Yes, I read it. I didn't find the solution; I always end up in the same place. I also regenerated the certificates about 3 times, thinking the problem was there.
-----------------------------------------------------------
Catalin Vasilescu

________________________________
From: Petru Ratiu <[email protected]>
To: Catalin Vasilescu <[email protected]>; Romanian Linux Users Group <[email protected]>
Sent: Thursday, December 5, 2013 3:20 PM
Subject: Re: [rlug] verify error:num=18:self signed certificate TLS Postfix

http://www.postfix.org/postconf.5.html#smtp_tls_security_level have you read it?

On Thu, Dec 5, 2013 at 3:11 PM, Catalin Vasilescu <[email protected]> wrote:

>Hi,
>
>After searching and trying all sorts of solutions for the error below
>and ending up at the same point, I thought I'd turn once again to the knowledge
>of some more skilled Linux users, RLUG.
>I have a Postfix that serves as a mail gateway for Exchange (a subject discussed
>here a while ago), and I can't get its TLS to work with a self-signed
>certificate.
>
>/etc/postfix/main.cf:
># TLS parameters
>smtpd_tls_CAfile = /etc/pki/tls/certs/CA-mail.xxxx.ro.crt
>smtpd_tls_cert_file = /etc/pki/tls/certs/mail.xxxx.ro.crt
>smtpd_tls_key_file = /etc/pki/tls/certs/mail.xxxxxx.ro.key
>smtpd_use_tls = yes
>smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
>
>smtp_tls_CAfile = /etc/pki/tls/certs/CA-mail.xxxx.ro.crt
>smtp_tls_cert_file = /etc/pki/tls/certs/mail.xxxxx.ro.crt
>smtp_tls_key_file = /etc/pki/tls/certs/mail.xxxx.ro.key
>smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
>smtp_use_tls = yes
>
>smtpd_tls_received_header = yes
>smtpd_tls_ask_ccert = yes
>smtpd_tls_loglevel = 1
>tls_random_source = dev:/dev/urandom
># TLS end
>
>
>openssl s_client -connect mail.xxxx.ro:25 -starttls smtp
>CONNECTED(00000003)
>depth=0 /C=RO/ST=Bucuresti/L=Bucuresti/O=XXXXXX SA/OU=XXXXXX SA/CN=mail.xxxxx.ro/[email protected]
>verify error:num=18:self signed certificate
>verify return:1
>depth=0 /C=RO/ST=Bucuresti/L=Bucuresti/O=XXXXXXXX SA/OU=XXXXXXX SA/CN=mail.XXXXXX.ro/[email protected]
>verify return:1
>---
>Certificate chain
> 0 s:/C=RO/ST=Bucuresti/L=Bucuresti/O=xxxxxxxx SA/OU=xxxxxx SA/CN=mail.xxxxxxxx.ro/[email protected]
>   i:/C=RO/ST=Bucuresti/L=Bucuresti/O=xxxxxxxxxSA/OU=xxxxxxx SA/CN=mail.xxxxxxx.ro/[email protected]
>---
>Server certificate
>subject=/C=RO/ST=Bucuresti/L=Bucuresti/O=xxxxxxx SA/OU=xxxxxxxxxxxx SA/CN=mail.xxxxxx.ro/[email protected]
>issuer=/C=RO/ST=Bucuresti/L=Bucuresti/O=xxxxxxxx SA/OU=xxxxx SA/CN=mail.xxxxx.ro/[email protected]
>---
>Acceptable client certificate CA names
>/C=RO/ST=Bucuresti/L=Bucuresti/O=xxxxxxxx xxxxxxxx SA/OU=xxxxxxxxxxxx/CN=mail.xxxxxxxx.ro/[email protected]
>---
>SSL handshake has read 2076 bytes and written 366 bytes
>---
>New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>Server public key is 2048 bit
>Secure Renegotiation IS supported
>Compression: NONE
>Expansion: NONE
>SSL-Session:
>    Protocol  : TLSv1
>    Cipher    : DHE-RSA-AES256-SHA
>    Session-ID: 5956AC85B99C5858D845A2206D16FC5D797D7EEB5925E0F089EE580B9598C31F
>    Session-ID-ctx:
>    Master-Key: A5B4D9EA48B10874AF18DFC5531A6B3514B3845B40D51AE913A2B0D721493EEEC99DE85494996B133BFA4886E934F386
>    Key-Arg   : None
>    Krb5 Principal: None
>    Start Time: 1386247413
>    Timeout   : 300 (sec)
>    Verify return code: 18 (self signed certificate)
>---
>250 DSN
>
>
>telnet localhost 25
>Trying 127.0.0.1...
>Connected to localhost.localdomain (127.0.0.1).
>Escape character is '^]'.
>220 mail.xxxxx.ro ESMTP Postfix
>EHLO xxxxxxxxx.ro
>250-mail.xxxxx.ro
>250-PIPELINING
>250-SIZE 10240000
>250-VRFY
>250-ETRN
>250-STARTTLS
>250-ENHANCEDSTATUSCODES
>250-8BITMIME
>250 DSN
>STARTTLS
>220 2.0.0 Ready to start TLS
>
>
>-----------------------------------------------------------
>Catalin Vasilescu
>_______________________________________________
>RLUG mailing list
>[email protected]
>http://lists.lug.ro/mailman/listinfo/rlug
