On Mon, Oct 21, 2013 at 02:55:22PM +0200, Tobias Reckhard wrote: > Oct 21 08:43:58 <hostname> postfix/smtp[5991]: CA certificate > verification failed for mx10.unicredit.eu[62.122.80.93]:25: > num=7:certificate signature failure
This organization uses SHA256 signatures for their certificates, even though these are not widely supported. The most recent patch levels of Postfix 2.7, 2.8, 2.9 and 2.10 have support for SHA256 turned for SSL/TLS. You need to upgrade to one of these, may as well be 2.10.2, but one of the others will suffice, see http://www.postfix.org/download.html $ posttls-finger -t30 -T 180 -cC -Lsummary "[62.122.80.93]:25" | openssl crl2pkcs7 -nocrl -certfile /dev/stdin | openssl pkcs7 -print_certs -text Certificate: Data: Version: 3 (0x2) Serial Number: 2b:b0:95:be:00:00:00:03:59:e0 Signature Algorithm: sha256WithRSAEncryption Issuer: DC=EU, DC=UNICREDITGROUP, DC=root, CN=UniCredit Subordinate Internal Validity Not Before: Aug 5 14:42:54 2013 GMT Not After : Aug 5 14:42:54 2015 GMT Subject: C=IT, ST=Italy, L=n.a., O=UniCredit Business Integrated Solutions S.C.p.A., OU=US91922, CN=mucimgcc.internal.unicreditgroup.eu/emailAddress=edgesec.u...@unicredit.eu [...] -----BEGIN CERTIFICATE----- MIIGyjCCBbKgAwIBAgIKK7CVvgAAAANZ4DANBgkqhkiG9w0BAQsFADBzMRIwEAYK CZImiZPyLGQBGRYCRVUxHjAcBgoJkiaJk/IsZAEZFg5VTklDUkVESVRHUk9VUDEU MBIGCgmSJomT8ixkARkWBHJvb3QxJzAlBgNVBAMTHlVuaUNyZWRpdCBTdWJvcmRp bmF0ZSBJbnRlcm5hbDAeFw0xMzA4MDUxNDQyNTRaFw0xNTA4MDUxNDQyNTRaMIHR MQswCQYDVQQGEwJJVDEOMAwGA1UECBMFSXRhbHkxDTALBgNVBAcTBG4uYS4xOTA3 BgNVBAoTMFVuaUNyZWRpdCBCdXNpbmVzcyBJbnRlZ3JhdGVkIFNvbHV0aW9ucyBT LkMucC5BLjEQMA4GA1UECxMHVVM5MTkyMjEsMCoGA1UEAxMjbXVjaW1nY2MuaW50 ZXJuYWwudW5pY3JlZGl0Z3JvdXAuZXUxKDAmBgkqhkiG9w0BCQEWGWVkZ2VzZWMu dWJpc0B1bmljcmVkaXQuZXUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQDBZwU+EoauB9eLXCl/f7fBt9g9T7XdfA1EksavXEmZ5BiJ+VK+mcL9+DsMLuZQ aZjUASoVQzDpjWBUq9/ha+YGzhIEsjGZ773q3Mg8A61IkNidXzDC1vS4YvyEGF+f ZCH7bZyTFaqGf+PTHv+O1jmPwphwOMc5JdBg3Ua2tYRDN9e1cGcYHPrlGLwZV46f huJ3ZwzhkA1tUJQOaf3xSotDkNc7k0yWJVwtl7Jx/cqtrRcG+a42JFxyfOEJiERW eqDgbHGzWljUlQu1Bk4au0qR5u1tknvkzifFDTpUAYMjB3T9mkL8xCtjjkFzy6Vm RbVjqz2I3gTH5vwA7HLtPhrVAgMBAAGjggL/MIIC+zAdBgNVHQ4EFgQUGqOYmnyp HIMUth1Y61c/Oh6Fd3AwHwYDVR0jBBgwFoAUpmMomLWl6ZWmfZDUIMi5ujlJoZsw ggEcBgNVHR8EggETMIIBDzCCAQugggEHoIIBA4aB2mxkYXA6Ly8vQ049VW5pQ3Jl ZGl0JTIwU3Vib3JkaW5hdGUlMjBJbnRlcm5hbCxDTj1VU1BLSVBXMDAxLENOPUNE UCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25m aWd1cmF0aW9uLERDPXJvb3QsREM9VU5JQ1JFRElUR1JPVVAsREM9RVU/Y2VydGlm aWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1 dGlvblBvaW50hiRodHRwOi8vY2EudW5pY3JlZGl0LmV1L0lOVC9pbnRjYS5jcmww