Revert redirection of tls certificate path

Jan 20, 2022
I need to update my tls certs, uploaded the new data via the UI and I can see it is stored in /etc/pmg/pmg-tls.pem
But when I run openssl to test, I still get the old cert.

After browsing around I noticed the following entries in /etc/pmg/templates/main.cf
Code:
smtpd_tls_cert_file = /etc/ssl/certs/wildcard.crt
smtpd_tls_key_file =  /etc/ssl/private/wildcard.key
smtp_tls_CAfile = /etc/ssl/certs/wildcard-cacerts.cer

So someone before me has been redirecting the cert location. Now, what do I need to do to revert back to the original setup?
I tried to comment out those 3 lines, hoping that a "default" is used, but after that change no certs are returned by openssl

Code:
openssl s_client -connect mail.mydomain.com:25 -starttls smtp -no_ssl3
CONNECTED(00000003)
4027F9C4B67F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:354:
---
no peer certificate available
---
No client certificate CA names sent

So I guess I need to point to /etc/pmg/pmg-tls.pem in main.cf but there's only one file?
Or in other words, what is the original entry which will replace those 3?

Edit: wherever it says main.cf read this as
Code:
main.cf
for some reason the editor here keeps on removing the ".in"
 
After browsing around I noticed the following entries in /etc/pmg/templates/main.cf.in
The system changed the template for postfix main.cf

Or in other words, what is the original entry which will replace those 3?
The original template shipped in the package is in /var/lib/pmg/templates (so you can check how it was without modifications)
see:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine

So I guess I need to point to /etc/pmg/pmg-tls.pem in main.cf but there's only one file?
Yes, this is possible and common (you add the same file as key and as cert file); see section 4.6.7 at
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#sysadmin_certificate_management
 
Thanks Stoiko.
Got it working!

I am a little uncertain if I need the CA/Intermediate certificates to be added or not.
Right now, all that's in the pem is private key and certificate. Given that things are working I guess mail servers aren't checking the chain?
 
For SMTP the state in my experience is that there is usually no checking for a certificate to be signed by a trusted root CA.
(if you don't trust the certificate the mails are sent unencrypted over the internet in most configurations)

You can check if your system trusts the certificate with openssl:
`openssl s_client -connect <your.pmg.ip.addr>:25 -starttls smtp`
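As an added example (not code from the thread or from Proxmox), the following script inventories a combined key+certificate PEM like /etc/pmg/pmg-tls.pem and compares the certificate a server presents (for instance the first CERTIFICATE block pasted from `openssl s_client -showcerts`) against the certificate in that file, which is exactly the check that catches a main.cf.in still pointing at the old wildcard files. The PEM bodies are constructed placeholder bytes rather than real DER, so only the structure and fingerprint comparison are exercised; the `_pem_block` helper and all sample constants are assumptions for the demo.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN ([^-]+)-----\n(.*?)-----END \1-----", re.S)


def parse_pem(text):
    """Return [(label, der_bytes)] for every PEM block in text, in file order."""
    return [(label, base64.b64decode(body)) for label, body in PEM_RE.findall(text)]


def fingerprint_sha256(der):
    """Colon-separated SHA-256 fingerprint, the format 'openssl x509 -fingerprint -sha256' prints."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def audit_bundle(text):
    """Inventory a combined key+cert PEM (key, leaf, optional intermediates) such as pmg-tls.pem."""
    blocks = parse_pem(text)
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    keys = [der for label, der in blocks if label.endswith("PRIVATE KEY")]
    return {
        "has_private_key": len(keys) == 1,
        "cert_count": len(certs),
        "leaf_fingerprint": fingerprint_sha256(certs[0]) if certs else None,
        "has_intermediates": len(certs) > 1,  # False means only the leaf is shipped to clients
    }


def served_leaf_matches(served_text, bundle_text):
    """True if the first cert the server presented is the first cert in the bundle file."""
    served = [der for label, der in parse_pem(served_text) if label == "CERTIFICATE"]
    local = [der for label, der in parse_pem(bundle_text) if label == "CERTIFICATE"]
    if not served or not local:
        return False
    return fingerprint_sha256(served[0]) == fingerprint_sha256(local[0])


def _pem_block(label, body):
    # Helper (assumed, for the demo only): wrap raw bytes as a PEM block.
    b64 = base64.encodebytes(body).decode()
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n"


# Constructed sample data: placeholder bytes stand in for real DER key/cert contents.
PMG_TLS_PEM = _pem_block("PRIVATE KEY", b"constructed-key") + _pem_block("CERTIFICATE", b"constructed-new-leaf")
SERVED_NEW = _pem_block("CERTIFICATE", b"constructed-new-leaf")          # what a fixed main.cf.in serves
SERVED_OLD = _pem_block("CERTIFICATE", b"constructed-old-wildcard-cert") # what a stale cert path serves
```

Run `served_leaf_matches` on the real output of `openssl s_client -connect <host>:25 -starttls smtp -showcerts` and the contents of /etc/pmg/pmg-tls.pem; a False result means Postfix is still reading a different certificate file.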
 