On Fri, Jun 14, 2013 at 12:24:39PM +0200, Jan P. Kessler wrote:
> currently we are experiencing problems with an incoming SMTP/TLS
> connection. Remote side is an Ironport device, we are using postfix
> 2.8.13 on solaris 10.

Please show "postconf -n".

> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
> mail.info] certificate verification failed for
> mail.dgverlag.de[145.253.80.6]: untrusted issuer
> /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root

Why do you check client certificates?

> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
> mail.info] Untrusted TLS connection established from
> mail.dgverlag.de[145.253.80.6]: TLSv1 with cipher RC4-SHA (128/128 bits)

Why do you use RC4? This suite usually has a pretty low preference.

> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 947731
> mail.warning] warning: TLS library problem: 5847:error:0D0C50A1:asn1
> encoding routines:ASN1_item_verify:unknown message digest
> algorithm:a_verify.c:146:

And now openssl gets something it does not like at all.

> Please let me know if you need any further information. Below the log
> output with debug_peer_list:

The documentation tells you to show configs and no verbose logs.

Bastian

--
I'm frequently appalled by the low regard you Earthmen have for life.
  -- Spock, "The Galileo Seven", stardate 2822.3