ggEWBggrBgEFBQcBAQSCAQgwggEEMIHPBggrBgEFBQcwAoaBwmxkYXA6Ly8vQ049 VW5pQ3JlZGl0JTIwU3Vib3JkaW5hdGUlMjBJbnRlcm5hbCxDTj1BSUEsQ049UHVi bGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlv bixEQz1yb290LERDPVVOSUNSRURJVEdST1VQLERDPUVVP2NBQ2VydGlmaWNhdGU/ YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MDAGCCsGAQUF BzAChiRodHRwOi8vY2EudW5pY3JlZGl0LmV1L0lOVC9pbnRjYS5jcnQwDgYDVR0P AQH/BAQDAgWgMD0GCSsGAQQBgjcVBwQwMC4GJisGAQQBgjcVCMO2J4Gj+HWG+Z8g he2jNYaR6GmBKobx7y+FkeVgAgFkAgEKMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBsG CSsGAQQBgjcVCgQOMAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBACzY yZMq+UwAp+jTwLxUEwKl+QjUO9PDkZSj+GByLtw+6wplX/6CCCPTApKXgBzlz59J C+xJ9/YBQkzaKoyliZMG9DDLnjRztan/kfPTdLVlg0JfB6AOctpDt/whepxABIBi rYt94M6lGIeJ6Xb/0mmTwOclYid8aSb7NffmOy3nmrUFLKOkkjgx+8V8w4G8RbM/ 5ueIJbv3cwobuVgdRWYgkifXPTMK1nPU7dia9/TTL2wiIu2iPjkg9NeMF08vXE1V EMjV49T0ocjacRMJnC7kBtqwwNgXlL1sDktk+MUaC/QKXbmQJmoadwdUZApcEhTR 5OA3+kzG7dFfJoSYkwI= -----END CERTIFICATE----- Certificate: Data: Version: 3 (0x2) Serial Number: 61:7a:be:af:00:00:00:00:00:03 Signature Algorithm: sha256WithRSAEncryption Issuer: C=IT, O=UniCredit S.p.A., CN=UniCredit Root Validity Not Before: May 20 09:47:25 2011 GMT Not After : May 20 09:57:25 2021 GMT Subject: DC=EU, DC=UNICREDITGROUP, DC=root, CN=UniCredit Subordinate Internal [...] -----BEGIN CERTIFICATE----- MIIGLDCCBRSgAwIBAgIKYXq+rwAAAAAAAzANBgkqhkiG9w0BAQsFADBBMQswCQYD VQQGEwJJVDEZMBcGA1UEChMQVW5pQ3JlZGl0IFMucC5BLjEXMBUGA1UEAxMOVW5p Q3JlZGl0IFJvb3QwHhcNMTEwNTIwMDk0NzI1WhcNMjEwNTIwMDk1NzI1WjBzMRIw EAYKCZImiZPyLGQBGRYCRVUxHjAcBgoJkiaJk/IsZAEZFg5VTklDUkVESVRHUk9V UDEUMBIGCgmSJomT8ixkARkWBHJvb3QxJzAlBgNVBAMTHlVuaUNyZWRpdCBTdWJv cmRpbmF0ZSBJbnRlcm5hbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB AOhI2tUNvsJ7Go2HG2Vqrws36lz6yLVOnKkcRhalc+wuiAbJGG1JV98yMP+0I6xQ 6mER0jaRk7soVyRtERNrSc4leCfVu2fjLqpUofAhFC3kZeDOhW3FSDlPRTmG/pRD XF7GnZq7NknS+d/jPCSneY1ZMwmEdTH+kt4CmArrHkj8cLZAfFt+dlVIHIf/dDez 85v5HBIISeP+LIZSkVOziS3rSO8BxipkBsex+VrM4V9t0a/DBW0DigTMIrmNyW6M 0WLfoSushDB25xe+nhyCXcp2iZbRR0p475HSS3U4hkfMMEZwqPHwOb6r7P3+dZ2d hwC/7xDzCbGKEjmDVkddTM0CAwEAAaOCAvIwggLuMBAGCSsGAQQBgjcVAQQDAgEA MB0GA1UdDgQWBBSmYyiYtaXplaZ9kNQgyLm6OUmhmzBMBgNVHSAERTBDMEEGDCsG AQQBgqEYAQEBATAxMC8GCCsGAQUFBwIBFiNodHRwOi8vY2EudW5pY3JlZGl0LmV1 L0NQUy9jcHMuaHRtbDAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8E BAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBQ7MIjj6hkIJ65q2OmZ q23FXdHKVTCCAQoGA1UdHwSCAQEwgf4wgfuggfiggfWGgctsZGFwOi8vL0NOPVVu aUNyZWRpdCUyMFJvb3QsQ049VU5JQ1JFRElUUk9PVCxDTj1DRFAsQ049UHVibGlj JTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixE