Solved. I used a Class 1 SSL cert from startssl.com. The problem was broader, because I also have a CISCO PIX Mailguard that was blocking STARTTLS.
Thanks for the help.
-----------------------------------------------------------
Catalin Vasilescu
________________________________
From: Petru Ratiu <[email protected]>
To: Catalin Vasilescu <[email protected]>
Cc: Romanian Linux Users Group <[email protected]>
Sent: Thursday, December 5, 2013 3:45 PM
Subject: Re: [rlug] verify error:num=18:self signed certificate TLS Postfix

What I meant to say: did you explicitly set smtp_tls_security_level=fingerprint? Any higher level will try to validate your certificate chain. Of course, you probably want that only on the transport to the Exchange server. IMO, it's healthier to issue the certificate from an internal CA that you publish on the servers; if you insist on using self-signed, I think you have to publish them all as root certs, and I'm not sure you can convince every SSL client to accept that directly.

-- 
P.

On Thu, Dec 5, 2013 at 3:39 PM, Catalin Vasilescu <[email protected]> wrote:
> Yes, I read it. I didn't find the fix; I always end up in the same place. I also regenerated the certificates about 3 times, thinking the problem was there.
>
> -----------------------------------------------------------
> Catalin Vasilescu
> ________________________________
> From: Petru Ratiu <[email protected]>
> To: Catalin Vasilescu <[email protected]>; Romanian Linux Users Group <[email protected]>
> Sent: Thursday, December 5, 2013 3:20 PM
> Subject: Re: [rlug] verify error:num=18:self signed certificate TLS Postfix
>
> Have you read this? http://www.postfix.org/postconf.5.html#smtp_tls_security_level
>
> On Thu, Dec 5, 2013 at 3:11 PM, Catalin Vasilescu <[email protected]> wrote:
>> Hi,
>>
>> After searching and trying all kinds of solutions for the error below and ending up at the same point, I thought I'd turn once more to the knowledge of some more skilled Linux people, RLUG.
>> I have a Postfix that serves as a mail gateway for Exchange (a subject discussed here a while ago); I can't get its TLS to work with a self-signed certificate.
>>
>> /etc/postfix/main.cf:
>> # TLS parameters
>> smtpd_tls_CAfile = /etc/pki/tls/certs/CA-mail.xxxx.ro.crt
>> smtpd_tls_cert_file = /etc/pki/tls/certs/mail.xxxx.ro.crt
>> smtpd_tls_key_file = /etc/pki/tls/certs/mail.xxxxxx.ro.key
>> smtpd_use_tls = yes
>> smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
>>
>> smtp_tls_CAfile = /etc/pki/tls/certs/CA-mail.xxxx.ro.crt
>> smtp_tls_cert_file = /etc/pki/tls/certs/mail.xxxxx.ro.crt
>> smtp_tls_key_file = /etc/pki/tls/certs/mail.xxxx.ro.key
>> smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
>> smtp_use_tls = yes
>>
>> smtpd_tls_received_header = yes
>> smtpd_tls_ask_ccert = yes
>> smtpd_tls_loglevel = 1
>> tls_random_source = dev:/dev/urandom
>> # TLS end
>>
>> openssl s_client -connect mail.xxxx.ro:25 -starttls smtp
>> CONNECTED(00000003)
>> depth=0 /C=RO/ST=Bucuresti/L=Bucuresti/O=XXXXXX SA/OU=XXXXXX SA/CN=mail.xxxxx.ro/[email protected]
>> verify error:num=18:self signed certificate
>> verify return:1
>> depth=0 /C=RO/ST=Bucuresti/L=Bucuresti/O=XXXXXXXX SA/OU=XXXXXXX SA/CN=mail.XXXXXX.ro/[email protected]
>> verify return:1
>> ---
>> Certificate chain
>>  0 s:/C=RO/ST=Bucuresti/L=Bucuresti/O=xxxxxxxx SA/OU=xxxxxx SA/CN=mail.xxxxxxxx.ro/[email protected]
>>    i:/C=RO/ST=Bucuresti/L=Bucuresti/O=xxxxxxxxxSA/OU=xxxxxxx SA/CN=mail.xxxxxxx.ro/[email protected]
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> MIIDzDCCArQCAQEwDQYJKoZIhvcNAQEFBQAwgasxCzAJBgNVBAYTAlJPMRIwEAYD
>> VQQIEwlCdWN1cmVzdGkxEjAQBgNVBAcTCUJ1Y3VyZXN0aTEUMBIGA1UEChMLR3Jv
>> dXBhbWEgU0ExFDASBgNVBAsTC0dyb3VwYW1hIFNBMRowGAYDVQQDExFtYWlsMi5n
>> cm91cGFtYS5ybzEsMCoGCSqGSIb3DQEJARYdY2F0YWxpbi52YXNpbGVzY3VAZ3Jv
>> dXBhbWEucm8wHhcNMTMxMjA1MDczMjE0WhcNMTQxMjA1MDczMjE0WjCBqzELMAkG
>> A1UEBhMCUk8xEjAQBgNVBAgTCUJ1Y3VyZXN0aTESMBAGA1UEBxMJQnVjdXJlc3Rp
>> MRQwEgYDVQQKEwtHcm91cGFtYSBTQTEUMBIGA1UECxMLR3JvdXBhbWEgU0ExGjAY
>> BgNVBAMTEW1haWwyLmxxxxxxxxxxxxxtestxxxxxxxxxxxxxxkiG9w0BAQUFAAOCAQEA
>> iNqH+zGcmOmdMRmbvUltcAkxHGGqy6xovCLL+LpDFrGc43xA4dLRPMX0aKYIMUjK8C
>> HQWTo7+hIjpZayud5JNQ1WWXjZ9Xe0OBNMwE+9dVLm5S1hJNIw3L0G+BbOiJGyli
>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxasadfxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>
>> /N215N+fl9VMXrpieblypUpwmq8mk7bSuFayPHXkb4jS2hh/2qFHG70g48TSkCJK
>> KYYQ5o/S0NvoUJdCgEHO2bN3UoI1NCgupAMq3+xZmGuOarm0qN0Rxtp/tD23+IgS
>> Nnpq6Ibp/Gq1VNM+Y90zL+TM9Nyfu0SNE+q7fIhN+Y6ip3dmlm92aKDkuiGYcX56
>> ZSBR8WkE7uIaysKLdZ74Gg==
>> -----END CERTIFICATE-----
>> subject=/C=RO/ST=Bucuresti/L=Bucuresti/O=xxxxxxx SA/OU=xxxxxxxxxxxx SA/CN=mail.xxxxxx.ro/[email protected]
>> issuer=/C=RO/ST=Bucuresti/L=Bucuresti/O=xxxxxxxx SA/OU=xxxxx SA/CN=mail.xxxxx.ro/[email protected]
>> ---
>> Acceptable client certificate CA names
>> /C=RO/ST=Bucuresti/L=Bucuresti/O=xxxxxxxx xxxxxxxx SA/OU=xxxxxxxxxxxx/CN=mail.xxxxxxxx.ro/[email protected]
>> ---
>> SSL handshake has read 2076 bytes and written 366 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>> Server public key is 2048 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : TLSv1
>>     Cipher    : DHE-RSA-AES256-SHA
>>     Session-ID: 5956AC85B99C5858D845A2206D16FC5D797D7EEB5925E0F089EE580B9598C31F
>>     Session-ID-ctx:
>>     Master-Key: A5B4D9EA48B10874AF18DFC5531A6B3514B3845B40D51AE913A2B0D721493EEEC99DE85494996B133BFA4886E934F386
>>     Key-Arg   : None
>>     Krb5 Principal: None
>>     Start Time: 1386247413
>>     Timeout   : 300 (sec)
>>     Verify return code: 18 (self signed certificate)
>> ---
>> 250 DSN
>>
>> telnet localhost 25
>> Trying 127.0.0.1...
>> Connected to localhost.localdomain (127.0.0.1).
>> Escape character is '^]'.
>> 220 mail.xxxxx.ro ESMTP Postfix
>> EHLO xxxxxxxxx.ro
>> 250-mail.xxxxx.ro
>> 250-PIPELINING
>> 250-SIZE 10240000
>> 250-VRFY
>> 250-ETRN
>> 250-STARTTLS
>> 250-ENHANCEDSTATUSCODES
>> 250-8BITMIME
>> 250 DSN
>> STARTTLS
>> 220 2.0.0 Ready to start TLS
>>
>> -----------------------------------------------------------
>> Catalin Vasilescu
>> _______________________________________________
>> RLUG mailing list
>> [email protected]
>> http://lists.lug.ro/mailman/listinfo/rlug
>>
>
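The thread comes down to two things: reading the openssl s_client verdict correctly (return code 18 means the leaf certificate is its own issuer, which is exactly what the "Certificate chain" block above shows), and then picking a Postfix smtp_tls_security_level that matches what the peer presents, which is Petru's point about fingerprint versus the chain-validating levels. The following Python triage script is an added example for this page, not code posted by either participant. It parses an `openssl s_client -starttls smtp` transcript, names the failure mode (trusted chain, self-signed leaf, untrusted chain, or no handshake at all), checks whether the EHLO reply even advertises STARTTLS (the symptom the original poster later attributed to the PIX Mailguard), and emits the smtp_tls_policy_maps entry that fits, pinning a self-signed peer with `fingerprint match=` in the colon-separated digest form Postfix expects. The transcript and EHLO reply are constructed to mirror the shape of the output in the original mail, with the redacted hostnames replaced by example.invalid; the bytes hashed in the demo stand in for a real DER certificate.

```python
"""Triage an `openssl s_client -starttls smtp` transcript and derive the
matching Postfix TLS policy. Added example for this thread; not code posted
by either participant. Sample transcript and EHLO reply are constructed.
"""
import hashlib
import re

# OpenSSL X509_V_ERR_* codes as they appear in "Verify return code: N (...)".
X509_VERIFY_CODES = {
    0: "ok",
    10: "certificate has expired",
    18: "self signed certificate",                     # leaf is its own issuer
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}

# Constructed sample in the shape of the s_client output from the mail (hosts replaced).
SAMPLE_SELF_SIGNED = """\
CONNECTED(00000003)
depth=0 /C=RO/ST=Bucuresti/L=Bucuresti/O=Example SA/OU=Example SA/CN=mail.example.invalid
verify error:num=18:self signed certificate
verify return:1
---
Certificate chain
 0 s:/C=RO/ST=Bucuresti/L=Bucuresti/O=Example SA/OU=Example SA/CN=mail.example.invalid
   i:/C=RO/ST=Bucuresti/L=Bucuresti/O=Example SA/OU=Example SA/CN=mail.example.invalid
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Verify return code: 18 (self signed certificate)
---
250 DSN
"""

# Constructed EHLO reply in the shape of the telnet session from the mail.
SAMPLE_EHLO = "250-mail.example.invalid\n250-PIPELINING\n250-SIZE 10240000\n250-STARTTLS\n250 DSN\n"

_CHAIN_RE = re.compile(r"^\s*(\d+) s:(.*)$")
_ISSUER_RE = re.compile(r"^\s*i:(.*)$")
_CODE_RE = re.compile(r"Verify return code:\s*(\d+)")
_CIPHER_RE = re.compile(r"^New, .*Cipher is (\S+)")


def parse_s_client(transcript):
    """Extract the certificate chain, verify code and cipher from s_client output."""
    chain = []
    result = {"chain": chain, "verify_code": None, "cipher": None}
    for line in transcript.splitlines():
        m = _CHAIN_RE.match(line)
        if m:
            chain.append({"depth": int(m.group(1)), "subject": m.group(2).strip(), "issuer": None})
            continue
        m = _ISSUER_RE.match(line)
        if m and chain:
            chain[-1]["issuer"] = m.group(1).strip()
            continue
        m = _CODE_RE.search(line)
        if m:
            result["verify_code"] = int(m.group(1))
        m = _CIPHER_RE.match(line)
        if m:
            result["cipher"] = m.group(1)
    return result


def classify(parsed):
    """Name the failure mode: trusted, self-signed-leaf, untrusted-chain or no-handshake."""
    if not parsed["chain"]:
        return "no-handshake"        # TLS never started: STARTTLS filtered or refused
    leaf = parsed["chain"][0]
    if parsed["verify_code"] == 0:
        return "trusted"
    if parsed["verify_code"] == 18 or (len(parsed["chain"]) == 1 and leaf["subject"] == leaf["issuer"]):
        return "self-signed-leaf"
    return "untrusted-chain"         # codes 19/20/21: a CA exists but is not in smtp_tls_CAfile


def starttls_advertised(ehlo_reply):
    """True if the EHLO reply lists STARTTLS; an inspecting middlebox can strip it."""
    return any(re.match(r"^250[- ]STARTTLS\s*$", l) for l in ehlo_reply.splitlines())


def postfix_fingerprint(der_bytes, digest="sha256"):
    """Certificate digest in the AA:BB:... form Postfix takes in `fingerprint match=`.
    `digest` must agree with smtp_tls_fingerprint_digest in main.cf."""
    hexdigest = hashlib.new(digest, der_bytes).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def policy_entry(nexthop, verdict, fingerprint=None):
    """Return (smtp_tls_policy_maps line, operator note) for one next-hop."""
    if verdict == "trusted":
        return f"{nexthop} verify", "chain validates against smtp_tls_CAfile"
    if verdict == "self-signed-leaf":
        if fingerprint is None:
            raise ValueError("fingerprint level needs the peer certificate digest")
        # fingerprint pins the certificate itself; CA, name and expiry checks are skipped
        return f"{nexthop} fingerprint match={fingerprint}", "re-pin whenever the peer cert is reissued"
    if verdict == "untrusted-chain":
        return f"{nexthop} verify", "add the peer's issuing CA to smtp_tls_CAfile first, or pin with fingerprint"
    return f"{nexthop} may", "STARTTLS does not complete; fix the path before enforcing TLS"


if __name__ == "__main__":
    parsed = parse_s_client(SAMPLE_SELF_SIGNED)
    verdict = classify(parsed)
    print(verdict, X509_VERIFY_CODES.get(parsed["verify_code"]), parsed["cipher"])
    print("STARTTLS advertised:", starttls_advertised(SAMPLE_EHLO))
    fp = postfix_fingerprint(b"stand-in for the peer's DER certificate")  # constructed, not a real cert
    print(*policy_entry("[mail.example.invalid]:25", verdict, fp))
```

On a real system the digest comes from the peer's certificate, e.g. `openssl x509 -in peer.pem -noout -fingerprint -sha256`, and the algorithm has to match `smtp_tls_fingerprint_digest` in main.cf (md5 by default in older Postfix releases, sha256 in current ones). Because the fingerprint level skips CA, name and expiry checks, the pin has to be updated whenever the Exchange side reissues its certificate; the internal-CA route Petru describes avoids that by letting `verify` do the chain check against the CA in `smtp_tls_CAfile`.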
