> The sender should replace their certificate, it is not compliant with
> TLSv1. This too may take time.
>
> I never enabled ask_ccert on port 25, I had used 587 for that (on a
> machine that nevertheless was not an MSA), and clients with special
> access configured via ccerts had to use a transport table or similar
> to send to a non-default port to get that access.
Thank you for the detailed analysis. I will give them a hint. Although the chance might be small that they will have other partners using old SSL versions and asking for their ccert, they should know about that. The interesting part for me is that smtp (meaning when we send mail to them using TLS) had no problems with their SHA-2 cert. I will consider switching to the submission port for our ccert-whitelisted/authenticated partners, too. It was the first time we encountered problems with that setting in several years (I was aware of the warning note in the docs, but it always worked for us).

>> I understand that the correct solution is an openssl upgrade on
>> our side (due to other security related reasons), but I need a
>> maintenance window for this.
>
> Build OpenSSL 1.0.1e from source without shared libraries, just ".a"
> files (default via OpenSSL's Configure). Then link Postfix against
> that, and deploy. For example with OpenSSL built in /var/tmp/openssl
> (libcrypto.a and libssl.a in that directory, and include files in
> /var/tmp/openssl/include) build as follows (adjusting paths as
> required):

Fortunately I was able to get a change window for one of the nodes last night. After the procedure below everything seems to be fine now on this machine. I'll wait some days and update the other nodes, too. Thanks again for your assistance!

# self compiled things here
BASE=/opt/vrnetze

# sunstudio compiler
CC=/opt/SUNWspro/bin/cc
CXX=/opt/SUNWspro/bin/cc
# exported so both the OpenSSL and the Postfix build see the compiler
export CC CXX

# openssl
./Configure \
    --prefix=${BASE}/openssl \
    --openssldir=${BASE}/openssl \
    solaris-sparcv9-cc
make && make install

# postfix
MYLIBS="-R${BASE}/openssl/lib -R/usr/local/BerkeleyDB.4.7/lib -R/usr/local/lib \
        -L${BASE}/openssl/lib -L/usr/local/BerkeleyDB.4.7/lib -L/usr/local/lib"
MYINCL="-I${BASE}/openssl/include -I/usr/local/BerkeleyDB.4.7/include -I/usr/local/include"
make tidy && make makefiles \
    CCARGS="-DHAS_DB -DUSE_TLS -DHAS_PCRE ${MYINCL}" \
    AUXLIBS="${MYLIBS} -ldb -lssl -lcrypto -lpcre"
make && make upgrade
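The thread turns on the partner's client certificate being signed with a SHA-2 algorithm that the old OpenSSL build on the receiving side could not handle. The following is an added example, not code from this thread or from Postfix, that reads a certificate (DER or PEM) with nothing but the Python standard library and reports its signature algorithm, so the check can be made on a partner's certificate before ask_ccert-based access is relied on. The OID table is a hand-written subset, the sample certificate bytes are constructed for the example, and the sample's tbsCertificate is a stand-in, not a real certificate body.

```python
"""Report the signature algorithm of an X.509 certificate (DER or PEM).

Stdlib only. The ASN.1 walker handles definite-length encodings, which is
all a real certificate uses; it only needs to skip tbsCertificate and read
the AlgorithmIdentifier that follows it.
"""
import base64

# Signature-algorithm OIDs to names. Hand-written subset (assumption: these
# cover the client certificates an SMTP server is likely to be shown).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
SHA2_NAMES = {
    "sha256WithRSAEncryption", "sha384WithRSAEncryption",
    "sha512WithRSAEncryption", "ecdsa-with-SHA256",
}


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:              # high bit clear ends this arc
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem_text):
    """Strip the BEGIN/END armour lines and base64-decode the body."""
    body = "".join(line.strip() for line in pem_text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)


def signature_algorithm(der):
    """Return (oid, name) of the outer signatureAlgorithm of a certificate."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tag, seq_start, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(der, seq_start)        # tbsCertificate: skip it
    _, alg_start, _ = read_tlv(der, tbs_end)        # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    oid = decode_oid(der[oid_start:oid_end])
    return oid, SIG_ALG_NAMES.get(oid, "unknown")


def uses_sha2(der):
    """True when the certificate's signature uses a SHA-2 family digest."""
    return signature_algorithm(der)[1] in SHA2_NAMES


# Constructed sample: a stand-in tbsCertificate (just SEQUENCE { INTEGER 2 }),
# a sha256WithRSAEncryption AlgorithmIdentifier, and a one-byte BIT STRING.
SAMPLE_SHA256_DER = bytes.fromhex(
    "3018"
    "3003020102"
    "300d06092a864886f70d01010b0500"
    "030200ff"
)
# Same structure with the OID swapped to sha1WithRSAEncryption.
SAMPLE_SHA1_DER = SAMPLE_SHA256_DER.replace(
    bytes.fromhex("2a864886f70d01010b"), bytes.fromhex("2a864886f70d010105"))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_SHA256_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for label, blob in (("sha256 sample", SAMPLE_SHA256_DER),
                        ("sha1 sample", SAMPLE_SHA1_DER),
                        ("pem sample", pem_to_der(SAMPLE_PEM))):
        oid, name = signature_algorithm(blob)
        print(f"{label}: {name} ({oid}) sha2={uses_sha2(blob)}")
```

To check a real partner certificate, save the PEM block that `openssl s_client -showcerts` prints for their connection, or the file they supplied for the ccert table, and pass its text to `pem_to_der` before calling `signature_algorithm`.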