On Mon, April 17, 2017 11:30, Viktor Dukhovni wrote:
>

Thank you for bringing this to my attention.

>
> Your host has DANE TLSA records, but lacks a matching certificate.

I am mystified as to what I have done wrong in this respect.  The
certificate in question has this value as its common name:

Subject: CN=inet18.mississauga.harte-lyne.ca

The DNS entries match as far as I can see:

;; ANSWER SECTION:
inet18.mississauga.harte-lyne.ca. 102897 IN A   209.47.176.18

;; ANSWER SECTION:
18.176.47.209.in-addr.arpa. 140860 IN PTR inet18.mississauga.harte-lyne.ca.

And yet as you write, the TLSA verification chain fails:

TLSA records found: 3
TLSA: 2 1 2
380259229e21a1946b38cfc594cbc993b61bc93762b7b6c6637b3eef9c5a2bb70c589b91beb73bd1304eac11b3917e33819e2b47d25d4966435a2a3e83c1f80f
TLSA: 2 0 2
67274b355428905895c6b581950e0ed4f7d043f31f7e7020b716b7faa06776b6aadd33e127624b6e8c75c520a01d9cad3bd29f18fa7dcb3d5fd3917510e6722a
TLSA: 2 1 2
c26e0ec16a46a97386e8f31f8ecc971f2d73136aa377dfdaac2b2b00f7cab4bb29b17d913c82093b41fd0d9e40b66a68361c126f1f4017f9ce60eabc5adba90e

Connecting to IPv4 address: 209.47.176.18 port 25
recv: 220 inet18.mississauga.harte-lyne.ca ESMTP Postfix
send: EHLO cheetara.huque.com
recv: 250-inet18.mississauga.harte-lyne.ca
recv: 250-PIPELINING
recv: 250-SIZE 20480000
recv: 250-ETRN
recv: 250-STARTTLS
recv: 250-ENHANCEDSTATUSCODES
recv: 250-8BITMIME
recv: 250-DSN
recv: 250 SMTPUTF8
send: STARTTLS
recv: 220 2.0.0 Ready to start TLS
TLSv1.2 handshake succeeded.
Cipher: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Peer Certificate chain:
 0 Subject CN: inet18.mississauga.harte-lyne.ca
   Issuer  CN: CA_HLL_ISSUER_2016
 1 Subject CN: CA_HLL_ISSUER_2016
   Issuer  CN: CA_HLL_ROOT_2016
 2 Subject CN: CA_HLL_ROOT_2016
   Issuer  CN: CA_HLL_ROOT_2016
 SAN dNSName: inet18.mississauga.harte-lyne.ca
 SAN dNSName: inet18
 SAN dNSName: inet18.hamilton
 SAN dNSName: inet18.hamilton.harte-lyne.ca
 SAN dNSName: inet18.mississagua
 SAN dNSName: inet18.mississagua.harte-lyne.ca
Error: peer authentication failed. rc=62 (Hostname mismatch)

[2] Authentication failed for all (1) peers.

What may be an obvious error to others I cannot see myself.  What is
wrong with the certificate?  Is one no longer permitted to have
SubjectAlternativeNames?

>
> It looks like you're trying to arrive at working configuration
> without thinking about the key questions:
>
>       * What domains do you accept mail for?
These are listed in the relay_domains map.

>       * Where is mail delivered?
At our main IMAP service which is not directly accessible to this
particular host.  This host is a backup MX and should forward mail to
the primary MX host when that becomes available.

>       * What domain should appear in headers and envelopes of
>           locally generated mail?
The FQDN of this host is required as any originating mail is internal
mail.  This I believe is the default.

>       * What notices should be sent to the postmaster (often
>         "none" is the right answer, provided logs, queues, ...
>           are monitored).
>
>> However, the source of this problem appears to me to be an invalid
>> sender
>
> No, the source is postmaster notices (possibly unwanted) that
> loop back to the local machine, and fail DANE authentication.
>


-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

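The "Hostname mismatch" above is what a DANE-TA (usage 2) check produces when a TLSA record does match an issuer in the chain but the end-entity certificate does not carry the name being verified. The following is an added illustration, not code from the thread or from danetls, of how the TLSA usage/selector/matching-type fields are applied to a chain like the one printed above; the certificate and SPKI byte strings are constructed stand-ins, not the real DER of the CA_HLL certificates.

```python
import hashlib
import re

# Constructed stand-ins for the three-certificate chain shown in the danetls
# output above; in real use "cert" and "spki" would be the DER bytes of each
# certificate and of its SubjectPublicKeyInfo taken from the TLS handshake.
CHAIN = [
    {"cn": "inet18.mississauga.harte-lyne.ca", "cert": b"leaf-cert-der",
     "spki": b"leaf-spki-der",
     "sans": ["inet18.mississauga.harte-lyne.ca", "inet18.hamilton.harte-lyne.ca"]},
    {"cn": "CA_HLL_ISSUER_2016", "cert": b"issuer-cert-der",
     "spki": b"issuer-spki-der", "sans": []},
    {"cn": "CA_HLL_ROOT_2016", "cert": b"root-cert-der",
     "spki": b"root-spki-der", "sans": []},
]

def matching_data(entry, selector, mtype):
    """RFC 6698 association data: selector 0 = full certificate, 1 = SPKI;
    matching type 0 = exact bytes, 1 = SHA-256, 2 = SHA-512."""
    blob = entry["cert"] if selector == 0 else entry["spki"]
    if mtype == 0:
        return blob
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(blob).digest()

def parse_tlsa(text):
    """Parse 'TLSA: u s m' lines followed by a hex line, as danetls prints them."""
    return [(int(u), int(s), int(m), bytes.fromhex(h))
            for u, s, m, h in re.findall(r"TLSA: (\d) (\d) (\d)\s+([0-9a-fA-F]+)", text)]

def name_matches(hostname, leaf):
    """RFC 7672 name check: SAN dNSNames, falling back to the subject CN."""
    return hostname.lower() in [n.lower() for n in (leaf["sans"] or [leaf["cn"]])]

def dane_verify(chain, tlsa_records, hostname):
    """Return (ok, reason).  Usage 3 (DANE-EE) matches the leaf and skips the
    name check; usage 2 (DANE-TA) matches an issuer in the chain and the leaf
    must still carry the expected name.  Usages 0/1 (PKIX) are not used for SMTP."""
    leaf = chain[0]
    for usage, sel, mt, data in tlsa_records:
        if usage == 3 and matching_data(leaf, sel, mt) == data:
            return True, "DANE-EE match on end-entity certificate"
        if usage == 2:
            for ca in chain[1:]:
                if matching_data(ca, sel, mt) == data:
                    if name_matches(hostname, leaf):
                        return True, f"DANE-TA match via {ca['cn']}"
                    return False, f"DANE-TA match via {ca['cn']} but hostname mismatch"
    return False, "no TLSA record matches the presented chain"

# Constructed record: a "2 1 2" association for the intermediate CA's SPKI.
TA_RECORD = "TLSA: 2 1 2\n" + matching_data(CHAIN[1], 1, 2).hex()
```

Running `dane_verify(CHAIN, parse_tlsa(TA_RECORD), name)` with the leaf's own name succeeds, while any name absent from the leaf's SANs reproduces the "hostname mismatch" outcome even though the TLSA record itself matched.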