postfix not delivery mail throught lmtp

We have an URGENT request for assistance.

We run Cyrus (2.2.12) on SLES8 (service pack 3).

Last week we attempted to update our SSL certificate for secure IMAP
(port 993) and secure SMTP. We experienced problems as the Verisign
supplied replacement certificate was "chained" and Cyrus didn't seem to
recognise it, so we successfully reverted to the original certificate.

Over the weekend the old certificate expired. Today we have again
attempted to install a Verisign chained cert and subsequently a
self-signed certificate. With either of these certificates, we note
that it is not possible to connect on IMAPS (993) or POP3S (995) ports
and also that Postfix (on the same machine, using LMTP) cannot deliver
to the Cyrus mail store (our Postfix "active" mail queue is growing).

Out of desperation, we have reverted to the expired certificate and
Cyrus still seems to refuse to accept mail from Postfix, and to refuse
secure connections. Postfix uses the same certificates and it IS
talking secure SMTP.

We cannot see any relevant error messages in the logfiles.

Could you please advise us how to proceed.

trevor_obba@yahoo.co.uk wrote:
> We have an URGENT request for assistance.
>
> We run Cyrus (2.2.12) on SLES8 (service pack 3).
>
> Last week we attempted to update our SSL certificate for secure IMAP
> (port 993) and secure SMTP. We experienced problems as the Verisign
> supplied replacement certificate was "chained" and Cyrus didn't seem to
> recognise it, so we successfully reverted to the original certificate.
>
> Over the weekend the old certificate expired. Today we have again
> attempted to install a Verisign chained cert and subsequently a
> self-signed certificate. With either of these certificates, we note
> that it is not possible to connect on IMAPS (993) or POP3S (995) ports
> and also that Postfix (on the same machine, using LMTP) cannot deliver
> to the Cyrus mail store (our Postfix "active" mail queue is growing).
>
> Out of desperation, we have reverted to the expired certificate and
> Cyrus still seems to refuse to accept mail from Postfix, and to refuse
> secure connections. Postfix uses the same certificates and it IS
> talking secure SMTP.
>
> We cannot see any relevant error messages in the logfiles.
>
> Could you please advise us how to proceed.

here is lmtp test

imtest -t "" cyrus
S: * OK piglet Cyrus IMAP4 v2.2.12 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE
STARTTLS
S: C01 OK Completed
C: S01 STARTTLS

Then it hangs

trevor_obba@yahoo.co.uk wrote:
> We have an URGENT request for assistance.
>
> We run Cyrus (2.2.12) on SLES8 (service pack 3).
>
> Last week we attempted to update our SSL certificate for secure IMAP
> (port 993) and secure SMTP. We experienced problems as the Verisign
> supplied replacement certificate was "chained" and Cyrus didn't seem to
> recognise it, so we successfully reverted to the original certificate.
>
> Over the weekend the old certificate expired. Today we have again
> attempted to install a Verisign chained cert and subsequently a
> self-signed certificate. With either of these certificates, we note
> that it is not possible to connect on IMAPS (993) or POP3S (995) ports
> and also that Postfix (on the same machine, using LMTP) cannot deliver
> to the Cyrus mail store (our Postfix "active" mail queue is growing).
>
> Out of desperation, we have reverted to the expired certificate and
> Cyrus still seems to refuse to accept mail from Postfix, and to refuse
> secure connections. Postfix uses the same certificates and it IS
> talking secure SMTP.
>
> We cannot see any relevant error messages in the logfiles.
>
> Could you please advise us how to proceed.
>

This is just a wild guess in the dark, but have you tried appending the
Verisign root certificate to the verisign.pem file, and also the
intermediate (chained) CA's certificate ?

--
Greg

Greg Hackney wrote:

> trevor_obba@yahoo.co.uk wrote:
> > We have an URGENT request for assistance.
> >
> > We run Cyrus (2.2.12) on SLES8 (service pack 3).
> >
> > Last week we attempted to update our SSL certificate for secure IMAP
> > (port 993) and secure SMTP. We experienced problems as the Verisign
> > supplied replacement certificate was "chained" and Cyrus didn't seem to
> > recognise it, so we successfully reverted to the original certificate.
> >
> > Over the weekend the old certificate expired. Today we have again
> > attempted to install a Verisign chained cert and subsequently a
> > self-signed certificate. With either of these certificates, we note
> > that it is not possible to connect on IMAPS (993) or POP3S (995) ports
> > and also that Postfix (on the same machine, using LMTP) cannot deliver
> > to the Cyrus mail store (our Postfix "active" mail queue is growing).
> >
> > Out of desperation, we have reverted to the expired certificate and
> > Cyrus still seems to refuse to accept mail from Postfix, and to refuse
> > secure connections. Postfix uses the same certificates and it IS
> > talking secure SMTP.
> >
> > We cannot see any relevant error messages in the logfiles.
> >
> > Could you please advise us how to proceed.
> >
>
> This is just a wild guess in the dark, but have you tried appending the
> Verisign root certificate to the verisign.pem file, and also the
> i?
>
> --
> Greg

we received a wildcard certificate in from of keystore.pfx and I below
command to convert it to keystore.pem and then append keystore with
intermediate (chained) CA's certificate

openssl pkcs12 -in KEYSTORE.pfx -out KEYSTORE.pem -nodes

cat intermediate >> keystore.pem

but this did not work either can you help please?