Use a publicly-trusted certification authority, such as Let's Encrypt. The problem is from the remote side (it's sending the alert that it does not recognize your certificate issuer).

-Kyle H

On Sun, Nov 12, 2017 at 7:47 AM, Simon Matthews <simon.d.matthews@xxxxxxxxx> wrote:
> On Sun, Nov 12, 2017 at 4:55 AM, Jan Just Keijser <janjust@xxxxxxxxx> wrote:
>> Hi,
>>
>> On 12/11/17 05:39, Simon Matthews wrote:
>>>
>>> I have generated a new certificate for my CentOS 6/postfix server, and
>>> it seems to work with most clients, but when I try to send email using
>>> tls from my Android device, it always fails.
>>>
>>> In my postfix log, I see:
>>>
>>> warning: TLS library problem: 13671:error:14094416:SSL
>>> routines:SSL3_READ_BYTES:sslv3 alert certificate
>>> unknown:s3_pkt.c:1275:SSL alert number 46:
>>>
>>> I get the same message when using the same new certificate with
>>> dovecot, so I don't think it is a postfix issue.
>>>
>>> To generate the certificate, I used the following commands:
>>>
>>> openssl genrsa -out MatthewsCA2017.key 2048
>>> openssl genrsa -des3 -out MatthewsCA2017.key 2048
>>> openssl req -x509 -new -nodes -key MatthewsCA2017.key -sha256 -days
>>> 3000 -out MatthewsCA2017.pem
>>> openssl genrsa -out smtp.matthews-family.org.uk.key 2048
>>> openssl req -new -key smtp.matthews-family.org.uk.key -out
>>> smtp.matthews-family.org.uk.csr
>>> openssl x509 -req -in smtp.matthews-family.org.uk.csr -CA
>>> MatthewsCA2017.pem -CAkey MatthewsCA2017.key -CAcreateserial -out
>>> smtp.matthews-family.org.uk.crt -days 3000 -sha256
>>>
>>> Any ideas on what might be wrong?
>>>
>>
>> you seem to have generated your own (new) CA and server certificate; is this
>> CA (public) cert installed in postfix correctly? More importantly, is this
>> new CA distributed to all devices?
>> An alert 46 usually hints at SSL3_AD_CERTIFICATE_UNKNOWN
>
> In my Android device, I am using the option "TLS (Accept all
> certificates)" which was working with my prior certificate. I built a
> new CA and certificate because Microsoft/Hotmail would not send email
> to my server because of the use of MD5 in the certificate chain.
>
> In the postfix main.cf, I have:
> smtpd_tls_CAfile = /etc/ssl/MatthewsCA2017.pem
>
> The file exists:
> # ls /etc/ssl/MatthewsCA2017.pem
> /etc/ssl/MatthewsCA2017.pem
>
> This is a CentOS 6 VM.
>
> Is there anything else I should do to install the certificates? I
> notice that the dovecot configuration doesn't explicitly define the CA
> certificate location, so perhaps I have missed something?
>
> Simon
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
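
Added example, not part of the original thread: decoding the postfix log line quoted above shows whether OpenSSL is reporting a failure it raised itself or an alert it received from the peer. It assumes the OpenSSL 1.0.x error-code packing; `decode` is a hypothetical helper name and the second sample line is constructed for contrast.

```python
import re

# Assumption: OpenSSL 1.0.x error packing, lib(8 bits) | func(12) | reason(12).
ERR_LIB_SSL = 0x14
# In the SSL library, reason = 1000 + N means "the peer sent TLS alert N".
SSL_AD_REASON_OFFSET = 1000

# Certificate-related alert descriptions (RFC 5246, section 7.2).
TLS_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
              44: "certificate_revoked", 45: "certificate_expired",
              46: "certificate_unknown", 48: "unknown_ca"}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):")

SAMPLES = [
    # From the thread (log line unwrapped).
    "warning: TLS library problem: 13671:error:14094416:SSL routines:"
    "SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1275:"
    "SSL alert number 46:",
    # Constructed for contrast: a failure raised locally, not a peer alert.
    "warning: TLS library problem: 13672:error:1408A0C1:SSL routines:"
    "SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1352:",
]

def decode(line):
    """Split an OpenSSL error-queue log line into its fields, or return None."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return {
        "lib": lib, "func": func, "reason": reason,
        "function": m.group(3), "text": m.group(4),
        "origin": "peer alert" if alert is not None else "local",
        "alert": alert, "alert_name": TLS_ALERTS.get(alert),
    }

if __name__ == "__main__":
    for sample in SAMPLES:
        print(decode(sample))
```

An `origin` of `peer alert` means the remote end rejected what it was shown, so the client's certificate handling is the place to look rather than the server's TLS library.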