https://docs.kumomta.com/tutorial/system_preparation/?h=certi#creating-a-self-signed-certificate
and that’s fine (like I’m familiar enough with the concept I might be able to figure it out) but wanted to let you know those instructions I THINK are incomplete?
You are only halfway there. The csr and key create the cert
…I figured it out.
Looking
the instructions are complete, I just missed something
mv -f ca.crt /etc/pki/tls/certs
that’s my cert
so I just need to add /etc/pki/tls/certs to my kumo.start_esmtp_listener
Perfect.
trying now
I need to be AFK for a bit but will answer any new comments as soon as I am back
I appreciate that, sorry it was such a silly oversight
got confused between .crt/.pem/certs
well that’s progress
```
[x.x.x.x:29299->y.y.y.y:25] 131ms -> STARTTLS
[x.x.x.x:29299->y.y.y.y:25] 131ms <- 220 Ready to Start TLS
[x.x.x.x:29299->y.y.y.y:25] 265ms === ERROR: Peer Disconnected
```
so THAT could be that their server doesn’t like the self-signed certificate
Yeah, that is what I was starting to say above. They are complaining about your cert (or lack thereof)
This usually means that the SSL certificate presented by the server is not trusted by the system for one or more of the following reasons:
1. The server is using a self-signed certificate which cannot be verified.
2. The local system is missing a Root or Intermediate certificate needed to verify the server's certificate.
3. A Certificate Authority CRL server for one or more of the certificates in the chain is temporarily unavailable.
4. The certificate presented by the server is expired or invalid.
5. The set of SSL/TLS protocols supported by the client and server do not match.
See https://github.com/jstedfast/MailKit/blob/master/FAQ.md#ssl-handshake-exception for possible solutions.
there we go. perfect
so 2 issues (in case anyone else searches and finds this):
- if you’re following the self-signed certificate instructions and the esmtp_listener instructions, realize that the .pem file would actually be your /etc/pki/tls/certs file
- some injectors don’t allow self-signed certificates