Hello all,

I'm setting up a new mail server to replace our 9 year old one, and everything works - sending using submission+STARTTLS, receiving, mailman lists, etc - with one exception...

I use PostfixAdmin and its vacation.pl script for managing vacation messages, and it is the sending of the vacation message that fails with the error in the subject line: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

I basically copied everything over from the old/working server, tweaking only for the new hostname, and I've triple checked that the /etc/ssl CA dir and certs dirs are there with correct perms, etc.

I also did try temporarily changing the localhost alias and $myhostname to the same as the old server, with the same result/error.

The main difference between the two is that the new one (with the error) is using the dovecot LDA, while the old one (working vacation) is using postfix/virtual.

So... since submission (using STARTTLS) is working, why is vacation failing with this ssl 'unknown ca' error? Note that in the log below the failure is not on the submission listener at all: it is on a separate loopback connection from 127.0.0.1 to the port-25 smtpd (postfix-25/smtpd), which is presumably the vacation script itself acting as a TLS client and sending the 'unknown ca' alert after STARTTLS.

Appreciate any helpful suggestions on where to look next...

Log of failed session on newhost:

2013-12-28T11:04:58-05:00 newhost postfix/587/smtpd[10598]: connect from myclient.example.com[192.168.1.110]
2013-12-28T11:04:58-05:00 newhost postfix/587/smtpd[10598]: 5A76A80170248: client=myclient.example.com[192.168.1.110], sasl_method=PLAIN, sasl_username=validu...@example.com
2013-12-28T11:04:58-05:00 newhost postfix/cleanup[10613]: 5A76A80170248: message-id=<52bef6a0.1050...@example.com>
2013-12-28T11:04:58-05:00 newhost postfix/qmgr[10594]: 5A76A80170248: from=<validsen...@example.com>, size=623, nrcpt=2 (queue active)
2013-12-28T11:04:58-05:00 newhost dovecot: lda(validrecipi...@example.com): msgid=<52bef6a0.1050...@example.com>: saved mail to INBOX
2013-12-28T11:04:58-05:00 newhost postfix/pipe[10614]: 5A76A80170248: to=<validu...@example.com>, relay=dovecot, delay=0.05, delays=0.02/0.01/0/0.02, dsn=2.0.0, status=sent (delivered via dovecot service)
2013-12-28T11:04:58-05:00 newhost postfix/587/smtpd[10598]: disconnect from myclient.example.com[192.168.1.110]
2013-12-28T11:04:58-05:00 newhost postfix-25/smtpd[10620]: connect from newhost.example.com[127.0.0.1]
2013-12-28T11:04:58-05:00 newhost postfix-25/smtpd[10620]: SSL_accept error from newhost.example.com[127.0.0.1]: 0
2013-12-28T11:04:58-05:00 newhost postfix-25/smtpd[10620]: warning: TLS library problem: 10620:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1256:SSL alert number 48:
2013-12-28T11:04:58-05:00 newhost postfix-25/smtpd[10620]: lost connection after STARTTLS from newhost.example.com[127.0.0.1]
2013-12-28T11:04:58-05:00 newhost postfix-25/smtpd[10620]: disconnect from newhost.example.com[127.0.0.1]

newhost postconf -nf:

newhost : Sat Dec 28, 10:55:27 : ~
 # postconf -nf
alias_maps = hash:/etc/mail/aliases, hash:/var/lib/mailman/data/aliases
anvil_rate_time_unit = 360s
anvil_status_update_time = 3600s
bounce_queue_lifetime = 18h
bounce_size_limit = 1
broken_sasl_auth_clients = yes
cidr = cidr:${maps_dir}/cidr
config_directory = /etc/postfix
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
    $daemon_directory/$process_name $process_id & sleep 5
delay_warning_time = 15m
dovecot_destination_recipient_limit = 1
hash = hash:${maps_dir}/hash
home_mailbox = .maildir/
inet_protocols = ipv4
maps_dir = /etc/postfix/maps
maximal_queue_lifetime = 1d
message_size_limit = 30720000
mydomain = example.com
myhostname = smtp2.example.com
mynetworks = 127.0.0.0/8
mysql = proxy:mysql:${maps_dir}/mysql
parent_domain_matches_subdomains =
recipient_delimiter = +
reject_ndn = check_sender_access ${hash}/reject_ndn
relayhost = [relay.example2.com]
sender_bcc_maps = ${hash}/sender_bcc
smtp_fallback_relay =
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = check_recipient_access ${hash}/moved-employees,
    check_recipient_access ${hash}/x-employees, permit_sasl_authenticated,
    permit_mynetworks, check_sender_access ${hash}/nospoof,
    check_recipient_access ${hash}/blocked_recipients, check_sender_access
    ${hash}/blocked_senders, check_client_access ${cidr}/allowed_clients.cidr, reject_unauth_destination, check_recipient_access ${hash}/backscatter_victim
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks,
    check_client_access ${cidr}/allowed_clients.cidr, reject
smtpd_restriction_classes = reject_ndn
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/myCerts/smtp_crt.pem
smtpd_tls_key_file = /etc/ssl/myCerts/smtp_key.pem
smtpd_tls_security_level = may
submission_client_restrictions = check_client_access
    ${hash}/submission_clients_banned, permit_sasl_authenticated, reject
transport_maps = ${hash}/transport
vacation_destination_recipient_limit = 1
virtual_alias_maps = ${mysql}/vam.cf, hash:/var/lib/mailman/data/virtual-mailman
virtual_gid_maps = static:207
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = ${mysql}/vmd.cf
virtual_mailbox_maps = ${mysql}/vmm.cf
virtual_minimum_uid = 207
virtual_transport = dovecot
virtual_uid_maps = static:207
newhost : Sat Dec 28, 10:55:37 : ~
 #

