Mail app using self-signed cert instead of the installed TLS Certificates

NethServer Version: 8
Module: Mail

Got my migration from 7 finished finally, and mail is coming and going successfully. My issue now is that the mail app doesn’t seem to have a trusted cert. iOS devices show the *.ns8.test certificate as not trusted (self-signed).

I have a TLS certificate installed via the settings app, and it was installed successfully. From the research I did, these certificates don’t work for mail, but only for the traefik app? How can I get a proper self-signed cert on the mail app?

Did some more digging, which containers would the certificates generated via the web interface be in? Why are they not accessible by the mail app/container?

How many different users/containers are there? Loading the mail1 user I can see all the mail containers, but none of the others, and there are no certs visible from this user other than the self-signed ones.

Does it help to reconfigure the mail app in the mail settings by saving the configuration?

Did you request a Let's Encrypt certificate or upload a certificate?

Were there errors in the logs?

To check the used certificate from a client:

echo | openssl s_client -connect mail.domain.tld:465 -brief

The certificate used by the NS8 mail server is located in /home/mail1/.config/state/tls-certs

The certificates (custom/letsencrypt) are created/uploaded in traefik.

To enter the traefik1 instance:

runagent -m traefik1

Let's Encrypt certs are stored in acme/acme.json and uploaded certs in custom-certificates/

Podman supports rootless containers. They're running as a normal user, which is a security improvement.

Show traefik containers:

runagent -m traefik1 podman ps

Show mail containers:

runagent -m mail1 podman ps

Thanks so much for the response. I've had some time to dig deeper. I didn't realize that saving the settings would re-configure the app, but that makes sense. It re-configured properly (I had to change my mail server hostname, but the certificate regenerated properly).

It looks like something is wrong with the TLS certificate. Here are the error logs from the connection to send a message:

2025-05-20T19:28:22-04:00 [1:mail1:postfix/smtpd] warning: error loading private keys and certificates from: /etc/ssl/postfix/fullchain.pem: disabling TLS support
2025-05-20T19:28:22-04:00 [1:mail1:postfix/smtpd] connect from FW16Fedora.FQDN.com[10.0.3.211]
2025-05-20T19:28:22-04:00 [1:mail1:rspamd] (rspamd_proxy) <a57ead>; proxy; proxy_accept_socket: accepted milter connection from 127.0.0.1 port 37828
2025-05-20T19:28:22-04:00 [1:mail1:postfix/smtpd] disconnect from FW16Fedora.FQDN.com[10.0.3.211] ehlo=1 starttls=0/1 commands=1/2
2025-05-20T19:28:22-04:00 [1:mail1:dovecot] lmtp(76): Disconnect from local: Logged out (state=READY)
2025-05-20T19:28:22-04:00 [1:mail1:postfix/qmgr] 637A91F800CE9: removed

Thoughts on this one?

It seems the certificate chain isn’t correct.

Are all needed files there?

[root@ns8rockytest ~]# runagent -m mail1 ls tls-certs
dh.pem	fullchain.pem  server.key  server.pem

To check the used certificate and fullchain:

runagent -m mail1 openssl verify -untrusted tls-certs/fullchain.pem tls-certs/server.pem

Maybe related:

I have those same files, as well as privkey.pem

CN=host-16573.ns8.test
error 18 at 0 depth lookup: self-signed certificate
error tls-certs/server.pem: verification failed

The fullchain.pem cert in the mail app only has one —Begin Certificate— —End Certificate— entry, which would indicate that it only has the self-signed cert, correct?

What would be the cause for the chain to be incorrect? How do the certs get from the traefik container to the mail container? Since the cert was generated by the mail app, I would have assumed it would be correct, and updated to the LE certificate.


I think it's because of the certificate that was requested in the NS8 TLS settings. These certificates are for the nodes themselves. The apps use another certificate.
Please delete the certificate that you requested in the NS8 TLS settings and reconfigure the Mail app. The certificate should be installed after a minute.

I tried that earlier, thinking I had found the problem. I deleted all the certificates in the settings app, and then re-configured the mail app. The new mail certificate then showed up in the settings app; so I assumed that is the correct behaviour?

Just confirmed again that I can delete the cert, re-configure the mail app, and the cert re-appears in the settings app, which is the behaviour I would expect…

I’m still seeing strange results. From outside my network, I get:

Connecting to (my external IP)
CONNECTED(00000003)
C0F2703DC57F0000:error:0A00010B:SSL routines:tls_validate_record_header:wrong version number:ssl/record/methods/tlsany_meth.c:80:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 336 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

From inside my network, I get the self-signed cert.

Please check once more the log files, maybe there’s another letsencrypt/cert error?

With the update from traefik v2 to v3, only the uploaded and requested certs from the TLS settings page are shown. The app certs are not shown to avoid misconfigurations, see NethServer project milestone 8.4 - #10 by davidep

Did you install the latest updates in Software Center?

Let’s check if the mail domain is in the default certificate:

runagent -m traefik1 cat configs/_default_cert.yml

Is DNS working correctly for the used mail domain? Are the ports correctly forwarded?
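The "wrong version number" output above comes from OpenSSL reading the first 5 bytes of the reply and not finding a TLS record header there (content type 0x16, version 0x03 0x0x); a plaintext SMTP greeting such as "220 ..." is the usual cause when a port forward lands on a STARTTLS port or another service. The probe below is an added example and not part of NethServer or this thread; it connects, looks at what the server sends first, and only then attempts a TLS handshake. The hostname and port are placeholders you pass on the command line.

```python
"""Probe a mail port: implicit TLS, cleartext SMTP greeting, or something else.

Added example, not NS8 project code. Run as: python probe.py mail.domain.tld 465
"""
import socket
import ssl


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a server sends (what s_client tried to parse).

    A TLS record begins with 0x16 (handshake) followed by 0x03 0x0x; anything
    else makes OpenSSL report "wrong version number" on that 5-byte header.
    """
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    if data.startswith(b"220"):
        return "smtp-plaintext"          # greeting first: this port wants STARTTLS
    if data.startswith(b"HTTP/") or data.startswith(b"<"):
        return "http"
    return "unknown"


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Connect and report what the port speaks, plus the peer cert if it is TLS."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            first = sock.recv(64)         # cleartext SMTP greets without being asked
        except socket.timeout:
            first = b""                   # silence: an implicit-TLS server waits for ClientHello
        if first:
            kind = classify_first_bytes(first)
            return {"kind": kind, "first_bytes": first.decode(errors="replace").strip()}
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE   # we want the cert even when it is untrusted
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                return {"kind": "tls", "version": tls.version(),
                        "peer_cert_pem": ssl.DER_cert_to_PEM_cert(der)}
        except ssl.SSLError as exc:       # e.g. WRONG_VERSION_NUMBER: not TLS after all
            return {"kind": "not-tls", "error": str(exc)}


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2])))
```

Feed the returned peer_cert_pem to `openssl x509 -noout -subject -issuer` to see which certificate the port actually serves; a "smtp-plaintext" result on what should be port 465 points at the forward or the listener, not at the certificate files.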

This is a symptom of a bad format in the certificate or chain file. Sometimes it is just a missing line separator at the end of the file.

Ensure they have a trailing newline with a text editor, then try to upload the cert and chain file again.

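The three checks made in this thread on the files in tls-certs/ (openssl verify reporting a self-signed leaf, fullchain.pem holding a single BEGIN/END block, and a missing trailing newline) can be run together without openssl. The linter below is an added example, not NethServer code: it uses only the Python standard library and a minimal DER walk to pull issuer and subject out of each certificate. The sample input at the bottom is constructed, certificate-shaped DER with only the fields the linter reads (no key, no signature), so it is not a real certificate; the names in it are placeholders.

```python
"""Lint the PEM files the NS8 mail app reads: tls-certs/fullchain.pem and server.pem.

Added example, not NethServer code. Standard library only.
"""
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_certs(text):
    """Return the DER bytes of every CERTIFICATE block, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_BLOCK.findall(text)]


def _tlv(buf, off):
    """Decode one DER tag/length; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                  # long form: 0x8n, then n bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length


def _children(buf, start, end):
    """Return [(tag, raw_tlv, value_start, value_end)] for a constructed value."""
    out, off = [], start
    while off < end:
        tag, vs, ve = _tlv(buf, off)
        if ve > end:
            raise ValueError("DER element overruns its parent (truncated file?)")
        out.append((tag, buf[off:ve], vs, ve))
        off = ve
    return out


def issuer_subject(der):
    """Return the raw DER Name encodings (issuer, subject) of an X.509 certificate."""
    tag, vs, ve = _tlv(der, 0)
    if tag != 0x30 or ve != len(der):
        raise ValueError("not a single DER SEQUENCE: corrupt or truncated PEM body")
    _, _, tvs, tve = _children(der, vs, ve)[0]         # tbsCertificate
    fields = _children(der, tvs, tve)
    if fields[0][0] == 0xA0:                           # optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][1], fields[4][1]


def lint(fullchain, server):
    """Report the problems discussed in the thread; an empty list means all clear."""
    findings = []
    if not fullchain.endswith("\n"):
        findings.append("fullchain.pem has no trailing newline")
    try:
        chain, leaf = pem_certs(fullchain), pem_certs(server)
    except ValueError as exc:                          # binascii.Error is a ValueError
        return findings + [f"PEM body is not valid base64: {exc}"]
    if not chain:
        return findings + ["fullchain.pem contains no CERTIFICATE block"]
    if len(chain) == 1:
        findings.append("fullchain.pem holds a single certificate (no intermediate)")
    if leaf and leaf[0] != chain[0]:
        findings.append("server.pem does not match the first certificate in fullchain.pem")
    names = []
    for i, der in enumerate(chain):
        try:
            names.append(issuer_subject(der))
        except (ValueError, IndexError) as exc:
            return findings + [f"certificate #{i}: {exc}"]
    if names[0][0] == names[0][1]:                     # DN equality, same test openssl's error 18 starts from
        findings.append("leaf certificate is self-signed (issuer == subject)")
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            findings.append(f"certificate #{i} was not issued by certificate #{i + 1}")
    return findings


# --- constructed sample input: certificate-shaped DER, NOT real certificates ---
def _der(tag, *parts):
    body = b"".join(parts)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + body


def fake_cert(subject_cn, issuer_cn):
    """Only the tbsCertificate fields the linter reads; empty SPKI and signature."""
    def name(cn):  # Name ::= SEQUENCE OF SET OF { OID commonName, UTF8String }
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03"),
                                              _der(0x0C, cn.encode()))))
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02")),                          # [0] version v3
               _der(0x02, b"\x01"),                                      # serialNumber
               _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),
               name(issuer_cn),
               _der(0x30, _der(0x17, b"250101000000Z"), _der(0x17, b"260101000000Z")),
               name(subject_cn),
               _der(0x30, b""))
    return _der(0x30, tbs, _der(0x30, b""), _der(0x03, b"\x00"))


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


SELF_SIGNED = to_pem(fake_cert("host-16573.ns8.test", "host-16573.ns8.test"))
LEAF = fake_cert("mail.domain.tld", "Example Intermediate CA")
GOOD_CHAIN = to_pem(LEAF) + to_pem(fake_cert("Example Intermediate CA", "Example Root CA"))

if __name__ == "__main__":
    print(lint(SELF_SIGNED, SELF_SIGNED))             # the NS8 default-cert situation
    print(lint(GOOD_CHAIN, to_pem(LEAF)))              # []
    print(lint(GOOD_CHAIN.rstrip("\n"), to_pem(LEAF)))
```

On a real node, copy the files out with `runagent -m mail1 cat tls-certs/fullchain.pem` and pass their contents to lint(). DN equality is only the first half of what openssl verify checks for error 18 (it also verifies the signature with the certificate's own key), so treat the self-signed finding as a strong hint and confirm with the openssl verify command quoted earlier in the thread.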