Qz1yb290LERDPVVOSUNSRURJVEdST1VQLERDPUVVP2NlcnRpZmljYXRlUmV2b2Nh dGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludIYl aHR0cDovL2NhLnVuaWNyZWRpdC5ldS9DUkwvcm9vdGNhLmNybDCCAQMGCCsGAQUF BwEBBIH2MIHzMIG9BggrBgEFBQcwAoaBsGxkYXA6Ly8vQ049VW5pQ3JlZGl0JTIw Um9vdCxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2Vydmlj ZXMsQ049Q29uZmlndXJhdGlvbixEQz1yb290LERDPVVOSUNSRURJVEdST1VQLERD PUVVP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9u QXV0aG9yaXR5MDEGCCsGAQUFBzAChiVodHRwOi8vY2EudW5pY3JlZGl0LmV1L0NS VC9yb290Y2EuY3J0MA0GCSqGSIb3DQEBCwUAA4IBAQChQ/peK5XDvfyi7z5dcroV PY+3/yMgB8Tzx8zny53JLxdXGYxNBlVrymCxpA+RJdjO18lBoOPS+vIB9Cu16BHy YaTcCLdEQw3Mo0ha53+jgulKC86d1gZFQosPP3xCVLgFUuZ+f6wWorU7lraE0dt1 MEHMj3ZrEXX01V5V/DPvKq9li5SqWwzy2ozG25eGlqgWjf834NQz6AF+VWJSJvND ZbqgKVSIJrhwQ64Yh1Q1t53sNEYsgYj1aztP9KaSzE7fyusYcRJUdO/EBIpG8dkj 6I0VMtAYI/Qv71250Z5id+NRQA/Px8itXoqhM4W4NVn6xqlF7P/5XJ7OCqf4/GfN -----END CERTIFICATE----- Certificate: Data: Version: 3 (0x2) Serial Number: 16:de:d6:f6:72:44:10:ae:4c:91:a4:ad:a9:3a:ba:2b Signature Algorithm: sha256WithRSAEncryption Issuer: C=IT, O=UniCredit S.p.A., CN=UniCredit Root Validity Not Before: Mar 10 03:33:45 2011 GMT Not After : Mar 10 03:39:56 2031 GMT Subject: C=IT, O=UniCredit S.p.A., CN=UniCredit Root [...] -----BEGIN CERTIFICATE----- MIIDrTCCApWgAwIBAgIQFt7W9nJEEK5MkaStqTq6KzANBgkqhkiG9w0BAQsFADBB MQswCQYDVQQGEwJJVDEZMBcGA1UEChMQVW5pQ3JlZGl0IFMucC5BLjEXMBUGA1UE AxMOVW5pQ3JlZGl0IFJvb3QwHhcNMTEwMzEwMDMzMzQ1WhcNMzEwMzEwMDMzOTU2 WjBBMQswCQYDVQQGEwJJVDEZMBcGA1UEChMQVW5pQ3JlZGl0IFMucC5BLjEXMBUG A1UEAxMOVW5pQ3JlZGl0IFJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK AoIBAQDSC37xO2xR2ksdBuLIdilH9BOsjKAIAiChPTe7oduwLdEGc+T34p4UXq1E QhZW7HdlnQWyoI/P1YHK5t7IRTCudaozFy/sTL/wMfKPjLKHgeN4BF6RG0EOn6aO rbmcTxyuNkXrhCgDwtBD6aNpduTc7fzlUrlQUQifuxAQMP1MytFd9zKAn9NZOOoq jV6TOQCjdoyLtwIiMiNqr1LKpWeUEJ97QZurOuUS6fENJufmTf8ZHY/9NY/q++NH ou5jqxH4WcQ9qBRVv520/pClp5P1teIhXXomzJEID57SWjAhkTH3LXn+XsGADGs3 l3bdAPVUhLwcj4XCyk1CE1Nd96K1AgMBAAGjgaAwgZ0wCwYDVR0PBAQDAgGGMA8G A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFDswiOPqGQgnrmrY6ZmrbcVd0cpVMBAG CSsGAQQBgjcVAQQDAgEAMEwGA1UdIARFMEMwQQYMKwYBBAGCoRgBAQEBMDEwLwYI KwYBBQUHAgEWI2h0dHA6Ly9jYS51bmljcmVkaXQuZXUvQ1BTL2Nwcy5odG1sMA0G CSqGSIb3DQEBCwUAA4IBAQBtHCNFetqoC/XhxAXj67kNWzcaqFW3vEbhRFQG2TZ1 3yNA3Kg+uVol1DV8mr1/evFL5cuS7xy530Q55TFptTPCjRBxE/fOd+ZX3uqhDMSu pjJFpyoqzSHf7xTm9I9tkL9AKNIjQWTvS1mIuHImUN41tN8DsWVz+7rD02f6oNBK Oqr07JlE7hQnzbDr1iUoB2IvQBWf29NAIFlaJO/pYOqHgvnOu4Ig8dd0OgtpM/9o SJGSwRPpk1x80vzGdiif1hRJb9d6bh/WDU1Wga0xtyi59r3VW1+/H6/oTh/ySq3d c3F82+t73T/j1nLjUpQL6NZEwB2BjoaE4dI4BU6l2+9X -----END CERTIFICATE----- -- Viktor.
