certificate Mapping and Webmin > Servers > Dovecot > Edit Config Files (dovecot.conf) are also correctly set.

Everything seems like it should be pretty straight forward (it was working before - this only seems to be an issue after a cert gets updated). Does Dovecot/Postfix ‘cache’ certs? Should anything be done once the certs have been copied to the locations as described above?

[The odd thing is two domains were updated at the same time - the other one works fine, but this one doesn’t! The https sites work fine for both]

Here’s postfix status:

# systemctl status postfix
● postfix.service - Postfix Mail Transport Agent
     Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; preset: disabled)
     Active: active (running) since Sun 2024-10-06 20:14:54 BST; 1min 15s ago
    Process: 4042177 ExecStartPre=/usr/sbin/restorecon -R /var/spool/postfix/pid (code=exited, status=0/SUCCESS)
    Process: 4042178 ExecStartPre=/usr/libexec/postfix/aliasesdb (code=exited, status=0/SUCCESS)
    Process: 4042180 ExecStartPre=/usr/libexec/postfix/chroot-update (code=exited, status=0/SUCCESS)
    Process: 4042181 ExecStart=/usr/sbin/postfix start (code=exited, status=0/SUCCESS)
   Main PID: 4042249 (master)
      Tasks: 12 (limit: 408518)
     Memory: 21.0M
        CPU: 465ms
     CGroup: /system.slice/postfix.service
             ├─4042249 /usr/libexec/postfix/master -w
             ├─4042250 pickup -l -t unix -u
             ├─4042251 qmgr -l -t unix -u
             ├─4042260 smtpd -n submission -t inet -u -o stress= -o smtpd_sasl_auth_enable=yes -o smtpd_tls_security_level=may
             ├─4042261 proxymap -t unix -u
             ├─4042262 tlsmgr -l -t unix -u
             ├─4042263 anvil -l -t unix -u
             ├─4042281 smtpd -n smtp -t inet -u -o stress= -o smtpd_sasl_auth_enable=yes -o smtpd_tls_security_level=may
             ├─4042282 smtpd -n smtp -t inet -u -o stress= -o smtpd_sasl_auth_enable=yes -o smtpd_tls_security_level=may
             ├─4042535 smtpd -n smtp -t inet -u -o stress= -o smtpd_sasl_auth_enable=yes -o smtpd_tls_security_level=may
             ├─4042625 smtpd -n smtp -t inet -u -o stress= -o smtpd_sasl_auth_enable=yes -o smtpd_tls_security_level=may
             └─4042770 smtpd -n smtp -t inet -u -o stress= -o smtpd_sasl_auth_enable=yes -o smtpd_tls_security_level=may

Oct 06 20:16:01 myserver.com postfix/smtpd[4042282]: warning: unknown[199.135.173.44]: SASL LOGIN authentication failed: authentication failure
Oct 06 20:16:01 myserver.com postfix/smtpd[4042282]: disconnect from unknown[199.135.173.44] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Oct 06 20:16:02 myserver.com postfix/smtpd[4042260]: warning: unknown[194.179.174.41]: SASL LOGIN authentication failed: authentication failure
Oct 06 20:16:02 myserver.com postfix/smtpd[4042260]: disconnect from unknown[194.179.174.41] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Oct 06 20:16:08 myserver.com postfix/smtpd[4042260]: connect from unknown[194.179.174.41]
Oct 06 20:16:08 myserver.com postfix/smtpd[4042535]: connect from unknown[172.17.0.2]
Oct 06 20:16:08 myserver.com postfix/smtpd[4042535]: SSL_accept error from unknown[172.17.0.2]: -1
Oct 06 20:16:08 myserver.com postfix/smtpd[4042535]: warning: TLS library problem: error:0A000415:SSL routines::sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1600:SSL alert number 45:
Oct 06 20:16:08 myserver.com postfix/smtpd[4042535]: lost connection after STARTTLS from unknown[172.17.0.2]
Oct 06 20:16:08 myserver.com postfix/smtpd[4042535]: disconnect from unknown[172.17.0.2] ehlo=1 starttls=0/1 commands=1/2