I installed letsencrypt and generated a certificate. Even with this certificate, I got the same error. The error went away when I changed the connection to "TLS" from "TLS (Accept All Certificates)". I wonder if the root problem was that the mail app on my phone won't accept newer certificates unless it can validate them fully?

Simon

On Sun, Nov 12, 2017 at 2:28 PM, Kyle Hamilton <aerowolf@xxxxxxxxx> wrote:
> Use a publicly-trusted certification authority, such as Let's Encrypt.
> The problem is from the remote side (it's sending the alert that it
> does not recognize your certificate issuer).
>
> -Kyle H
>
> On Sun, Nov 12, 2017 at 7:47 AM, Simon Matthews
> <simon.d.matthews@xxxxxxxxx> wrote:
>> On Sun, Nov 12, 2017 at 4:55 AM, Jan Just Keijser <janjust@xxxxxxxxx> wrote:
>>> Hi,
>>>
>>> On 12/11/17 05:39, Simon Matthews wrote:
>>>>
>>>> I have generated a new certificate for my CentOS 6/postfix server, and
>>>> it seems to work with most clients, but when I try to send email using
>>>> tls from my Android device, it always fails.
>>>>
>>>> In my postfix log, I see:
>>>>
>>>> warning: TLS library problem: 13671:error:14094416:SSL
>>>> routines:SSL3_READ_BYTES:sslv3 alert certificate
>>>> unknown:s3_pkt.c:1275:SSL alert number 46:
>>>>
>>>> I get the same message when using the same new certificate with
>>>> dovecot, so I don't think it is a postfix issue.
>>>>
>>>> To generate the certificate, I used the following commands:
>>>>
>>>> openssl genrsa -out MatthewsCA2017.key 2048
>>>> openssl genrsa -des3 -out MatthewsCA2017.key 2048
>>>> openssl req -x509 -new -nodes -key MatthewsCA2017.key -sha256 -days
>>>> 3000 -out MatthewsCA2017.pem
>>>> openssl genrsa -out smtp.matthews-family.org.uk.key 2048
>>>> openssl req -new -key smtp.matthews-family.org.uk.key -out
>>>> smtp.matthews-family.org.uk.csr
>>>> openssl x509 -req -in smtp.matthews-family.org.uk.csr -CA
>>>> MatthewsCA2017.pem -CAkey MatthewsCA2017.key -CAcreateserial -out
>>>> smtp.matthews-family.org.uk.crt -days 3000 -sha256
>>>>
>>>> Any ideas on what might be wrong?
>>>>
>>>
>>> you seem to have generated your own (new) CA and server certificate; is this
>>> CA (public) cert installed in postfix correctly. More importantly, is this
>>> new CA distributed to all devices?
>>> An alert 46 usually hints at SSL3_AD_CERTIFICATE_UNKNOWN
>>
>> In my Android device, I am using the option "TLS (Accept all
>> certificates)" which was working with my prior certificate. I built a
>> new CA and certificate because Microsoft/Hotmail would not send email
>> to my server because of the use of MD5 in the certificate chain.
>>
>> In the postfix main.cf, I have:
>> smtpd_tls_CAfile = /etc/ssl/MatthewsCA2017.pem
>>
>> The file exists:
>> # ls /etc/ssl/MatthewsCA2017.pem
>> /etc/ssl/MatthewsCA2017.pem
>>
>> This is CentOS 6 VM.
>>
>> Is there anything else I should do to install the certificates? I
>> notice that the dovecot configuration doesn't explicitly define the CA
>> certificate location, so perhaps I have missed something?
>>
>> Simon
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
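
Added example, not part of the thread or of any project's code: a small decoder for the "TLS library problem" line quoted above. It assumes the OpenSSL 1.0.x packed error-code layout (the `s3_pkt.c` in the log points to that branch); the function and table names are hypothetical.

```python
import re

# TLS alert descriptions (RFC 5246, section 7.2); certificate-related subset.
TLS_ALERTS = {
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}
ERR_LIB_SSL = 20             # OpenSSL library number for libssl
SSL_AD_REASON_OFFSET = 1000  # reason = 1000 + alert number for a received alert

# The error-queue text that postfix and dovecot copy into their logs:
# error:<packed code>:<library>:<function>:<reason text>:
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):")

def decode_openssl_error(line):
    """Decode the packed OpenSSL error code in a log line, or return None."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    # Assumed OpenSSL 1.0.x ERR_PACK layout: 8-bit lib, 12-bit func, 12-bit reason.
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    result = {"lib": lib, "func": func, "reason": reason,
              "function_name": m.group(3), "text": m.group(4).strip(),
              "alert": None, "alert_name": None, "from_peer": False}
    if lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET:
        # Raised while reading records: the remote side sent this alert.
        alert = reason - SSL_AD_REASON_OFFSET
        result.update(alert=alert, from_peer=True,
                      alert_name=TLS_ALERTS.get(alert, "other"))
    return result

# The log line from the thread, rejoined onto one line.
SAMPLE = ("warning: TLS library problem: 13671:error:14094416:SSL routines:"
          "SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1275:"
          "SSL alert number 46:")

if __name__ == "__main__":
    print(decode_openssl_error(SAMPLE))
```

The `from_peer` flag is the useful part when triaging: it says the client rejected the server's certificate, so the thing to check is what the client trusts, not the server's own CA file setting.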