Self signed certificate in certificate chain issue with e-mail notification setup...

Ensto
Ensto Posts: 20  Freshman Member
edited August 2022 in Security
Hi.

When I try to set up the e-mail client for notifications in USG FLEX 100, the e-mail server test fails due to the ''Self signed certificate in certificate chain'' error.

I need to use TLS/SSL ''Implicit mode'' (aka no STARTTLS) on port 465 and with server authentication, no exceptions in my company security policy.


My question:

I am connected to WAN with a public dynamic IP address. Do I need to create a DDNS and get a CA issued certification for that DDNS domain and import this to the ZyWALL in order to get this to work?

Best Answers

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,206  Zyxel Employee
    Answer ✓

    Hi

    Currently, we are not very clear about what situation you encountered. Could you provide more detailed information to us:

    (1). I quoted the information you mentioned:

    “When I try to setup the e-mail client for notifications in USG FLEX 100 the e-mail server test fails due to the ''Self signed certificate in certificate chain''.”

    Do you mean you configured Configuration > System > Notification > Mail Server but you couldn’t receive the notification e-mail because the certificate is self-signed from USG Flex100? If so, could you share a screenshot of the Mail Server settings with us? And a screenshot of the failed test? Is the e-mail server yours or a public e-mail server (such as Gmail)? Could you share your network topology, including the e-mail server, USG Flex100, and other hosts (AP, PC, servers), with us?

    (2). Have you tried enabling port 587 with TLS Security and STARTTLS to see if it works? As below:


    (3). Why do you expect that importing a certificate with a DDNS domain name into the USG Flex 100 would solve your previous problem?



  • Ensto
    Ensto Posts: 20  Freshman Member
    Answer ✓

    Hi Zyxel_Jeff.

    Thanks for the reply. I did solve the problem and it was due to my low experience of authentication terms in IT. I simply thought that ''Authenticate Server'' check box for Mail Server Port was the same as SMTP Authentication. So I never ran any test without it...

    Regarding your third question. It was just a thought that maybe the mail server wanted to validate the email client/sender IP address somehow and maybe I could do this with a valid domain or DDNS certificate. But as I said, I do not have the proper experience or education yet in IT to discuss this subject further, especially when it comes to Authentication and certificates  ;)


    Many thanks  =)
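
The distinction this thread turns on, as an added example that is not part of the original posts or Zyxel's code: server authentication is certificate verification during the TLS handshake, while SMTP Authentication is the client login that follows it. It assumes the firewall's ''Authenticate Server'' option corresponds to certificate verification; the function names and the host `mail.example.com` are hypothetical.

```python
import smtplib
import ssl

# OpenSSL X.509 verify codes a mail-server test can report.
VERIFY_HINTS = {
    18: "server certificate is itself self-signed and not in the trust store",
    19: "chain ends in a root CA that is not in the client's trust store",
    20: "issuer certificate not found locally (incomplete trust store)",
    62: "certificate does not match the server hostname",
}

def build_context(authenticate_server=True, cafile=None):
    """TLS settings for the two states of a server-authentication switch."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    if not authenticate_server:
        # Traffic is still encrypted, but the server's identity is unchecked.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def classify(exc):
    """Map a certificate verification failure to (code, explanation)."""
    code = getattr(exc, "verify_code", None)
    return code, VERIFY_HINTS.get(code, getattr(exc, "verify_message", str(exc)))

def probe(host, port=465, user=None, password=None, cafile=None):
    """Implicit-TLS connect with verification, then an optional SMTP AUTH login."""
    result = {"server_authenticated": False, "smtp_auth": None, "detail": ""}
    try:
        ctx = build_context(True, cafile)
        with smtplib.SMTP_SSL(host, port, timeout=10, context=ctx) as smtp:
            result["server_authenticated"] = True  # handshake verified the server
            if user is not None:
                try:
                    smtp.login(user, password)     # SMTP Authentication: client login
                    result["smtp_auth"] = True
                except smtplib.SMTPException as exc:
                    result["smtp_auth"] = False
                    result["detail"] = str(exc)
    except ssl.SSLCertVerificationError as exc:
        code, hint = classify(exc)
        result["detail"] = f"verify error {code}: {hint}"
    return result

if __name__ == "__main__":
    # mail.example.com is a placeholder host; cafile would be the mail server's CA.
    print(probe("mail.example.com", cafile=None))
```

Code 19 is resolved on the verifying side, by adding the CA that issued the mail server's certificate to the client's trust store (the `cafile` argument here); a certificate for the client's own address plays no part in that check.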
