Have you read http://www.postfix.org/postconf.5.html#smtp_tls_security_level ?


On Thu, Dec 5, 2013 at 3:11 PM, Catalin Vasilescu <[email protected]> wrote:

> Hi,
>
> After searching and trying all sorts of solutions for the error below and
> ending up at the same point every time, I thought I'd turn once again to
> the knowledge of some more skilled Linux people, RLUG.
> I have a Postfix that serves as a mail gateway for Exchange (a subject
> discussed here some time ago), and I can't get its TLS to work with a
> self-signed certificate.
>
> /etc/postfix/main.cf:
> # TLS parameters
> smtpd_tls_CAfile                        = /etc/pki/tls/certs/CA-mail.xxxx.ro.crt
> smtpd_tls_cert_file                     = /etc/pki/tls/certs/mail.xxxx.ro.crt
> smtpd_tls_key_file                      = /etc/pki/tls/certs/mail.xxxxxx.ro.key
> smtpd_use_tls                           = yes
> smtpd_tls_session_cache_database        = btree:${queue_directory}/smtpd_scache
>
> smtp_tls_CAfile                         = /etc/pki/tls/certs/CA-mail.xxxx.ro.crt
> smtp_tls_cert_file                      = /etc/pki/tls/certs/mail.xxxxx.ro.crt
> smtp_tls_key_file                       = /etc/pki/tls/certs/mail.xxxx.ro.key
> smtp_tls_session_cache_database         = btree:${queue_directory}/smtp_scache
> smtp_use_tls                            = yes
>
> smtpd_tls_received_header               = yes
> smtpd_tls_ask_ccert                     = yes
> smtpd_tls_loglevel                      = 1
> tls_random_source                       = dev:/dev/urandom
> # TLS end
>
>
>
>
>
> openssl s_client -connect mail.xxxx.ro:25 -starttls smtp
> CONNECTED(00000003)
> depth=0 /C=RO/ST=Bucuresti/L=Bucuresti/O=XXXXXX SA/OU=XXXXXX SA/CN=mail.xxxxx.ro/[email protected]
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 /C=RO/ST=Bucuresti/L=Bucuresti/O=XXXXXXXX SA/OU=XXXXXXX SA/CN=mail.XXXXXX.ro/[email protected]
> verify return:1
> ---
> Certificate chain
>  0 s:/C=RO/ST=Bucuresti/L=Bucuresti/O=xxxxxxxx SA/OU=xxxxxx SA/CN=mail.xxxxxxxx.ro/[email protected]
>    i:/C=RO/ST=Bucuresti/L=Bucuresti/O=xxxxxxxxxSA/OU=xxxxxxx SA/CN=mail.xxxxxxx.ro/[email protected]
> ---
> Server certificate
> subject=/C=RO/ST=Bucuresti/L=Bucuresti/O=xxxxxxx SA/OU=xxxxxxxxxxxx SA/CN=mail.xxxxxx.ro/[email protected]
> issuer=/C=RO/ST=Bucuresti/L=Bucuresti/O=xxxxxxxx SA/OU=xxxxx SA/CN=mail.xxxxx.ro/[email protected]
> ---
> Acceptable client certificate CA names
> /C=RO/ST=Bucuresti/L=Bucuresti/O=xxxxxxxx xxxxxxxx SA/OU=xxxxxxxxxxxx/CN=mail.xxxxxxxx.ro/[email protected]
> ---
> SSL handshake has read 2076 bytes and written 366 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DHE-RSA-AES256-SHA
>     Session-ID: 5956AC85B99C5858D845A2206D16FC5D797D7EEB5925E0F089EE580B9598C31F
>     Session-ID-ctx:
>     Master-Key: A5B4D9EA48B10874AF18DFC5531A6B3514B3845B40D51AE913A2B0D721493EEEC99DE85494996B133BFA4886E934F386
>     Key-Arg   : None
>     Krb5 Principal: None
>     Start Time: 1386247413
>     Timeout   : 300 (sec)
>     Verify return code: 18 (self signed certificate)
> ---
> 250 DSN
>
>
>
> telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.localdomain (127.0.0.1).
> Escape character is '^]'.
> 220 mail.xxxxx.ro ESMTP Postfix
> EHLO xxxxxxxxx.ro
> 250-mail.xxxxx.ro
> 250-PIPELINING
> 250-SIZE 10240000
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> STARTTLS
> 220 2.0.0 Ready to start TLS
>
>
>
>
> -----------------------------------------------------------
> Catalin Vasilescu
> _______________________________________________
> RLUG mailing list
> [email protected]
> http://lists.lug.ro/mailman/listinfo/rlug
>
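
Added example (not part of the original thread and not Postfix code): a small Python check that reads main.cf text the way Postfix does (a line starting with whitespace continues the previous parameter, a later definition replaces an earlier one) and reports the effective TLS level when only the obsolete smtp_use_tls / smtpd_use_tls are set, as in the configuration quoted above. The sample file and its paths are constructed; the obsolete smtp_enforce_tls family and the dane levels are not handled.

```python
# Constructed sample main.cf text (hypothetical paths), not the poster's file.
SAMPLE_MAIN_CF = """\
# TLS parameters
smtp_tls_CAfile =
    /etc/pki/tls/certs/CA-example.crt
smtp_use_tls = yes
smtpd_use_tls = yes
"""

# Whether the Postfix SMTP client checks the peer certificate at each level.
CLIENT_VERIFIES = {"none": False, "may": False, "encrypt": False,
                   "fingerprint": True, "verify": True, "secure": True}


def parse_main_cf(text):
    """Return {param: value}; whitespace-led lines continue the previous one."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank lines and comments are ignored
        if raw[0] in " \t":
            if name is not None:          # continuation of the last parameter
                params[name] = (params[name] + " " + raw.strip()).strip()
            continue
        name, _, value = raw.partition("=")
        name = name.strip()
        params[name] = value.strip()      # a later definition replaces an earlier one
    return params


def effective_level(params, side):
    """side is 'smtp' (client) or 'smtpd' (server)."""
    level = params.get(side + "_tls_security_level", "")
    if level:
        return level                      # non-empty level overrides *_use_tls
    if params.get(side + "_use_tls", "no").lower() == "yes":
        return "may"                      # obsolete spelling of opportunistic TLS
    return "none"


def report(text):
    """Summarise client/server TLS level and whether the client verifies peers."""
    params = parse_main_cf(text)
    client = effective_level(params, "smtp")
    return {"client_level": client,
            "server_level": effective_level(params, "smtpd"),
            "client_verifies_peer": CLIENT_VERIFIES.get(client)}
```

At the "may" level the client encrypts when the peer offers STARTTLS but does not validate the peer certificate, so smtp_tls_CAfile only matters once the level is raised to verify or secure.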