Hi, I recently upgraded my systems to have full openssl-1.1.1c support. After upgrading my mail-server, I realized that I had problems with trusting server certificates. I checked that the server still uses /etc/ssl/certs/ca-certificates.crt, but for some reason Postfix can not work with this file anymore. Even running update-ca-certificates (which added 141 CAs) did not solve the problem.
By changing *_CAfile parameters to *_CApath, everything started working again. Is there something special with TLSv1.3 (OpenSSL-1.1.1c) that I forgot to do after upgrade?

Here are some relevant logs I found while troubleshooting:

--------------------------------------------------------
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: setting up TLS connection to mx.roessner-net.de[134.255.226.247]:25
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: mx.roessner-net.de[134.255.226.247]:25: TLS cipher list "aNULL:-aNULL:HIGH:@STRENGTH:!aNULL"
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: looking for session smtp&roessner-net.com&mx.roessner-net.de&134.255.226.247&&D83C77C56AE6BC60C2C9E9B52C4E501B2D34BA7166F7510D567CEFBE7D30B548 in smtp cache
Aug 12 20:32:45 mx postfix/relay/tlsmgr[23993]: lookup smtp session id=smtp&roessner-net.com&mx.roessner-net.de&134.255.226.247&&D83C77C56AE6BC60C2C9E9B52C4E501B2D34BA7166F7510D567CEFBE7D30B548
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:before SSL initialization
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:SSLv3/TLS write client hello
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:SSLv3/TLS write client hello
Aug 12 20:32:45 mx postfix/relay/smtp[24004]: 466k0K1GwXzNkFw: to=<*****@ra-roessner-merle.de>, relay=mx.roessner-net.de[134.255.226.247]:25, delay=11792, delays=11792/0.16/0.26/0, dsn=4.7.5, status=deferred (Server certificate not trusted)
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:SSLv3/TLS read server hello
Aug 12 20:32:45 mx postfix/smtpd[24008]: disconnect from relay.roessner-net.de[134.255.226.249]:46037 ehlo=1 starttls=1 quit=1 commands=3
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:TLSv1.3 read encrypted extensions
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: SSL_connect:SSLv3/TLS read server certificate request
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: mx.roessner-net.de[134.255.226.247]:25: depth=0 verify=0 subject=/CN=mx.roessner-net.de
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: mx.roessner-net.de[134.255.226.247]:25: depth=0 verify=1 subject=/CN=mx.roessner-net.de
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: SSL_connect:SSLv3/TLS read server certificate
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: SSL_connect:TLSv1.3 read server certificate verify
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: SSL_connect:SSLv3/TLS read finished
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: SSL_connect:SSLv3/TLS write change cipher spec
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: SSL_connect:SSLv3/TLS write client certificate
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:SSLv3/TLS read server certificate request
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: mx.roessner-net.de[134.255.226.247]:25: depth=0 verify=0 subject=/CN=mx.roessner-net.de
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: mx.roessner-net.de[134.255.226.247]:25: depth=0 verify=1 subject=/CN=mx.roessner-net.de
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:SSLv3/TLS read server certificate
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: SSL_connect:SSLv3/TLS write certificate verify
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:TLSv1.3 read server certificate verify
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: SSL_connect:SSLv3/TLS write finished
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: certificate verification failed for mx.roessner-net.de[134.255.226.247]:25: self-signed certificate
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: mx.roessner-net.de[134.255.226.247]:25: subject_CN=mx.roessner-net.de, issuer_CN=mx.roessner-net.de, fingerprint=1C:93:B4:39:D9:0A:3C:18:FA:84:90:55:73:77:42:2E, pkey_fingerprint=7C:C6:C5:59:7A:07:A4:E9:14:02:75:92:58:C3:DE:8E
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: Untrusted TLS connection established to mx.roessner-net.de[134.255.226.247]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256
Aug 12 20:32:45 mx postfix/smtpd[24006]: Trusted TLS connection established from relay.roessner-net.de[134.255.226.249]:47803: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:SSLv3/TLS read finished
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:SSLv3/TLS write change cipher spec
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:SSLv3/TLS write client certificate
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: 466kX4238lzNkFS: to=<postmas...@roessner-net.com>, relay=mx.roessner-net.de[134.255.226.247]:25, delay=1082, delays=1081/0.19/0.28/0, dsn=4.7.5, status=deferred (Server certificate not trusted)
Aug 12 20:32:45 mx postfix/smtpd[24006]: disconnect from relay.roessner-net.de[134.255.226.249]:47803 ehlo=1 starttls=1 quit=1 commands=3
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:SSLv3/TLS write certificate verify
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:SSLv3/TLS write finished
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: certificate verification failed for mx.roessner-net.de[134.255.226.247]:25: self-signed certificate
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: mx.roessner-net.de[134.255.226.247]:25: subject_CN=mx.roessner-net.de, issuer_CN=mx.roessner-net.de, fingerprint=1C:93:B4:39:D9:0A:3C:18:FA:84:90:55:73:77:42:2E, pkey_fingerprint=7C:C6:C5:59:7A:07:A4:E9:14:02:75:92:58:C3:DE:8E
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: Untrusted TLS connection established to mx.roessner-net.de[134.255.226.247]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256
Aug 12 20:32:45 mx postfix/smtpd[24012]: Trusted TLS connection established from relay.roessner-net.de[134.255.226.249]:60779: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: 466krX5vPFzNkFb: to=<*****@roessner-net.com>, relay=mx.roessner-net.de[134.255.226.247]:25, delay=225, delays=225/0.22/0.27/0, dsn=4.7.5, status=deferred (Server certificate not trusted)
Aug 12 20:32:45 mx postfix/smtpd[24012]: disconnect from relay.roessner-net.de[134.255.226.249]:60779 ehlo=1 starttls=1 quit=1 commands=3
--------------------------------------------------------

Here are the relevant tls options for relay.roessner-net.de:

--------------------------------------------------------
smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix, ${default_database_type}:${config_directory}/maps/smtp_tls_policy_maps
smtp_tls_security_level = dane
# smtp_tls_connection_reuse = yes
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
# smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_cert_file = /etc/ssl/${myhostname}/cert/fullchain.pem
smtp_tls_key_file = /etc/ssl/${myhostname}/key/privkey.pem
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_dns_support_level = dnssec
smtp_tls_mandatory_ciphers = high
smtp_tls_ciphers = high
smtp_tls_protocols = !SSLv2 !SSLv3 !TLSv1.1
--------------------------------------------------------

Need to use CApath in sending direction.

Here are the relevant tls options for mx.roessner-net.de:

--------------------------------------------------------
# TLS receiving
smtpd_tls_security_level = may
smtpd_tls_ask_ccert = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_cert_file = /etc/ssl/${myhostname}/cert/fullchain.pem
smtpd_tls_key_file = /etc/ssl/${myhostname}/key/privkey.pem
smtpd_tls_dh1024_param_file = ${config_directory}/ssl/dh_2048.pem
smtpd_tls_dh512_param_file = ${config_directory}/ssl/dh_512.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_ciphers = high
smtpd_tls_fingerprint_digest = sha256
smtpd_tls_protocols = !SSLv2 !SSLv3 !TLSv1.1
# tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION
--------------------------------------------------------

I use Let's Encrypt certificates. Postfix version is:

postconf -d mail_version
mail_version = 3.4.6

Thanks for any ideas and help in advance

Christian

--
Rößner-Network-Solutions
Karl-Bröger-Str. 10, 36304 Alsfeld
Fax: +49 6631 78823409, Mobil: +49 171 9905345
USt-IdNr.: DE225643613, https://roessner.website
PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
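The smtp(8) log excerpt in the post mixes handshake state lines, verify-callback results, the peer's identity and the final delivery status for several processes at once. The following is an added Python helper for triaging such output; it is not part of Postfix and not code from the post. It parses the line formats shown above, groups the facts per remote peer, and distinguishes a self-signed end-entity certificate (verify error at depth 0, subject_CN equal to issuer_CN) from chain errors at depth > 0, which are the ones that usually point at the verifier's own CAfile/CApath. The sample input is a constructed subset of the post's own log lines; the function names are hypothetical.

```python
"""Triage Postfix smtp(8) TLS verification log lines (added example, not
part of Postfix). Groups verify-callback results, failure reasons, peer
identity, negotiated trust level and deferred deliveries per remote peer."""
import re
from collections import defaultdict

# Constructed sample: a subset of the lines quoted in the post, one per line.
SAMPLE_LOG = """\
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: mx.roessner-net.de[134.255.226.247]:25: depth=0 verify=0 subject=/CN=mx.roessner-net.de
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: mx.roessner-net.de[134.255.226.247]:25: depth=0 verify=1 subject=/CN=mx.roessner-net.de
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: certificate verification failed for mx.roessner-net.de[134.255.226.247]:25: self-signed certificate
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: mx.roessner-net.de[134.255.226.247]:25: subject_CN=mx.roessner-net.de, issuer_CN=mx.roessner-net.de, fingerprint=1C:93:B4:39:D9:0A:3C:18:FA:84:90:55:73:77:42:2E, pkey_fingerprint=7C:C6:C5:59:7A:07:A4:E9:14:02:75:92:58:C3:DE:8E
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: Untrusted TLS connection established to mx.roessner-net.de[134.255.226.247]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256
Aug 12 20:32:45 mx postfix/smtpd[24006]: Trusted TLS connection established from relay.roessner-net.de[134.255.226.249]:47803: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: 466kX4238lzNkFS: to=<postmas...@roessner-net.com>, relay=mx.roessner-net.de[134.255.226.247]:25, delay=1082, delays=1081/0.19/0.28/0, dsn=4.7.5, status=deferred (Server certificate not trusted)
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: 466krX5vPFzNkFb: to=<*****@roessner-net.com>, relay=mx.roessner-net.de[134.255.226.247]:25, delay=225, delays=225/0.22/0.27/0, dsn=4.7.5, status=deferred (Server certificate not trusted)
"""

# Syslog prefix: "Mon DD HH:MM:SS host postfix/<service>[pid]: <message>"
LINE_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ postfix/(?P<proc>\S+?)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Verify callback result per chain depth (verify=0 = error seen at that depth)
VERIFY_RE = re.compile(r"^(?P<peer>\S+): depth=(?P<depth>\d+) verify=(?P<ok>[01]) subject=(?P<subject>.*)$")
FAILED_RE = re.compile(r"^certificate verification failed for (?P<peer>\S+): (?P<reason>.*)$")
IDENT_RE = re.compile(r"^(?P<peer>\S+): subject_CN=(?P<subject>[^,]*), issuer_CN=(?P<issuer>[^,]*), "
                      r"fingerprint=(?P<fp>[0-9A-F:]+), pkey_fingerprint=(?P<pkfp>[0-9A-F:]+)$")
ESTAB_RE = re.compile(r"^(?P<trust>Untrusted|Trusted|Verified|Anonymous) TLS connection established to "
                      r"(?P<peer>\S+): (?P<proto>\S+) with cipher (?P<cipher>\S+)")
DELIVERY_RE = re.compile(r"^(?P<queue>\w+): to=<(?P<rcpt>[^>]*)>, relay=(?P<peer>\S+), .*dsn=(?P<dsn>[\d.]+), "
                         r"status=(?P<status>\w+) \((?P<text>.*)\)$")


def triage(log_text):
    """Return {peer: facts} for every outbound peer with TLS details in the log.
    Postfix's verify callback logs verify=0 for an error at a depth and then
    lets the handshake continue (hence the later verify=1 for the same depth);
    the trust decision is applied afterwards via the security level, which is
    why the session shows up as 'Untrusted ... established' and the delivery
    is then deferred rather than the handshake being aborted."""
    by_peer = defaultdict(lambda: {"verify_errors": set(), "reasons": set(),
                                   "identities": set(), "trust": set(),
                                   "protocols": set(), "deferred": {}})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        # Only the SMTP client (smtp or relay/smtp) verifies outbound peers;
        # smtpd lines describe inbound sessions and are skipped.
        if not m or m.group("proc").split("/")[-1] != "smtp":
            continue
        msg = m.group("msg")
        if (v := VERIFY_RE.match(msg)):
            if v.group("ok") == "0":
                by_peer[v.group("peer")]["verify_errors"].add((int(v.group("depth")), v.group("subject")))
        elif (f := FAILED_RE.match(msg)):
            by_peer[f.group("peer")]["reasons"].add(f.group("reason"))
        elif (i := IDENT_RE.match(msg)):
            by_peer[i.group("peer")]["identities"].add((i.group("subject"), i.group("issuer"), i.group("fp")))
        elif (e := ESTAB_RE.match(msg)):
            by_peer[e.group("peer")]["trust"].add(e.group("trust"))
            by_peer[e.group("peer")]["protocols"].add(e.group("proto"))
        elif (d := DELIVERY_RE.match(msg)) and d.group("status") == "deferred":
            by_peer[d.group("peer")]["deferred"][d.group("queue")] = d.group("text")
    return dict(by_peer)


def self_signed_leaf(facts):
    """True when the peer itself presented a self-signed end-entity cert:
    error at depth 0, subject_CN == issuer_CN, OpenSSL reason mentions
    'self(-)signed'. Errors at depth > 0 (e.g. 'unable to get local issuer
    certificate') instead point at the trust store on the verifying side."""
    leaf_error = any(depth == 0 for depth, _ in facts["verify_errors"])
    same_name = any(subj == issuer for subj, issuer, _ in facts["identities"])
    reason = any("self" in r and "signed" in r for r in facts["reasons"])
    return leaf_error and same_name and reason


def untrusted_deferrals(by_peer):
    """Peers whose session was established Untrusted and which then caused
    deferred deliveries, sorted for stable reporting."""
    return sorted(p for p, f in by_peer.items() if "Untrusted" in f["trust"] and f["deferred"])


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for peer in untrusted_deferrals(result):
        f = result[peer]
        print(f"{peer}: reasons={sorted(f['reasons'])} self_signed_leaf={self_signed_leaf(f)}")
        for queue_id, text in f["deferred"].items():
            print(f"  deferred {queue_id}: {text}")
```

Run it against a real mail log (with `smtp_tls_loglevel = 1` or higher, as in the post's configuration) by feeding the file's contents to `triage()`; the per-peer `identities` set also makes it easy to spot a peer whose fingerprint changed between sessions.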