>> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
>> mail.info] certificate verification failed for
>> mail.dgverlag.de[145.253.80.6]: untrusted issuer
>> /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
> Why do you check client certificates?

Because we authenticate/whitelist some other systems by their client
certificate.

>> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
>> mail.info] Untrusted TLS connection established from
>> mail.dgverlag.de[145.253.80.6]: TLSv1 with cipher RC4-SHA (128/128 bits)
> Why do you use RC4? This suite usually has a pretty low preference.

It is the remote side that tries RC4. If we establish a connection to
their IronPort, the following is used:

Jun 14 11:48:17 rv-smtpext-101 postfix-OUT/smtp[25604]: [ID 197553
mail.info] Untrusted TLS connection established to
mail1.dgverlag.de[145.253.80.6]:25: TLSv1 with cipher ADH-AES256-SHA
(256/256 bits)

>> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 947731
>> mail.warning] warning: TLS library problem: 5847:error:0D0C50A1:asn1
>> encoding routines:ASN1_item_verify:unknown message digest
>> algorithm:a_verify.c:146:
> And now openssl gets something it does not like at all.
>
>> Please let me know if you need any further information. Below the log
>> output with debug_peer_list:
> The documentation tells you to show configs and no verbose log.

Bastian, I really don't want to argue here. It is absolutely clear that
(as you and others have also noticed) openssl "does not like sth at all"
here. And I doubt that "postconf -n" will help with this, but for the
sake of clarity you'll find the information below.

What I really wanted to know is what exactly "openssl does not like at
all" (i.e. what kind of message digest is failing here and how we might
circumvent/exclude the problem).


postconf -n | sed 's/mydomain/EXAMPLE.COM/g'

address_verify_map = btree:$data_directory/VERIFY_ADDRESS
address_verify_negative_cache = yes
address_verify_negative_expire_time = 3d
address_verify_negative_refresh_time = 3h
address_verify_poll_count = 3
address_verify_poll_delay = 6
address_verify_positive_expire_time = 31d
address_verify_positive_refresh_time = 7d
address_verify_sender = postmas...@example.com
address_verify_transport_maps = btree:/etc/postfix/verify_transport
alias_database = hash:/etc/postfix/aliases
alias_maps = $alias_database
alternate_config_directories = /etc/postfix/OUT, /etc/postfix/TLSONLY
body_checks = pcre:/etc/postfix/body_checks
body_checks_size_limit = 512000
bounce_queue_lifetime = 3d
bounce_template_file = /etc/postfix/bounce.cf
command_directory = /opt/vrnetze/postfix/sbin
config_directory = /etc/postfix
daemon_directory = /opt/vrnetze/postfix/libexec
data_directory = /var/spool/postfix/DATA
debug_peer_level = 2
default_privs = nobody
delay_warning_time = 12h
disable_vrfy_command = yes
fast_flush_domains = $relay_domains
header_checks = pcre:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
luser_relay = g_vrnetze_cna...@example.com
mail_name = Mailservice
mail_owner = postfix
mailbox_size_limit = 56000001
mailq_path = /usr/bin/mailq
manpage_directory = /opt/vrnetze/postfix/man
maximal_queue_lifetime = 3d
message_size_limit = 56000000
mime_header_checks = pcre:/etc/postfix/mime_header_checks
mydestination = $myhostname, localhost.$mydomain
mydomain = EXAMPLE.COM
myhostname = mail.EXAMPLE.COM
mynetworks = /etc/postfix/relay_from_networks
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases
plaintext_reject_code = 554
proxy_interfaces = 91.235.236.6, 91.235.236.7, 91.235.236.8, 91.235.236.9
queue_directory = /var/spool/postfix
readme_directory = /opt/vrnetze/postfix/doc
receive_override_options = no_address_mappings
relay_domains = $config_directory/relay_to_domains
remote_header_rewrite_domain = domain.invalid
sample_directory = /etc/postfix
sender_canonical_maps = btree:/etc/postfix/sender_canonical
sendmail_path = /usr/lib/sendmail
setgid_group = postdrop
smtp_enforce_tls = no
smtp_tls_CAfile = /etc/postfix/CERTS/CAcert.pem
smtp_tls_cert_file = /etc/postfix/CERTS/cert.pem
smtp_tls_key_file = /etc/postfix/CERTS/key.pem
smtp_tls_loglevel = 1
smtp_tls_policy_maps = btree:/etc/postfix/TLS_EMPFAENGER
smtp_tls_scert_verifydepth = 8
smtp_tls_session_cache_database = btree:$data_directory/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP Mailservice
smtpd_data_restrictions = reject_unauth_pipelining,
    reject_multi_recipient_bounce
smtpd_end_of_data_restrictions = check_recipient_access
    btree:/etc/postfix/GROESSENBESCHRAENKUNG
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_policy_service_max_idle = 700s
smtpd_policy_service_max_ttl = 1800s
smtpd_policy_service_timeout = 600s
smtpd_proxy_timeout = 600s
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
    permit_mynetworks,
    reject_unauth_destination,
    check_client_access pcre:/etc/postfix/TLS_VERSENDER_CLIENTS,
    check_sender_access btree:/etc/postfix/TLS_VERSENDER,
    check_ccert_access btree:/etc/postfix/tls_ccerts,
    check_client_access cidr:/etc/postfix/CLIENT_WHITELIST,
    check_sender_access btree:/etc/postfix/ABSENDER_WHITELIST,
    check_client_access pcre:/etc/postfix/CLIENT_BLACKLIST,
    check_recipient_access pcre:/etc/postfix/EMPFAENGER_BLACKLIST,
    check_helo_access pcre:/etc/postfix/HELOCHECK,
    check_sender_access btree:/etc/postfix/INTERNE_DOMAINS,
    check_sender_access pcre:/etc/postfix/ABSENDER_BLACKLIST,
    reject_invalid_helo_hostname,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    check_sender_mx_access cidr:/etc/postfix/PRIVATE_NETZE,
    reject_rbl_client zen.spamhaus.org,
    check_recipient_access btree:/etc/postfix/POLICYCHECK,
    check_recipient_access btree:/etc/postfix/VERIFY_EMPFAENGER,
    permit
smtpd_restriction_classes = hapolicycheck, hagroessencheck,
    hagreylistcheck, pfwpolicycheck, greylistcheck, absenderverifizierung,
    empfaengerverifizierung, groessencheck
smtpd_tls_CAfile = /etc/postfix/CERTS/CAcert.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_ccert_verifydepth = 8
smtpd_tls_cert_file = /etc/postfix/CERTS/cert.pem
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA
smtpd_tls_key_file = /etc/postfix/CERTS/key.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers = EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_protocols = SSLv3, TLSv1
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
transport_maps = btree:/etc/postfix/fehlerdomains,
    btree:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
unverified_recipient_reject_reason = User unknown -- Empfaenger nicht
    gefunden

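The question left open in the message above is which digest OpenSSL is rejecting when it logs "unknown message digest algorithm" during ASN1_item_verify. That digest is named by the signatureAlgorithm OID of whichever certificate in the peer's chain is being verified, so the quickest way to answer it is to read that OID out of each certificate and compare the digest against what the local library supports. The following script is an added example, not code from the thread or from the Postfix project: a dependency-free PEM/DER reader that reports the signature OID, digest and signature scheme of every certificate in a chain and flags digests missing from a given set of supported names. The stub certificates it builds for its self-test are constructed and only reproduce the outer Certificate SEQUENCE layout; they are not verifiable certificates, and the default "known digests" set is taken from Python's hashlib, which is only meaningful if that Python links the same OpenSSL build as Postfix (an assumption you should check on the host).

```python
import base64
import hashlib
import re

# Signature-algorithm OIDs -> (digest, scheme).  These are the standard
# PKIX / PKCS#1 / X9.62 values; an OID not in this table is reported as unknown.
SIG_OIDS = {
    "1.2.840.113549.1.1.2": ("md2", "RSA"),
    "1.2.840.113549.1.1.4": ("md5", "RSA"),
    "1.2.840.113549.1.1.5": ("sha1", "RSA"),
    "1.2.840.113549.1.1.11": ("sha256", "RSA"),
    "1.2.840.113549.1.1.12": ("sha384", "RSA"),
    "1.2.840.113549.1.1.13": ("sha512", "RSA"),
    "1.2.840.113549.1.1.14": ("sha224", "RSA"),
    "1.3.14.3.2.29": ("sha1", "RSA"),          # OIW sha1WithRSASignature (old CAs)
    "1.2.840.10040.4.3": ("sha1", "DSA"),
    "1.2.840.10045.4.1": ("sha1", "ECDSA"),
    "1.2.840.10045.4.3.2": ("sha256", "ECDSA"),
    "1.2.840.10045.4.3.3": ("sha384", "ECDSA"),
    "1.2.840.10045.4.3.4": ("sha512", "ECDSA"),
}

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode DER OID content bytes into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der):
    """Return the dotted OID from the outer Certificate.signatureAlgorithm field."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(body, 0)           # skip tbsCertificate
    tag, algid, _ = _read_tlv(body, pos)        # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_raw, _ = _read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid_raw)


def pem_chain_to_der(pem_text):
    return [base64.b64decode("".join(m.group(1).split())) for m in PEM_RE.finditer(pem_text)]


def describe_chain(pem_text):
    """List (index, oid, digest, scheme) for every certificate in a PEM bundle."""
    out = []
    for i, der in enumerate(pem_chain_to_der(pem_text)):
        oid = signature_algorithm_oid(der)
        digest, scheme = SIG_OIDS.get(oid, ("unknown", "unknown"))
        out.append((i, oid, digest, scheme))
    return out


def unsupported_digests(pem_text, known=None):
    """Certificates whose signature digest the local library does not know.

    `known` defaults to hashlib's list (assumption: same OpenSSL as the MTA)."""
    known = set(known) if known is not None else set(hashlib.algorithms_available)
    return [(i, oid, d) for i, oid, d, _ in describe_chain(pem_text) if d not in known]


# --- constructed self-test data: stub DER with only the outer layout -------
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def make_stub_cert(sig_oid):
    """Constructed stand-in: SEQUENCE { tbs placeholder, AlgorithmIdentifier, BIT STRING }."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    algid = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    sig = _tlv(0x03, b"\x00" * 9)
    return _tlv(0x30, tbs + algid + sig)


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


# Constructed chain: a sha256/RSA leaf followed by a sha1/RSA issuer.
SAMPLE_CHAIN = to_pem(make_stub_cert("1.2.840.113549.1.1.11")) + \
               to_pem(make_stub_cert("1.2.840.113549.1.1.5"))

if __name__ == "__main__":
    for idx, oid, digest, scheme in describe_chain(SAMPLE_CHAIN):
        print(f"cert[{idx}] sig={oid} digest={digest} scheme={scheme}")
    print("not known to a sha1/md5-only library:",
          unsupported_digests(SAMPLE_CHAIN, known={"sha1", "md5"}))
```

To run it against the real peer, capture the chain the remote presents (for example with `openssl s_client -starttls smtp -showcerts -connect host:25`, saving the PEM blocks to a file) and pass the file's contents to `describe_chain`; any entry whose digest is not in the set supported by the MTA's OpenSSL is the one producing the ASN1_item_verify failure, and that tells you whether the fix is on your side (a library too old for the digest) or on theirs (an unusual or obsolete digest in their chain).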