I have set up Postfix with a purchased SSL certificate. Everything works on the mail server except that the clients perceive the SSL certificate as "invalid - identifies the wrong site".
Here are the certificate details:
The server serves multiple domains, let's call them example1.com, example2.com.
On the cert, the primary subject name is one of the primary domain names (example1.com) with the host names of the mail servers added as SAN (subject alternate names): mail.example1.com, mail.example2.com.
So when I try to send mail from either of the two domains example1.com or example2.com (using the Thunderbird mail client), Thunderbird says "certificate invalid - identifies the wrong site", and it shows me that the certificate identifies "example1.com".
At this point I am not sure what is actually wrong - is it Thunderbird not supporting SANs (nothing turns up when I Google for that), or is something else wrong on the server?
The certificate is obviously being found and presented to the Thunderbird client, so my config should not be all wrong in the Postfix server. In any case, the relevant bits of the config of Postfix are:
smtpd_tls_cert_file = /etc/ssl/certs/example1.crt
smtpd_tls_key_file = /etc/ssl/private/example1.key
smtpd_tls_CAfile = /etc/ssl/certs/example1_bundle-g2-g1.crt
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
tls_random_source = dev:/dev/urandom
I might add that the same certificate is used for the webmail client on the mail server (i.e. browsing to https://mail.example1.com or https://mail.example2.com), and it shows the site as secure and verified for both mail.example1.com and mail.example2.com. So the certificate is entirely valid - but why would it not work for TLS in Thunderbird? Is it possible that a certificate is restricted for "only-web" use? Never heard of that.
EDIT
Here is a copy of the main ingredients of the certificate, if that helps:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            17:79:08:cc:15:a2:74:be
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
        Validity
            Not Before: Apr 12 09:48:03 2018 GMT
            Not After : Apr 12 09:48:03 2019 GMT
        Subject: OU=Domain Control Validated, CN=example1.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.godaddy.com/gdig2s1-822.crl
            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114413.1.7.23.1
                  CPS: http://certificates.godaddy.com/repository/
                Policy: 2.23.140.1.2.1
            Authority Information Access:
                OCSP - URI:http://ocsp.godaddy.com/
                CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt
            X509v3 Authority Key Identifier:
                keyid:40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE
            X509v3 Subject Alternative Name:
                DNS:example1.com, DNS:www.example1.com, DNS:mail.example1.com, DNS:example3.com, DNS:mail.example2.com, DNS:mail.example4.com
            X509v3 Subject Key Identifier:
                72:4D:E6:DD:16:86:CC:EA:9F:DD:73:4E:2C:02:BD:5A:6D:74:7B:CC
            1.3.6.1.4.1.11129.2.4.2:
                ...
    Signature Algorithm: sha256WithRSAEncryption
        ...
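An added check (not part of the question) showing what a TLS client such as Thunderbird does with the certificate above: the server name typed into the account settings is matched against the SAN dNSName entries, and once a SAN is present the Subject CN is not consulted. The SAN list is copied from the dump in the question; the candidate server names and the live STARTTLS helper are assumptions for illustration.

```python
import re

# SAN dNSName entries copied from the certificate dump in the question.
SAN_DNS_NAMES = [
    "example1.com", "www.example1.com", "mail.example1.com",
    "example3.com", "mail.example2.com", "mail.example4.com",
]


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, trailing dot ignored,
    a wildcard only as the entire leftmost label, matching exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject "foo*.example" forms, wildcards on a TLD, and depth mismatches.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, san_dns_names) -> bool:
    """True if the configured server name is covered by some SAN dNSName.
    With a SAN present, a CN such as example1.com adds nothing here."""
    if not re.fullmatch(r"[A-Za-z0-9.*-]+", hostname):
        return False
    return any(_name_matches(p, hostname) for p in san_dns_names)


def check_server_names(server_names, san_dns_names=SAN_DNS_NAMES):
    """Map each name a user might enter as the SMTP host to a verdict."""
    return {name: hostname_matches(name, san_dns_names) for name in server_names}


def live_san_names(host: str, port: int = 587):
    """Network helper (assumed usage, not run offline): list the dNSNames that
    Postfix actually presents after STARTTLS, so the two lists can be compared.
    Chain validation stays on; only the name check is deferred to the caller."""
    import smtplib
    import ssl
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.starttls(context=ctx)
        cert = smtp.sock.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Constructed candidates: the first passes, the other two are not in the SAN.
    print(check_server_names(["mail.example2.com", "example2.com", "smtp.example1.com"]))
```

Comparing the output of `live_san_names()` with `SAN_DNS_NAMES` also tells you whether Postfix is serving the expected certificate on the port the client uses.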