On Tue, July 10, 2018 13:30, Viktor Dukhovni wrote:
> On Tue, Jul 10, 2018 at 12:55:38PM -0400, James B. Byrne wrote:
>
>> We are migrating our Postfix MX services and in the process have
>> disrupted a setup which has been very stable for the past couple of
>> years. One of the remaining items is this sort of message which
>> only started very recently:
>
> What is the MX hostname associated with this Postfix instance? What
> domains does it serve? That has bearing on the TLSA records seen
> by the connecting SMTP client.

mx31.harte-lyne.ca - harte-lyne.ca / .harte-lyne.ca

>> Jul 10 11:55:30 mx31 postfix-p25/smtpd[70030]: warning: TLS library
>> problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
>> certificate:/usr/src/crypto/openssl/ssl/s3_pkt.c:1493:SSL alert number 42:
>
> The client rejected the server's certificate chain. The details
> are known only to the client.
>
>> I thought that these errors were the result of a misconfigured
>> certificate or private key for the postfix service. However, I have
>> examined these and they appear to be correct:
>
> "Correct" is in the eye of the beholder. Did the certificate chain
> match the associated DANE TLSA records? Might samba.org have reason
> to expect to authenticate your server via WebPKI? You're using a
> private CA...
>
>> CN=mx31.harte-lyne.ca

https://dane-test.had.dnsops.gov/server/dane_check.cgi?host=harte-lyne.ca
reports that all declared servers, other than those currently off-line,
are error free.

> Its current cert chain seems to match the TLSA records for the above
> name, though two of the three TLSA records seem redundant:
>
> mx31.harte-lyne.ca. IN A 216.185.71.31 ; AD=1 NoError
> mx31.harte-lyne.ca. IN AAAA ? ; AD=1 NODATA
> _25._tcp.mx31.harte-lyne.ca. IN CNAME _tlsa._dane.trust.harte-lyne.ca. ; AD=1 NoError
> _tlsa._dane.trust.harte-lyne.ca. IN TLSA 2 0 2 67274b355428905895c6b581950e0ed4f7d043f31f7e7020b716b7faa06776b6aadd33e127624b6e8c75c520a01d9cad3bd29f18fa7dcb3d5fd3917510e6722a ; AD=1 NoError
> _tlsa._dane.trust.harte-lyne.ca. IN TLSA 2 1 2 380259229e21a1946b38cfc594cbc993b61bc93762b7b6c6637b3eef9c5a2bb70c589b91beb73bd1304eac11b3917e33819e2b47d25d4966435a2a3e83c1f80f ; AD=1 NoError
> _tlsa._dane.trust.harte-lyne.ca. IN TLSA 2 1 2 c26e0ec16a46a97386e8f31f8ecc971f2d73136aa377dfdaac2b2b00f7cab4bb29b17d913c82093b41fd0d9e40b66a68361c126f1f4017f9ce60eabc5adba90e ; AD=1 NoError
>
> mx31.harte-lyne.ca[216.185.71.31]: pass: TLSA match: depth = 1, name = mx31.harte-lyne.ca
>   TLS = TLS12 with ECDHE-RSA-AES256GCM-SHA384
>   name = mx31.harte-lyne.ca
>   name = mx31
>   name = mx31.hamilton
>   name = mx31.hamilton.harte-lyne.ca
>   depth = 0
>     Issuer CommonName = CA_HLL_ISSUER_2016
>     Issuer Organization = Harte & Lyne Limited
>     notBefore = 2018-06-01T00:00:00Z
>     notAfter = 2023-06-30T23:59:59Z
>     Subject CommonName = mx31.harte-lyne.ca
>     Subject Organization = Harte & Lyne Limited
>     pkey sha256 [nomatch] <- 3 1 1 3fa3dae08e2fecff0611a75767ee0995a115e308a181ad79a6d163315742b270
>     cert sha512 [nomatch] <- 3 0 2 cc5bd085ba7e1c136539083bf32ad6512b6c0fe5a31a8f2f775b627ab1c6525d7464c751191a4e1747072f5bd63d364713e48a4636ca25e31532ca0657444c7f
>     pkey sha512 [nomatch] <- 3 1 2 39248e9342c4fc8fb67dac3f51e7a2d9e77d7a37df6fac0272006cc7d757e5346c9e11f93f7f8c34cacf95cd0e60d1ab5b3fc2b9881551fa9bc9a6fb6e3300a8
>   depth = 1
>     Issuer CommonName = CA_HLL_ROOT_2016
>     Issuer Organization = Harte & Lyne Limited
>     notBefore = 2016-11-01T00:00:00Z
>     notAfter = 2035-11-01T23:59:59Z
>     Subject CommonName = CA_HLL_ISSUER_2016
>     Subject Organization = Harte & Lyne Limited
>     pkey sha256 [nomatch] <- 2 1 1 9c19d0fed453f6c49cd9f569af9b5da75ef6d8baabd26308eee88adb2d06a3b5
>     cert sha512 [nomatch] <- 2 0 2 ab23a715c42f6cf8a2502b725969adedf1f6c6bedbb483fb49badc5470232297b34a3a7716b2dd7eb086bd6e462599db95f9af3415209eadea71450c72af942a
>     pkey sha512 [matched] <- 2 1 2 380259229e21a1946b38cfc594cbc993b61bc93762b7b6c6637b3eef9c5a2bb70c589b91beb73bd1304eac11b3917e33819e2b47d25d4966435a2a3e83c1f80f
>   depth = 2
>     Issuer CommonName = CA_HLL_ROOT_2016
>     Issuer Organization = Harte & Lyne Limited
>     notBefore = 2016-11-01T00:00:00Z
>     notAfter = 2036-10-31T23:59:59Z
>     Subject CommonName = CA_HLL_ROOT_2016
>     Subject Organization = Harte & Lyne Limited
>     pkey sha256 [nomatch] <- 2 1 1 4bd5dd98b37237136d1a5b2e45ee8ed1c9f2c2569b6dc94f0951da5af6d090c4
>     cert sha512 [nomatch] <- 2 0 2 4a4ea8374f20e46009b03bd19793598b5f4e0d38aeba39644f6b8659057ca16a4c5bfd7f3779ec83c1d26c732edbc9d41454f9866d25109bcde177eae58a4481
>     pkey sha512 [matched] <- 2 1 2 c26e0ec16a46a97386e8f31f8ecc971f2d73136aa377dfdaac2b2b00f7cab4bb29b17d913c82093b41fd0d9e40b66a68361c126f1f4017f9ce60eabc5adba90e
>
> [ 4096-bit keys are IMHO overkill. ]

Having recently replaced our entire PKI because of Mozilla determining
our root certificate had an inadequate key size (selected back in 2005)
I decided overkill is not thorough enough, but perforce suffices. That
is also why we have two separate roots and certificate chains, which
will continue until the last of the original CA's certificates are
replaced or the services shutdown.

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
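The per-depth `[matched]` / `[nomatch]` lines in the output Viktor quoted come down to one comparison per TLSA record: hash the certificate (selector 0) or its SubjectPublicKeyInfo (selector 1) with the record's matching type and compare against the association data, with DANE-EE (usage 3) only allowed to match the leaf and DANE-TA (usage 2) allowed to match an issuer. The following is an added example, not code from the thread or from Postfix: it builds a constructed root -> issuer -> leaf chain with throwaway keys and a constructed TLSA set (the "2 1 2" for the issuing CA and "3 1 1" for the leaf mirror the record types in the thread; the names `Demo`, `newCert`, `mx.example.invalid` and the stale all-zero digest are assumptions), then reports the depth at which each record matches. It performs only the digest comparison; Postfix additionally verifies that the chain actually validates up to a DANE-TA certificate, which this example omits.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TLSA is one TLSA record's RDATA (RFC 6698): usage, selector, matching type, data.
type TLSA struct {
	Usage, Selector, MType uint8
	Data                   []byte
}

// TLSADigest returns the association data cert yields for a selector (0 = full DER
// certificate, 1 = SubjectPublicKeyInfo) and matching type (0 = exact, 1 = SHA-256, 2 = SHA-512).
func TLSADigest(cert *x509.Certificate, selector, mtype uint8) ([]byte, error) {
	input := cert.Raw
	if selector == 1 {
		input = cert.RawSubjectPublicKeyInfo
	} else if selector != 0 {
		return nil, fmt.Errorf("unsupported selector %d", selector)
	}
	switch mtype {
	case 0:
		return input, nil
	case 1:
		s := sha256.Sum256(input)
		return s[:], nil
	case 2:
		s := sha512.Sum512(input)
		return s[:], nil
	}
	return nil, fmt.Errorf("unsupported matching type %d", mtype)
}

// MatchChain reports, per record, the chain depth (0 = leaf) whose digest matches, or -1.
// DANE-EE (usage 3) may only match the leaf; DANE-TA (usage 2) any presented certificate;
// PKIX usages 0 and 1 are ignored, as Postfix ignores them for SMTP.
func MatchChain(chain []*x509.Certificate, records []TLSA) []int {
	depths := make([]int, len(records))
	for i, r := range records {
		depths[i] = -1
		for depth, cert := range chain {
			if r.Usage != 2 && !(r.Usage == 3 && depth == 0) {
				break
			}
			if d, err := TLSADigest(cert, r.Selector, r.MType); err == nil && bytes.Equal(d, r.Data) {
				depths[i] = depth
				break
			}
		}
	}
	return depths
}

// newCert issues a constructed certificate for cn with a fresh Ed25519 key; a nil parent
// yields a self-signed root. Failures here mean a broken crypto install, so the demo panics.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil { // a root signs itself
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above is well-formed
	return cert, key
}

// Demo builds a constructed root -> issuer -> leaf chain (leaf first, as a server presents it)
// and a stand-in TLSA RRset: a DANE-TA "2 1 2" for the issuing CA's SPKI, a DANE-EE "3 1 1"
// for the leaf's SPKI, and a stale "3 0 1" for a certificate that has since been rotated out.
func Demo() ([]*x509.Certificate, []TLSA) {
	root, rootKey := newCert("Demo Root CA", true, nil, nil)
	issuer, issuerKey := newCert("Demo Issuing CA", true, root, rootKey)
	leaf, _ := newCert("mx.example.invalid", false, issuer, issuerKey)
	ta, _ := TLSADigest(issuer, 1, 2)
	ee, _ := TLSADigest(leaf, 1, 1)
	return []*x509.Certificate{leaf, issuer, root}, []TLSA{
		{Usage: 2, Selector: 1, MType: 2, Data: ta},
		{Usage: 3, Selector: 1, MType: 1, Data: ee},
		{Usage: 3, Selector: 0, MType: 1, Data: make([]byte, 32)}, // constructed stale digest
	}
}

func main() {
	chain, records := Demo()
	fmt.Println("match depth per record (-1 = nomatch):", MatchChain(chain, records)) // [1 0 -1]
}
```

The stale "3 0 1" record is the situation to watch for after a migration like the one in the thread: a full-certificate digest (selector 0) stops matching the moment the certificate is reissued, even when the key is unchanged, whereas the SPKI-based "2 1 2" and "3 1 1" records survive a reissue with the same key. Publishing records for the new chain before cutting over, and only then retiring the old ones, keeps clients from ever seeing an RRset that matches nothing.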