So, when you have multiple chain certificates, which occurred now with AlphaSSL certificates,
Apache wants the certificates in the following order:
your cert → interm 1 → interm 2 → root cert
but Postfix wants them:
root cert → interm 2 → interm 1 → your cert.
Currently, if you paste multiple certs into SSL CA on the CA Certificate tab and use it for
other services, everything will work, but Postfix will not work properly
until you reverse the order of the certificates as explained above.
You can test your chain with sslyze, for example:
sslyze your-server:port (the port can be 443). First validate your chain with some tool like:
then run sslyze example.com:443 and then run it on 465 to identify the broken chain.
After re-arranging the intermediate chains and restarting Postfix, try again; it will work,
and email clients like Gmail will be able to use the server again.
It’s just about SSL and the way Postfix wants SSL packed when there is more than 1 intermediate…
As explained above, it only worked when sorted in the opposite way to sorting them for Apache…
The thing is I had to use Alpha SSL, which is issued with the newest root, so I had to use 3 intermediate certificates instead of 1.
So for any kind of testing purposes it needs more than 1 intermediate, and needs testing on all 3 servers which use them: Apache, Dovecot and Postfix (keep in mind what I had to do to make Postfix work).
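To re-arrange a bundle without sorting it by hand, the following added example (not part of the original post) orders the PEM blocks by matching each certificate's issuer to the next one's subject, then emits them leaf-first (the Apache order above) or root-first (the order the post describes for Postfix). The function names and the --root-first switch are assumptions of this example; it reads only the names from the DER and does not verify signatures or validity dates.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(b64_body):
    """Return (subject, issuer) as raw DER Name bytes of one certificate."""
    der = base64.b64decode(b64_body)    # newlines in the body are ignored
    _, p, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE
    _, p, _ = _tlv(der, p)              # tbsCertificate ::= SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                     # skip the optional [0] version field
        p = end
    fields = []
    for _ in range(5):                  # serial, sigAlg, issuer, validity, subject
        _, _, end = _tlv(der, p)
        fields.append(der[p:end])
        p = end
    return fields[4], fields[2]

def order_chain(bundle, root_first=False):
    """Return the bundle's PEM blocks sorted by issuer/subject links."""
    certs = [(m.group(0), *names(m.group(1))) for m in PEM_RE.finditer(bundle)]
    issuers = {iss for _, sub, iss in certs if sub != iss}
    chain = [c for c in certs if c[1] not in issuers]  # the leaf issued nothing here
    if len(chain) != 1:
        raise ValueError("bundle does not contain exactly one leaf certificate")
    by_subject = {sub: (blk, sub, iss) for blk, sub, iss in certs}
    while len(chain) < len(certs):
        nxt = by_subject.get(chain[-1][2])
        if nxt is None or nxt in chain:
            raise ValueError("chain is broken: missing issuer or duplicate cert")
        chain.append(nxt)
    blocks = [c[0] for c in chain]
    return blocks[::-1] if root_first else blocks

if __name__ == "__main__":
    import sys                          # usage: script.py bundle.pem [--root-first]
    with open(sys.argv[1]) as fh:
        print("\n".join(order_chain(fh.read(), "--root-first" in sys.argv)))
```

A ValueError here means the bundle itself is incomplete or contains a stray certificate, which is worth fixing before testing the ports with sslyze again.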