Your message dated Wed, 10 Jun 2020 11:43:50 +0200
with message-id <20200610094350.GA409505@chou>
and subject line Re: Bug#712170: bugs.debian.org: tls fails when reportbug
sends in email to bugs.deb.o
has caused the Debian Bug report #712170,
regarding bugs.debian.org: tls fails when reportbug sends in email to bugs.deb.o
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
712170: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712170
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: bugs.debian.org
Severity: normal
The mx used for the incoming bug reports is buxtehude.debian.org.
The box’s exim uses a cert issued by:
C=NA,ST=NA,L=Ankh Morpork,O=Debian SMTP,OU=Debian SMTP CA,
CN=Debian SMTP CA,[email protected]
but that issuer is not included in deb’s ca-certificates.
As a result, tls fails:
Script started on Thu Jun 13 14:52:49 2013
:; gnutls-cli --starttls --port 25 buxtehude.debian.org
Processed 157 CA certificate(s).
Resolving 'buxtehude.debian.org'...
Connecting to '140.211.166.26:25'...
- Simple Client Mode:
220 buxtehude.debian.org ESMTP Exim 4.80 Thu, 13 Jun 2013 18:52:54 +0000
ehlo ore.jhcloos.com
250-buxtehude.debian.org Hello ore.jhcloos.com [198.147.23.85]
250-SIZE 104857600
250-8BITMIME
250-STARTTLS
250 HELP
starttls
220 TLS go ahead
*** Starting TLS handshake
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
- subject `C=NA,ST=NA,L=Ankh Morpork,O=Debian SMTP,OU=Debian SMTP
CA,CN=buxtehude.debian.org,[email protected]', issuer
`C=NA,ST=NA,L=Ankh Morpork,O=Debian SMTP,OU=Debian SMTP CA,CN=Debian SMTP
CA,[email protected]', RSA key 2048 bits, signed using
RSA-SHA1, activated `2013-06-13 00:00:04 UTC', expires `2014-06-13 00:00:04
UTC', SHA-1 fingerprint `90c11b7aa58263809f7a8e199075ad3211f58ee5'
Public Key Id:
06e531f2c8c08dcc04880b93675aaac1f67dbca9
Public key's random art:
+--[ RSA 2048]----+
|.o.*oo. + |
|* + =o.* o |
|oO + o |
|=o . |
|o.. . . S |
|. . . + |
| . o |
| o |
| E. |
+-----------------+
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
:; exit
Script done on Thu Jun 13 14:53:03 2013
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
--- Begin Message ---
This is not a bug.
If you want to verify the cert, you can use DANE.
$ dig +short _25._tcp.buxtehude.debian.org tlsa
3 1 1 3C46429971867E2D0CD09BE624B34BB452719E9B61767F4B6D626794 D10DC7D3
There might be an argument to be made for using a publicly trusted CA
for these certs, but I don't think there's a requirement or expectation
that anyone do this for smtp.
Cheers,
Julien
On Thu, Jun 13, 2013 at 02:55:05PM -0400, [email protected] wrote:
> Package: bugs.debian.org
> Severity: normal
>
> The mx used for the incoming bug reports is buxtehude.debian.org.
>
> The box’s exim uses a cert issued by:
>
> C=NA,ST=NA,L=Ankh Morpork,O=Debian SMTP,OU=Debian SMTP CA,
> CN=Debian SMTP CA,[email protected]
>
> but that issuer is not included in deb’s ca-certificates.
>
> As a result, tls fails:
>
> Script started on Thu Jun 13 14:52:49 2013
> :; gnutls-cli --starttls --port 25 buxtehude.debian.org
> Processed 157 CA certificate(s).
> Resolving 'buxtehude.debian.org'...
> Connecting to '140.211.166.26:25'...
>
> - Simple Client Mode:
>
> 220 buxtehude.debian.org ESMTP Exim 4.80 Thu, 13 Jun 2013 18:52:54 +0000
> ehlo ore.jhcloos.com
> 250-buxtehude.debian.org Hello ore.jhcloos.com [198.147.23.85]
> 250-SIZE 104857600
> 250-8BITMIME
> 250-STARTTLS
> 250 HELP
> starttls
> 220 TLS go ahead
> *** Starting TLS handshake
> - Certificate type: X.509
> - Got a certificate list of 1 certificates.
> - Certificate[0] info:
> - subject `C=NA,ST=NA,L=Ankh Morpork,O=Debian SMTP,OU=Debian SMTP
> CA,CN=buxtehude.debian.org,[email protected]', issuer
> `C=NA,ST=NA,L=Ankh Morpork,O=Debian SMTP,OU=Debian SMTP CA,CN=Debian SMTP
> CA,[email protected]', RSA key 2048 bits, signed using
> RSA-SHA1, activated `2013-06-13 00:00:04 UTC', expires `2014-06-13 00:00:04
> UTC', SHA-1 fingerprint `90c11b7aa58263809f7a8e199075ad3211f58ee5'
> Public Key Id:
> 06e531f2c8c08dcc04880b93675aaac1f67dbca9
> Public key's random art:
> +--[ RSA 2048]----+
> |.o.*oo. + |
> |* + =o.* o |
> |oO + o |
> |=o . |
> |o.. . . S |
> |. . . + |
> | . o |
> | o |
> | E. |
> +-----------------+
>
> - Status: The certificate is NOT trusted. The certificate issuer is unknown.
> *** Verifying server certificate failed...
> *** Fatal error: Error in the certificate.
> *** Handshake has failed
> :; exit
>
> Script done on Thu Jun 13 14:53:03 2013
>
>
> -- System Information:
> Debian Release: jessie/sid
> APT prefers unstable
> APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
--- End Message ---