Let's Encrypt X1/X3 Intermediate Certificate mismatch
Idea shared by Dave Camenisch - January 10 at 3:51 PM
Proposed
Problem & Solution!
Maybe this information is also of interest to other SmarterMail administrators:
My config:
- Windows 2008 R2 Server / IIS 7
- SmarterMail 16
- Let's Encrypt certificate installed with CertifyTheWeb
 
After installing the Let's Encrypt certificates, I noticed that several test pages (digicert, checktls, etc.) detected an error. The tools reported that the SSL chain is not working properly. More detailed research showed that there is a problem between the Root (X3) and the Intermediate Certificate (X1). This seems to be a known problem with IIS servers and Let's Encrypt certificates.
Interestingly, there were no problems with port 443 (webmail), but always when it came to ports served by SmarterMail (25, 143, 587, 993, etc.).

After a loooong search and reading a lot of threads, I found the ultimate (and very easy) solution! Read it yourself in this forum (Post by Knagis in April 2016):
https://community.letsencrypt.org/t/iis-8-5-building-incorrect-chain-with-lets-encrypt-authority-x3/13320/84
 
After this little intervention I had no more SSL chain problems! :-)
 
-- Dave
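The tools mentioned above (digicert, checktls) check the chain that the server actually sends on each port. The same check can be done locally: capture the chain from a mail port with `openssl s_client -starttls smtp -connect mail.example.com:587 -showcerts` (or `-starttls imap` on 143, or a plain connect on 993) and verify that every certificate's issuer is the subject of the next certificate the server sends. The script below is an added example, not code from this thread or from SmarterTools; it parses the `s:`/`i:` lines of `s_client` output (both the old slash-separated and the newer comma-separated DN formats) and reports any break in the chain. The two sample outputs are constructed to look like a correct chain and like the root/intermediate mismatch described in the post; the hostname `mail.example.com` is a placeholder.

```python
import re

# Constructed sample output (not captured from any real server): the
# "Certificate chain" section as printed by
#   openssl s_client -starttls smtp -connect mail.example.com:587 -showcerts
# PEM bodies are omitted; the checker only needs the s:/i: lines.
GOOD_CHAIN = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = mail.example.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""

# Constructed to resemble the symptom in the post: the intermediate the server
# sends names one root as its issuer, but the root it appends is a different one,
# so clients cannot link the intermediate to the root they were given.
BAD_CHAIN = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=mail.example.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/O=Digital Signature Trust Co./CN=DST Root CA X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
"""

_SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:CN = ..." or " 0 s:/CN=..."
_ISSUER = re.compile(r"^\s*i:(.*)$")            # "   i:..." on the following line


def _norm(name):
    """Normalise a DN so the slash form and the comma form compare equal.
    (Values containing a literal ',' or '/' would need a real DN parser.)"""
    parts = [p for p in re.split(r"\s*[,/]\s*", name.strip()) if p]
    return ",".join(p.replace(" = ", "=") for p in parts)


def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    chain = []
    lines = s_client_output.splitlines()
    for idx, line in enumerate(lines):
        m = _SUBJECT.match(line)
        if not m:
            continue
        im = _ISSUER.match(lines[idx + 1]) if idx + 1 < len(lines) else None
        if not im:
            raise ValueError("subject line without issuer line: %r" % line)
        chain.append((_norm(m.group(2)), _norm(im.group(1))))
    return chain


def check_chain(s_client_output, expected_root=None):
    """Check that each certificate's issuer is the subject of the next one sent.

    Returns (ok, problems). expected_root, if given, is the DN the chain must
    end at (the issuer of the last certificate sent), i.e. the root that
    clients such as Thunderbird are expected to trust.
    """
    chain = parse_chain(s_client_output)
    if not chain:
        return False, ["no certificate chain found in output"]
    problems = []
    for n, ((subj, iss), (next_subj, _)) in enumerate(zip(chain, chain[1:])):
        if iss != next_subj:
            problems.append(
                "cert %d (%s) is issued by %s, but cert %d sent by the server is %s"
                % (n, subj, iss, n + 1, next_subj))
    if expected_root is not None and chain[-1][1] != _norm(expected_root):
        problems.append("chain ends at %s, expected %s"
                        % (chain[-1][1], _norm(expected_root)))
    return not problems, problems


if __name__ == "__main__":
    # Usage: openssl s_client -starttls smtp -connect HOST:587 -showcerts </dev/null | python chaincheck.py
    import sys
    text = sys.stdin.read() if len(sys.argv) < 2 else open(sys.argv[1]).read()
    ok, problems = check_chain(text, *sys.argv[2:3])
    print("chain OK" if ok else "\n".join(problems))
```

Run it once per mail port (25, 143, 587, 993) as well as 443; in the situation described in the post, 443 passes while the SmarterMail ports report a break between the intermediate and the root.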

5 Replies

0
Matt Petty Replied
Employee Post
Awesome find, I know a couple of us have been kicking around the idea of implementing more Let's Encrypt functionality within SmarterMail. It's awesome that you were able to find a problem relating to it and report its fix right here for everyone else. 
Thanks!
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Matt Petty Replied
Employee Post
We had an issue a couple months ago with Let's Encrypt's verification not working while SmarterMail was running due to one of our filters being too aggressive. We fixed that and while doing that it got us thinking about what more we can do.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
4
There's an old thread on this where I suggested baking Let's Encrypt right into SmarterMail, just like ClamAV, SpamAssassin, etc. This would make it easier for admins to get it working without all the technical issues.
 
See more discussion and vote here: https://portal.smartertools.com/community/a88373/ssl-sni.aspx
0
SNI would be great, but further to this ST would need to investigate SSL implementation on various mail related protocols, i.e. offering SSL and TLS for POP / SMTP / IMAP using Let's Encrypt.

If you're only looking to secure one domain, then purchase a wildcard SSL and set up your mail server correctly.

If you're serious about encryption then invest money into a cert, even if it's a cheap Comodo / RapidSSL wildcard cert.
0
Thank you! The issue for me was that Thunderbird complained. Apple Mail worked just fine.
 
But now, Thunderbird also complains no more ;-)
