On Tue, Jul 10, 2018 at 02:26:05PM -0400, James B. Byrne wrote:

> > What is the MX hostname associated with this Postfix instance?  What
> > domains does it serve?  That has bearing on the TLSA records seen
> > by the connecting SMTP client.
> 
> mx31.harte-lyne.ca - harte-lyne.ca / .harte-lyne.ca

If that's the only hostname resolving to that IP address, then its
DANE TLSA records do appear to be presently correct.  Can't speak
about the past if the machine was undergoing maintenance.

> >> Jul 10 11:55:30 mx31 postfix-p25/smtpd[70030]: warning: TLS library
> >>   problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
> >>   certificate:/usr/src/crypto/openssl/ssl/s3_pkt.c:1493:SSL alert number 
> >> 42:
> >
> > The client rejected the server's certificate chain.  The details
> > are known only to the client.

The connecting client did not like one of the certificates in the
chain.  Perhaps it expected to find a working WebPKI certificate
from one of the usual suspects ("browser bundle" public root CAs).

You should ask the postmaster of the sending domain.  Is the problem
ongoing?  Or a transient glitch?

> > [ 4096-bit keys are IMHO overkill. ]
> 
> Having recently replaced our entire PKI because of Mozilla determining
> our root certificate had an inadequate key size (selected back in
> 2005) I decided overkill is not thorough enough, but perforce
> suffices.  That is also why we have two separate roots and certificate
> chains, which will continue until the last of the original CA's
> certificates are replaced or the services shutdown.

There are interoperability advantages to being in the middle of the
pack; some implementations might have restricted key sizes.  The
most popular key size is RSA-2048.  There isn't much evidence that
this is the issue, so use this suggestion as you see fit.

-- 
        Viktor.

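As an added example for the DANE/TLSA part of the exchange above (this is not code from the list post, from Postfix, or from the server being discussed), here is the check a DANE-aware SMTP client performs on a server's certificate chain, written with the Python standard library only. The MX hostname is the one quoted in the thread; the CA name, the placeholder key bytes, and every function name are assumptions, and the certificates are constructed DER skeletons with dummy keys and signatures rather than real certificates, built only so the SubjectPublicKeyInfo extraction and hashing can run offline.

```python
# Added example (not from the list thread or Postfix): TLSA matching as a
# DANE SMTP client does it. Certificates below are constructed DER skeletons
# with placeholder keys/signatures, built only so SPKI hashing runs offline.
import hashlib

def der_tlv(tag, body):
    """Encode one DER tag-length-value (short or long-form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_read(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag, value, end_offset)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate:
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ...}"""
    tag, cert, _ = der_read(cert_der)
    assert tag == 0x30, "Certificate is not a SEQUENCE"
    tag, tbs, _ = der_read(cert)
    assert tag == 0x30, "tbsCertificate is not a SEQUENCE"
    pos = 0
    tag, _, nxt = der_read(tbs, pos)
    if tag == 0xA0:            # explicit [0] version present (v2/v3 certs)
        pos = nxt
    for _ in range(5):         # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    tag, _, end = der_read(tbs, pos)
    assert tag == 0x30, "subjectPublicKeyInfo is not a SEQUENCE"
    return tbs[pos:end]        # whole TLV, header included, as RFC 6698 hashes it

HASHERS = {0: lambda d: d, 1: lambda d: hashlib.sha256(d).digest(),
           2: lambda d: hashlib.sha512(d).digest()}   # matching types Full/SHA-256/SHA-512

def tlsa_data(cert_der, selector, mtype):
    """Association data for selector 0=Cert / 1=SPKI and a matching type (RFC 6698 2.1)."""
    return HASHERS[mtype](cert_der if selector == 0 else spki_from_cert(cert_der))

def tlsa_rdata(usage, selector, mtype, cert_der):
    """Presentation-form RDATA to publish at _25._tcp.<mx hostname>."""
    return "%d %d %d %s" % (usage, selector, mtype, tlsa_data(cert_der, selector, mtype).hex())

def tlsa_matches(rdata, chain):
    """Match one TLSA record against the presented chain (DER certs, leaf first).
    DANE-EE(3) binds the leaf only; DANE-TA(2) binds an issuer in the chain (a real
    client also verifies chain signatures up to that issuer, which this does not).
    PKIX-TA(0)/PKIX-EE(1) need WebPKI validation; RFC 7672 has SMTP clients treat
    them as unusable, so they never match here."""
    usage, selector, mtype, hexdata = rdata.split()
    candidates = {"3": chain[:1], "2": chain[1:]}.get(usage, [])
    want = bytes.fromhex(hexdata)
    return any(tlsa_data(c, int(selector), int(mtype)) == want for c in candidates)

# Constructed test material: placeholder RSA moduli, unsigned, hypothetical CA name.
NULL = b"\x05\x00"
SIG_ALG = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + NULL)  # sha256WithRSA
OID_RSA = der_tlv(0x06, bytes.fromhex("2a864886f70d010101"))                       # rsaEncryption

def make_cert(subject_cn, issuer_cn, key_fill):
    """Build a v3 certificate skeleton whose RSA modulus is a repeated placeholder byte."""
    def name(cn):
        return der_tlv(0x30, der_tlv(0x31, der_tlv(0x30,
            der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x0c, cn.encode()))))   # CN=...
    rsa_key = der_tlv(0x30, der_tlv(0x02, b"\x00" + bytes([key_fill]) * 256)
                      + der_tlv(0x02, b"\x01\x00\x01"))
    spki = der_tlv(0x30, der_tlv(0x30, OID_RSA + NULL) + der_tlv(0x03, b"\x00" + rsa_key))
    validity = der_tlv(0x30, der_tlv(0x17, b"180701000000Z") + der_tlv(0x17, b"190701000000Z"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + SIG_ALG + name(issuer_cn) + validity + name(subject_cn) + spki)
    return der_tlv(0x30, tbs + SIG_ALG + der_tlv(0x03, b"\x00" * 257)), spki

LEAF, LEAF_SPKI = make_cert("mx31.harte-lyne.ca", "Example Issuing CA", 0xAB)
ISSUER, ISSUER_SPKI = make_cert("Example Issuing CA", "Example Issuing CA", 0xCD)
CHAIN = [LEAF, ISSUER]

if __name__ == "__main__":
    for rdata in (tlsa_rdata(3, 1, 1, LEAF), tlsa_rdata(2, 1, 1, ISSUER)):
        print(rdata, "->", "match" if tlsa_matches(rdata, CHAIN) else "NO match")
```

Two points this makes concrete for the situation above: a "3 1 1" record hashes only the leaf's SubjectPublicKeyInfo, so renewing the certificate with the same key (and the same key size) leaves the published record valid, while rolling to a new key during maintenance silently invalidates it until DNS is updated; and a "2 1 1" record for an issuer only matches if that issuer certificate is actually sent in the chain, which is one reason a client that wants a full WebPKI chain and one that does DANE can disagree about the same server. Against a live server, posttls-finger(1) from the Postfix distribution performs the real version of this check, including the signature verification this example omits.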