Hello
Have a test install of Axigen. I was able to generate and use Let’s Encrypt cert, but email clients will reject the certificate or not even connect. When I run a third party scan against the FQDN of the server I get failure due to untrusted certificate issuer. I ran the scan against ports 81 AND 993
A web browser can connect to webmail without problem. Email can be sent and received this way without issue.
Here is one test result example:
Enter hostname: mail3.bamfieldmsc.ca
Port number:993 *(IMAP)
general information
your certificate
Resolves to
mail3.bamfieldmsc.ca
Expiration date
Mar 21, 2021
Vendor signed
No
SSL is not trusted<<<<<<<<-----
Hostname
Matches
Key length
4096
Server type
NA
Remind me SSL is about to expire
Issued For
Common name
mail3.bamfieldmsc.ca
SAN
mail3.bamfieldmsc.ca
Organization
NA
Organization unit
NA
Country
NA
State
NA
Locality
NA
Address
NA
Issued By
Organization
Let's Encrypt<<<<<<<------
Common name
R3
Organization unit
NA
Country
US
State
NA
Locality
NA
I had the same problem on my Android devices. My answer was to install the intermediate certificate onto the devices so that all of the certificates in the certification path were trusted.
Thanks for the response. Which one would be the intermediate? The Self-signed or the Axigen one?
It would be nicer to have this work properly as installing certs on a hundred devices would be a PITA.
FWIW, several certificate testing sites also warned against deprecated TLS 1.1. so I disabled that on all listeners
cheers
Ken
More info:
I can get Bluemail on Android to connect without issue now, but I had to set to accept all certificates. Can send & receive without issue.
Evolution email client on Linux throws 2 errors shown in images, need to manually accept certificate (untrusted issuer) and then when account configured, cannot access folder
I pulled the Let’s Encrypt certs from https://letsencrypt.org/certificates and once I figured out which one I needed, added to the devices. I can’t remember off the top of my head which one. I know that when I renewed recently that I had to update this as well.
