Namecheap currently offers one of the most affordable ways to get a (not self-signed) SSL cert to use with your web-/mailserver – the only drawback being, that it isn’t signed by a CA Root, but through some subsidiaries, which means you’ll also have to install a supplied CA bundle on the server or else you’ll get a bunch of SSL errors.
With dovecot as POP/IMAP server, that’s actually quite easy – just put all the certs in single file, starting with your servers cert and followed by the three certs supplied by Namecheap/Comodo.
This should work fine with most mail clients, like Thunderbird or Evolution. The cert also worked with Apache for HTTPS. But for some reason, it didn’t work with my Android mail app.
Turns out, Android can be quite picky about the order of the cert chain…
#~$ echo|openssl s_client -connect yourserver.tld:993 CONNECTED(00000003) depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root --- Certificate chain 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=yourserver.tld i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA 1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware 3 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
If the certs are in any other order, Android threw an error. So your cert file should contain (again: in that order):
- Your Cert as supplied by Namecheap/Comodo/…
- PositiveSSLCA.crt
- UTNAddTrustServerCA.crt
- AddTrustExternalCARoot.crt