mails rejected "server certificate not trusted" (dnssec behind utm)

Hope someone with some expertise can jump in:

I have a personal mail server behind a UTM 9 Home (Firmware 9.413-4) and just enabled E-Mail Protection on the UTM (Bridge Mode - works fine). While email filtering etc. is working extremely well (spam is blocked, SMTP logs look fine etc.), some certificate chain seems to be broken. Some third-party mail servers do not deliver incoming AND outgoing mails, with the error on BOTH sides:

Server certificate not trusted / Diagnostic-Code: X-Postfix; Server certificate not trusted

The mail server handles all the certificates and even DNSSEC is implemented. The setup of the mail server itself is fine and it worked before deployment of the UTM. Having said that, the mail server tests do actually show an error after deployment (e.g. on https://de.ssl-tools.net/mailservers/: "unknown authority", as the self-signed cert is on the UTM). It now seems to check the UTM's internal TLS cert, and no longer the original one directly on the mail server. While this makes sense in some way (as the UTM is acting as a "MiM"), I need to get rid of this problem, as a whole bunch of mails do not get delivered or received. My settings in E-Mail Protection -> SMTP are:

- Simple Mode

- Routing Tab: Domain: mydomain.xy / Route by: Static Host / Host List: (internal) IP of mail server / Recipient Verification: With callout

- Relaying Tab: Upstream Hosts/Networks: (internal) IP of mail server / Allowed Hosts/Networks: (internal) / Scan relayed (outgoing) messages: checked

- Advanced Tab: Use transparent mode: checked / TLS Settings: Local Cert (selected) / Advanced Settings: SMTP Hostname: mydomain.xy BATV: unset etc. / Smarthost Settings: (no smarthost)

Is it maybe possible to use E-Mail Protection without using a certificate on the UTM? Meaning: can I deploy UTM Mail Protection without relying on UTM certs?

Can anyone jump in here? Thx!

  • Hi,

    You will need a commercial certificate for the UTM, as it is functioning as an MTA (the server authenticates against the UTM, not your mail server). mailcheap has cheap certs, or use one of the free ones, and your issue should be resolved. Or disable TLS (I guess in your case you do not wish to do that).

    As for DNSSEC, it does not seem to be your issue, as your issue is "server certificate not trusted / Diagnostic-Code: X-Postfix; Server certificate not trusted" (in the mail logs).

    However, like balfson mentioned, to be correct your MX should just point to the UTM (it's an MTA in your mail server chain now) (i.e. internet MTA UTM > MTA mailserver).
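Added example, not from this thread or from Sophos: a small Python probe that does what a remote Postfix does on delivery. It connects to the MX, issues STARTTLS and verifies the offered chain against the system CA store with hostname checking, then reports the OpenSSL verify message and the SHA-256 fingerprint of the leaf certificate, so you can tell whether peers are being shown the UTM's local self-signed certificate instead of the mail server's own, and re-check once a trusted certificate is installed. Host and port are arguments you supply.

```python
"""Added diagnostic, not from the thread: behave like a remote MTA delivering to
your MX over STARTTLS and report why its certificate check succeeds or fails."""
import hashlib
import smtplib
import ssl
import sys


def probe_starttls(host, port=25, timeout=10):
    """Probe one MX and return a dict:
    stage       - where the probe stopped: 'connect', 'starttls' or 'ok'
    verified    - True only if the chain passes system-CA + hostname checks,
                  i.e. what a Postfix peer with smtp_tls_security_level=verify needs
    fingerprint - SHA-256 of the leaf cert (DER); compare it with the cert on the
                  real mail server to see whether a proxy's cert is being offered
    error       - OpenSSL verify message, e.g. 'self-signed certificate'
    """
    res = {"host": host, "stage": "connect", "verified": False,
           "fingerprint": None, "error": None}
    strict = ssl.create_default_context()   # system CA store + hostname check
    lenient = ssl.create_default_context()  # used only to read the offered cert
    lenient.check_hostname = False          # must precede setting CERT_NONE
    lenient.verify_mode = ssl.CERT_NONE
    for ctx in (strict, lenient):
        smtp = None
        try:
            smtp = smtplib.SMTP(host, port, timeout=timeout)
            res["stage"] = "starttls"
            smtp.starttls(context=ctx)      # raises if STARTTLS is not offered
            der = smtp.sock.getpeercert(binary_form=True)
            res["fingerprint"] = hashlib.sha256(der).hexdigest()
            if ctx is strict:               # first pass verified: done
                res["stage"], res["verified"] = "ok", True
                return res
        except ssl.SSLCertVerificationError as exc:
            # Strict pass rejected the chain; fall through to the lenient pass
            # so the fingerprint of the rejected certificate is still reported.
            res["error"] = f"{exc.verify_message} (verify code {exc.verify_code})"
        except (OSError, smtplib.SMTPException) as exc:
            res["error"] = f"{type(exc).__name__}: {exc}"
            return res                      # unreachable or no TLS at all
        finally:
            if smtp is not None:
                smtp.close()                # no QUIT: session may be half-TLS
    return res


if __name__ == "__main__":
    print(probe_starttls(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 25))
```

Run it against your MX hostname from outside your network; a result with `verified: False` and a fingerprint that matches the UTM's local certificate rather than the mail server's confirms the situation described in the thread.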
