Postfix SNI maps use incomplete certificate chain (cert.pem instead of fullchain.pem) #1175

@tromm

Description

When Virtualmin configures Postfix SNI maps for a domain with SSL enabled, it uses only the leaf certificate (ssl_cert, typically cert.pem) instead of the complete certificate chain (fullchain.pem). This causes mail clients to receive incomplete certificate chains, leading to certificate validation failures.

Impact

Mail clients (iOS Mail, Thunderbird, etc.) fail to validate the certificate because intermediate CAs are missing:

  • Clients cannot build the full chain to the root CA
  • Results in "certificate has expired" or "certificate is untrusted" errors
  • Affects SMTP-TLS and IMAP/POP3-TLS connections
  • Poor user experience for end-users
  • Security scanning services (e.g., Hardenized.com) report certificate chain errors

Root Cause

In /usr/share/webmin/virtual-server/feature-ssl.pl (line ~2887), the SNI map entry is built incorrectly. The code uses $d->{'ssl_cert'} which points to cert.pem (leaf certificate only) instead of the complete chain.

Current (wrong):
key + cert.pem

Expected (correct):
key + cert.pem + intermediate.pem

Or simply use fullchain.pem which includes all of these.

Steps to Reproduce

  1. Create a domain with SSL enabled and Let's Encrypt certificate
  2. Enable Postfix SNI support in Virtualmin
  3. Check /etc/postfix/sni_map - it will show domain.com pointing to cert.pem
  4. Send mail with a mail client (e.g. iOS)
  5. Certificate validation fails because intermediates are missing

Evidence - Local Configuration

Current output (incorrect):
example.com /home/user/ssl_certificates/privkey.pem,/home/user/ssl_certificates/cert.pem

Should be:
example.com /home/user/ssl_certificates/privkey.pem,/home/user/ssl_certificates/fullchain.pem

Evidence - External Validation

Security scanning services report the incomplete certificate chain:

  • Hardenized.com reports: "Certificate chain incomplete - missing intermediate certificates"
  • SSL Labs / Qualys shows: "Chain incomplete" errors
  • testssl.sh reports: "Certificate chain order incorrect or incomplete"

Postfix SNI Map Requirement

According to Postfix documentation, the SNI map value should contain the complete chain:

  • Private key
  • Leaf certificate
  • Intermediate certificates (critical!)

Using only the leaf certificate violates this specification.

Suggested Fix

Replace in /usr/share/webmin/virtual-server/feature-ssl.pl around line 2887:

Old:

my @certs = ( $d->{'ssl_key'}, $d->{'ssl_cert'} );
push(@certs, $d->{'ssl_chain'}) if ($d->{'ssl_chain'});

New:

my @certs = ( $d->{'ssl_key'}, $d->{'ssl_fullchain'} || $d->{'ssl_cert'} );
push(@certs, $d->{'ssl_chain'}) if ($d->{'ssl_chain'});

Or use fullchain.pem path directly instead of cert.pem.

Environment

  • Virtualmin: 7.50.2.pro-1
  • Webmin: 2.610
  • Postfix: 3.4.13-0ubuntu1.4
  • Certbot: 3.0.1
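A quick way to audit an existing map for the condition described in this report, as an added example that is not code from the report, from Virtualmin or from Postfix: the script below reads an sni_map source file, follows each entry's comma- or whitespace-separated PEM files and flags entries that carry no private key or only a single certificate (a leaf with no intermediates). The domain names, paths and PEM bodies used by its self-test are constructed placeholders, not real keys or certificates.

```shell
#!/bin/sh
# Added example (not Virtualmin or Postfix code): scan a Postfix
# tls_server_sni_maps source file and flag entries whose PEM files carry only
# a leaf certificate, i.e. the cert.pem-instead-of-fullchain.pem case above.
# Heuristic only: it counts PEM markers, it does not validate the chain.

# Count lines matching the grep -E pattern in $1 across the comma- and/or
# whitespace-separated file list in $2 (Postfix accepts both separators).
# Unreadable files are reported on stderr and counted as 0. Always exits 0.
count_markers() {
    pattern=$1
    old_ifs=$IFS
    set -f                      # no globbing while splitting the file list
    IFS=', '
    set -- $2
    IFS=$old_ifs
    set +f
    total=0
    for f in "$@"; do
        if [ -r "$f" ]; then
            n=$(grep -c -E -e "$pattern" "$f") || n=0
            total=$((total + n))
        else
            echo "warning: cannot read $f" >&2
        fi
    done
    echo "$total"
}

# Check every entry of an sni_map source file (the text file you feed to
# "postmap -F"). Prints one verdict per domain. Returns 1 if any entry has no
# private key or fewer than two certificates (leaf without intermediates).
check_sni_map() {
    mapfile=$1
    bad=0
    while read -r domain files || [ -n "$domain" ]; do
        case $domain in ''|'#'*) continue ;; esac
        keys=$(count_markers '^-----BEGIN .*PRIVATE KEY-----' "$files")
        certs=$(count_markers '^-----BEGIN CERTIFICATE-----' "$files")
        if [ "$keys" -eq 0 ]; then
            echo "NO-KEY    $domain: $files"
            bad=1
        elif [ "$certs" -lt 2 ]; then
            echo "LEAF-ONLY $domain: $certs certificate, no intermediates: $files"
            bad=1
        else
            echo "OK        $domain: $certs certificates in chain"
        fi
    done < "$mapfile"
    return "$bad"
}

# Write a constructed PEM file with $2 CERTIFICATE blocks and, if $3 is 1, one
# PRIVATE KEY block. Placeholder bodies only; these are not real keys or certs.
make_pem() {
    : > "$1"
    if [ "$3" = 1 ]; then
        printf '%s\nconstructed-placeholder\n%s\n' \
            '-----BEGIN PRIVATE KEY-----' '-----END PRIVATE KEY-----' >> "$1"
    fi
    i=0
    while [ "$i" -lt "$2" ]; do
        printf '%s\nconstructed-placeholder\n%s\n' \
            '-----BEGIN CERTIFICATE-----' '-----END CERTIFICATE-----' >> "$1"
        i=$((i + 1))
    done
}

# Self-test on a constructed map mirroring the report: one domain pointing at
# cert.pem (leaf only), one at fullchain.pem (leaf + intermediate).
# Returns check_sni_map's status, so 1 is the expected result here.
demo() {
    tmp=$(mktemp -d) || return 2
    make_pem "$tmp/privkey.pem" 0 1
    make_pem "$tmp/cert.pem" 1 0
    make_pem "$tmp/fullchain.pem" 2 0
    {
        echo "# constructed sni_map for the self-test"
        echo "bad.example.com  $tmp/privkey.pem,$tmp/cert.pem"
        echo "good.example.com $tmp/privkey.pem,$tmp/fullchain.pem"
    } > "$tmp/sni_map"
    check_sni_map "$tmp/sni_map"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

if [ "$#" -gt 0 ]; then
    check_sni_map "$1"          # e.g. sh check_sni_map.sh /etc/postfix/sni_map
else
    demo || :                   # no map given: run the self-test
fi
```

Run it as sh check_sni_map.sh /etc/postfix/sni_map; with no argument it runs the self-test, which reports bad.example.com as LEAF-ONLY and good.example.com as OK. Two caveats: the check only counts PEM markers, so a present but wrong intermediate still passes, and because postmap -F reads the referenced files and stores their contents inside the compiled table, the map has to be rebuilt with postmap -F hash:/etc/postfix/sni_map after the fix and after every certificate renewal, or the running server keeps serving the old chain. The end-to-end view is openssl s_client -connect mail.example.com:587 -starttls smtp -servername example.com, whose output lists every certificate the server actually sent.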
