Let's Encrypt unknown authority when getting mail from postfix/dovecot via IMAP or POP

There's a regression after the fix for the https://www.virtualmin.com/node/43460 issue: browsers are now OK, but mail clients, for example Evolution on Linux, don't recognize the Let's Encrypt authority now.

Can you make the scripts generate a separate certificate with the X1 Let's Encrypt authority for postfix/dovecot?

Status: Active

Comments

That's crazy! Let's Encrypt has declared that the X3 CA is the official cert now, so it seems like a bug in the mail client if only the X1 cert is recognized.

Browsers are bundled with trusted CA certs, and mail clients use system CA certs, so there may be a lag while all systems get updates, and some of them, such as old Android versions, won't get them ever.

I'm not sure if this is fixable in a way that satisfies all clients. The best option is for Virtualmin to use the X3 cert, and wait for clients to catch up.

Maybe make a separate legacy certificate file with both X1 and X3 for dovecot?

Right, but wouldn't that cause new mail clients that only accept the X3 CA to break?