Log of successful session on oldhost:

2013-12-28T11:47:41-05:00 oldhost postfix-587/smtpd[15133]: connect from myclient.example.com[192.168.1.110]
2013-12-28T11:47:41-05:00 oldhost postfix-587/smtpd[15133]: 42C2EC77127: client=myclient.example.com[192.168.1.110], sasl_method=PLAIN, sasl_username=validu...@example.com
2013-12-28T11:47:41-05:00 oldhost postfix/cleanup[15136]: 42C2EC77127: message-id=<52bf00a3.5000...@example.com>
2013-12-28T11:47:41-05:00 oldhost postfix/qmgr[10550]: 42C2EC77127: from=<validsen...@example.com>, size=1525, nrcpt=2 (queue active)
2013-12-28T11:47:41-05:00 oldhost postfix-587/smtpd[15133]: disconnect from myclient.example.com[192.168.1.110]
2013-12-28T11:47:41-05:00 oldhost postfix/virtual[15138]: 42C2EC77127: to=<validrecipi...@example.com>, relay=virtual, delay=0.1, delays=0.05/0/0/0.04, dsn=2.0.0, status=sent (delivered to maildir)
2013-12-28T11:47:41-05:00 oldhost postfix-25/smtpd[15014]: connect from oldhost.example.com[127.0.0.1]
2013-12-28T11:47:41-05:00 oldhost postfix-25/smtpd[15014]: C841FC7712A: client=oldhost.example.com[127.0.0.1]
2013-12-28T11:47:41-05:00 oldhost postfix/cleanup[15136]: C841FC7712A: message-id=<20131228_164741_041538.validrecipi...@example.com>
2013-12-28T11:47:41-05:00 oldhost postfix/qmgr[10550]: C841FC7712A: from=<validrecipient@example>, size=531, nrcpt=1 (queue active)
2013-12-28T11:47:41-05:00 oldhost postfix-25/smtpd[15014]: disconnect from oldhost.example.com[127.0.0.1]
2013-12-28T11:47:41-05:00 oldhost postfix/pipe[15137]: 42C2EC77127: to=<validrecipient#example....@autoreply.example.com>, orig_to=<validrecipi...@example.com>, relay=vacation, delay=0.68, delays=0.05/0/0/0.63, dsn=2.0.0, status=sent (delivered via vacation service)
2013-12-28T11:47:41-05:00 oldhost postfix/qmgr[10550]: 42C2EC77127: removed
2013-12-28T11:47:42-05:00 oldhost postfix/virtual[15138]: C841FC7712A: to=<validsen...@example.com>, relay=virtual, delay=0.24, delays=0.12/0/0/0.12, dsn=2.0.0, status=sent (delivered to maildir)
2013-12-28T11:47:42-05:00 oldhost postfix/qmgr[10550]: C841FC7712A: removed


And finally, the old (working) host's postconf -nf:

oldhost : Sat Dec 28, 10:03:35 : ~
 # postconf -nf
alias_maps = hash:/etc/mail/aliases, hash:/var/lib/mailman/data/aliases
anvil_rate_time_unit = 360s
anvil_status_update_time = 3600s
bounce_queue_lifetime = 18h
bounce_size_limit = 1
bounce_template_file = /etc/postfix/bounce.cf
broken_sasl_auth_clients = yes
cidr = cidr:${maps_dir}/cidr
config_directory = /etc/postfix
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
    $daemon_directory/$process_name $process_id & sleep 5
delay_warning_time = 15m
dovecot_destination_recipient_limit = 1
hash = hash:${maps_dir}/hash
home_mailbox = .maildir/
inet_protocols = ipv4
maps_dir = /etc/postfix/maps
maximal_queue_lifetime = 1d
message_size_limit = 30720000
mydomain = example.com
myhostname = smtp.example.com
mynetworks = 127.0.0.0/8
mysql = proxy:mysql:${maps_dir}/mysql
parent_domain_matches_subdomains =
recipient_delimiter = +
reject_ndn = check_sender_access ${hash}/reject_ndn
relay_domains =
relayhost = [relay.example2.com]
sender_bcc_maps = ${hash}/sender_bcc
smtp_fallback_relay =
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = check_recipient_access ${hash}/moved-employees,
    check_recipient_access ${hash}/x-employees, permit_sasl_authenticated,
    permit_mynetworks, check_sender_access ${hash}/nospoof,
    check_recipient_access ${hash}/blocked_recipients, check_sender_access
    ${hash}/blocked_senders, check_client_access ${cidr}/allowed_clients.cidr, reject_unauth_destination, check_recipient_access ${hash}/backscatter_victim
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks,
    check_client_access ${cidr}/allowed_clients.cidr, reject_unauth_destination
smtpd_restriction_classes = reject_ndn
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/myCerts/smtp_crt.pem
smtpd_tls_key_file = /etc/ssl/myCerts/smtp_key.pem
smtpd_tls_security_level = may
submission_client_restrictions = check_client_access
    ${hash}/submission_clients_banned, permit_sasl_authenticated, reject
transport_maps = ${hash}/transport
vacation_destination_recipient_limit = 1
virtual_alias_maps = ${mysql}/vam.cf, hash:/var/lib/mailman/data/virtual-mailman
virtual_gid_maps = static:207
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = ${mysql}/vmd.cf
virtual_mailbox_maps = ${mysql}/vmm.cf
virtual_minimum_uid = 207
virtual_uid_maps = static:207
oldhost : Sat Dec 28, 11:28:34 : ~

