On Wed, Jan 19, 2022 at 05:07:38PM -0500, Wayne Spivak wrote:
> That was the solution for TLS failing when I start postfix:
>
> perl -lne print file1 file2 file3
And now your server has the intermediate issuer in its chain, and
verification works:
posttls-finger: mcq.sbanetweb.com[96.224.250.24]:25: matched peername:
mcq.sbanetweb.com
posttls-finger: mcq.sbanetweb.com[96.224.250.24]:25:
subject_CN=mcq.sbanetweb.com, issuer_CN=Entrust Certification Authority - L1K,
fingerprint=1E:69:25:44:74:52:B4:C5:AA:C4:9F:7C:E8:F7:0B:96:A7:35:A9:F6:60:1F:D4:07:30:CD:B3:6B:99:69:88:EC,
pkey_fingerprint=89:F7:3F:9B:2F:6F:F1:51:7B:4E:4C:CD:D5:5D:CB:C7:CE:CA:75:C9:CF:D8:73:EB:08:D2:71:1A:48:8E:FC:CD
posttls-finger: Verified TLS connection established to
mcq.sbanetweb.com[96.224.250.24]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384
(256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)
server-digest SHA256
> [root@mcq postfix]# posttls-finger -cC -lsecure '[mcq.sbanetweb.com]'
This does not use any trust-anchor certs, so verification is sure to
fail when the intermediate issuer can't be verified. This is expected
and normal. You'd need to specify a CAfile ("-F CAfile" option), but
that's not necessary, it works.
> posttls-finger: warning: DNSSEC validation may be unavailable
> posttls-finger: warning: reason: dnssec_probe 'ns:.' received a response that
> is not DNSSEC validated
Your resolver is not a validating resolver. This is harmless if you're
not using DANE.
> posttls-finger: certificate verification failed for
> mcq.sbanetweb.com[96.224.250.24]:25: untrusted issuer /C=US/O=Entrust,
> Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for
> authorized use only/CN=Entrust Root Certification Authority - G2
As expected. You're all set.
> I'm also getting an error on submission in the log, Error is no such
> file/directory.
Start a new thread and post all relevant logs and configuration details.
--
Viktor.
