Re: Server certificate not verified

2017-04-17 Thread James B. Byrne

On Mon, April 17, 2017 11:30, Viktor Dukhovni wrote:
>

Thank you for bringing this to my attention.

>
> Your host has DANE TLSA records, but lacks a matching certificate.

I am mystified as to what I have done wrong in this respect.  The
certificate in question has this value as its common name:

Subject: CN=inet18.mississauga.harte-lyne.ca

The DNS entries match as far as I can see:

;; ANSWER SECTION:
inet18.mississauga.harte-lyne.ca. 102897 IN A   209.47.176.18

;; ANSWER SECTION:
18.176.47.209.in-addr.arpa. 140860 IN PTR inet18.mississauga.harte-lyne.ca.

And yet as you write, the TLSA verification chain fails:

TLSA records found: 3
TLSA: 2 1 2
380259229e21a1946b38cfc594cbc993b61bc93762b7b6c6637b3eef9c5a2bb70c589b91beb73bd1304eac11b3917e33819e2b47d25d4966435a2a3e83c1f80f
TLSA: 2 0 2
67274b355428905895c6b581950e0ed4f7d043f31f7e7020b716b7faa06776b6aadd33e127624b6e8c75c520a01d9cad3bd29f18fa7dcb3d5fd3917510e6722a
TLSA: 2 1 2
c26e0ec16a46a97386e8f31f8ecc971f2d73136aa377dfdaac2b2b00f7cab4bb29b17d913c82093b41fd0d9e40b66a68361c126f1f4017f9ce60eabc5adba90e

Connecting to IPv4 address: 209.47.176.18 port 25
recv: 220 inet18.mississauga.harte-lyne.ca ESMTP Postfix
send: EHLO cheetara.huque.com
recv: 250-inet18.mississauga.harte-lyne.ca
recv: 250-PIPELINING
recv: 250-SIZE 2048
recv: 250-ETRN
recv: 250-STARTTLS
recv: 250-ENHANCEDSTATUSCODES
recv: 250-8BITMIME
recv: 250-DSN
recv: 250 SMTPUTF8
send: STARTTLS
recv: 220 2.0.0 Ready to start TLS
TLSv1.2 handshake succeeded.
Cipher: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Peer Certificate chain:
 0 Subject CN: inet18.mississauga.harte-lyne.ca
   Issuer  CN: CA_HLL_ISSUER_2016
 1 Subject CN: CA_HLL_ISSUER_2016
   Issuer  CN: CA_HLL_ROOT_2016
 2 Subject CN: CA_HLL_ROOT_2016
   Issuer  CN: CA_HLL_ROOT_2016
 SAN dNSName: inet18.mississauga.harte-lyne.ca
 SAN dNSName: inet18
 SAN dNSName: inet18.hamilton
 SAN dNSName: inet18.hamilton.harte-lyne.ca
 SAN dNSName: inet18.mississagua
 SAN dNSName: inet18.mississagua.harte-lyne.ca
Error: peer authentication failed. rc=62 (Hostname mismatch)

[2] Authentication failed for all (1) peers.

What may be an obvious error to others I cannot see myself.  What is
wrong with the certificate?  Is one no longer permitted to have
SubjectAlternativeNames?

>
> It looks like you're trying to arrive at a working configuration
> without thinking about the key questions:
>
>   * What domains do you accept mail for?
These are listed in the relay_domains map.

>   * Where is mail delivered?
At our main IMAP service which is not directly accessible to this
particular host.  This host is a backup MX and should forward mail to
the primary MX host when that becomes available.

>   * What domain should appear in headers and envelopes of
>   locally generated mail?
The FQDN of this host is required as any originating mail is internal
mail.  This I believe is the default.

>   * What notices should be sent to the postmaster (often
> "none" is the right answer, provided logs, queues, ...
>   are monitored).
>
>> However, the source of this problem appears to me to be an invalid
>> sender
>
> No, the source is postmaster notices (possibly unwanted) that
> loop back to the local machine, and fail DANE authentication.
>


-- 
***  e-Mail is NOT a SECURE channel  ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
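The transcript above lists three TLSA records whose leading fields are "2 1 2" and "2 0 2": certificate usage 2 (DANE-TA, the record names a trust anchor in the chain), selector 1 (SubjectPublicKeyInfo) or 0 (the whole certificate), and matching type 2 (SHA-512 of that selection). The Go program below is an added example, not code from this thread or from Postfix, that shows how such record data is derived from a certificate chain and how a verifier checks it; in particular it shows that a usage-2 record only succeeds when the leaf also carries the name the client expects, the check the transcript reports as "Hostname mismatch", whereas a usage-3 (DANE-EE) record skips the name check. Every name and key in it is constructed (the ROOT/ISSUER/mx.example.test chain and throwaway Ed25519 keys); path validation from the leaf up to the matched issuer is left out to keep it short.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	_ "crypto/sha256" // registers crypto.SHA256 for crypto.Hash.New
	_ "crypto/sha512" // registers crypto.SHA512
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// TLSA holds the RDATA of one DNS TLSA record as dig prints it.
type TLSA struct {
	Usage, Selector, MatchingType uint8
	Data                          string // hex digest, like the 128-char SHA-512 values above
}

// assocData returns the hex form of what a record's Data is compared against: selector
// 0 = whole DER certificate, 1 = its SubjectPublicKeyInfo; matching type 1 = SHA-256,
// 2 = SHA-512. So "2 1 2" means "SHA-512 over an issuer's public key".
func assocData(c *x509.Certificate, selector, mtype uint8) string {
	sel := map[uint8][]byte{0: c.Raw, 1: c.RawSubjectPublicKeyInfo}[selector]
	h := map[uint8]crypto.Hash{1: crypto.SHA256, 2: crypto.SHA512}[mtype]
	if sel == nil || h == 0 {
		return "" // unusable record: a verifier logs it and moves on
	}
	hf := h.New()
	hf.Write(sel)
	return hex.EncodeToString(hf.Sum(nil))
}

// matchTLSA reports whether a chain (leaf first, as the server sent it) satisfies one
// record for the expected host name. Usage 3 (DANE-EE) matches the leaf alone, name
// unchecked; usage 2 (DANE-TA) must match an issuer AND the leaf must carry the name.
func matchTLSA(chain []*x509.Certificate, rec TLSA, host string) bool {
	candidates := chain[:1] // DANE-EE: leaf only
	if rec.Usage == 2 {
		if chain[0].VerifyHostname(host) != nil {
			return false // the "Hostname mismatch" case from the transcript
		}
		candidates = chain[1:] // DANE-TA: issuers only
	} else if rec.Usage != 3 {
		return false // PKIX-TA(0)/PKIX-EE(1) are not used for SMTP
	}
	for _, c := range candidates {
		if got := assocData(c, rec.Selector, rec.MatchingType); got != "" && got == strings.ToLower(rec.Data) {
			return true
		}
	}
	return false
}

// newCert issues a throwaway Ed25519 certificate; with parent == nil it is self-signed,
// standing in for an in-house root such as CA_HLL_ROOT_2016 in the transcript.
func newCert(cn string, names []string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: names,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Demo builds root -> issuer -> leaf (constructed names), publishes "2 1 2" for the
// issuer and "3 1 1" for the leaf, and reports which checks pass.
func Demo() (taOK, taWrongName, taFromLeaf, eeOK bool) {
	root, rootKey := newCert("ROOT", nil, true, nil, nil)
	issuer, issKey := newCert("ISSUER", nil, true, root, rootKey)
	leaf, _ := newCert("mx.example.test", []string{"mx.example.test"}, false, issuer, issKey)
	chain := []*x509.Certificate{leaf, issuer, root}
	ta := TLSA{2, 1, 2, assocData(issuer, 1, 2)}
	wrongTA := TLSA{2, 1, 2, assocData(leaf, 1, 2)} // usage 2 published for the leaf's key
	ee := TLSA{3, 1, 1, assocData(leaf, 1, 1)}
	return matchTLSA(chain, ta, "mx.example.test"),
		matchTLSA(chain, ta, "backup-mx.example.test"), // name absent from the leaf's SANs
		matchTLSA(chain, wrongTA, "mx.example.test"),   // no issuer has that key
		matchTLSA(chain, ee, "whatever.example.test")   // DANE-EE ignores the name
}

func main() {
	a, b, c, d := Demo()
	fmt.Println("DANE-TA ok:", a, "| wrong name:", b, "| record from leaf:", c, "| DANE-EE ok:", d)
}
```

Two points of the check relate directly to the thread. The forward and reverse DNS agreement shown in the dig output plays no part in DANE: what is compared is the record data against the chain and, for usage 2, the name the client looked up against the leaf's SANs. And a record whose selector, matching type or usage the client cannot evaluate (including the PKIX usages 0 and 1, which RFC 7672 treats as unusable for SMTP) never matches, so a published record that was generated from the wrong certificate or with the wrong parameters fails just as silently as a missing one; regenerating the record from the actual issuer certificate and comparing the two hex strings, as assocData does, is the quickest way to tell the cases apart.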



Re: Server certificate not verified

2017-04-17 Thread Viktor Dukhovni

> On Apr 17, 2017, at 10:14 AM, James B. Byrne <byrn...@harte-lyne.ca> wrote:
> 
> We are in the process of configuring a replacement MX off-site server.
> The last time I did this was in 2008/09 and so I am a little rusty.

See:

   http://www.postfix.org/BASIC_CONFIGURATION_README.html#myorigin
   http://www.postfix.org/BASIC_CONFIGURATION_README.html#mydestination
   http://www.postfix.org/BASIC_CONFIGURATION_README.html#relay_to
   http://www.postfix.org/BASIC_CONFIGURATION_README.html#notify
   http://www.postfix.org/BASIC_CONFIGURATION_README.html#syslog_howto

> At the moment I see this in my mailq on that host:
> 
>> 9EDCE3BBB5 1129 Mon Apr 17 12:32:13
>> double-bou...@inet18.mississauga.harte-lyne.ca
>> 
>>(Server certificate not verified)
>> 
>> postmas...@inet18.mississauga.harte-lyne.ca

This is useless and distracting.  Post relevant log entries.

You've cleared mydestination and not set myorigin to a sensible
value, so locally originated mail loops.  Your host has DANE
TLSA records, but lacks a matching certificate.

It looks like you're trying to arrive at a working configuration
without thinking about the key questions:

* What domains do you accept mail for?
* Where is mail delivered?
* What domain should appear in headers and envelopes of
  locally generated mail?
* What notices should be sent to the postmaster (often
  "none" is the right answer, provided logs, queues, ...
  are monitored).

> However, the source of this problem appears to me to be an invalid
> sender

No, the source is postmaster notices (possibly unwanted) that
loop back to the local machine, and fail DANE authentication.

-- 
Viktor.


Server certificate not verified

2017-04-17 Thread James B. Byrne
We are in the process of configuring a replacement MX off-site server.
The last time I did this was in 2008/09 and so I am a little rusty.
At the moment I see this in my mailq on that host:


> 9EDCE3BBB5 1129 Mon Apr 17 12:32:13
> double-bou...@inet18.mississauga.harte-lyne.ca
>
> (Server certificate not verified)
>
> postmas...@inet18.mississauga.harte-lyne.ca


However, the source of this problem appears to me to be an invalid
sender so I am wondering just what that error message is telling me
and whether or not it is within my scope to correct whatever is
causing it.  A simple explanation of what is happening would be
gratefully accepted.

We run our own private CA and our MX hosts use our in-house
certificates, which may, or may not, have some bearing on the matter.

The message contained in 9EDCE3BBB5 says this:

From     mailer-dae...@inet18.mississauga.harte-lyne.ca (Mail Delivery System)
To       postmas...@inet18.mississauga.harte-lyne.ca (Postmaster)
Date     Mon, 17 Apr 2017 08:32:13 -0400 (EDT)
Subject  Postfix SMTP server: errors from unknown[130.193.194.106]

Transcript of session follows.

 Out: 220 inet18.mississauga.harte-lyne.ca ESMTP Postfix
 In:  EHLO [130.193.194.106]
 Out: 250-inet18.mississauga.harte-lyne.ca
 Out: 250-PIPELINING
 Out: 250-SIZE 2048
 Out: 250-ETRN
 Out: 250-STARTTLS
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250-DSN
 Out: 250 SMTPUTF8
 In:  MAIL FROM:<schneider7...@aokmataekwondo.com>
 Out: 250 2.1.0 Ok
 In:  RCPT TO:<postmas...@harte-lyne.ca>
 Out: 250 2.1.5 Ok
 In:  DATA
 Out: 354 End data with <CR><LF>.<CR><LF>
 Out: 451 4.3.0 Error: queue file write error
 In:  QUIT
 Out: 221 2.0.0 Bye


For other details, see the local mail logfile


These are the current configuration settings.

# postconf -nf
alias_database = /etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
compatibility_level = 2
content_filter = smtp-amavis:[127.0.18.1]:10024
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
    $daemon_directory/$process_name $process_id & sleep 5
delay_warning_time = 15m
disable_vrfy_command = yes
header_checks = regexp:$config_directory/header_checks.regexp
html_directory = /usr/local/share/doc/postfix
ignore_mx_lookup_error = no
inet_interfaces = localhost, 192.168.209.18, 209.47.176.18
inet_protocols = all
local_transport = smtp
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 2048
meta_directory = /usr/local/libexec/postfix
milter_default_action = accept
milter_protocol = 2
mydestination =
mynetworks = 216.185.71.0/26, 216.185.71.64/27, 209.47.176.0/26,
    192.168.216.0/24, 192.168.209.0/24, 192.168.8.0/24, 192.168.7.0/24,
    192.168.6.0/24, 127.0.0.0/8
newaliases_path = /usr/local/bin/newaliases
non_smtpd_milters = $smtpd_milters
policyd-spf_time_limit = 3600
queue_directory = /var/spool/postfix
queue_minfree = 4096
rbl_reply_maps = hash:/usr/local/etc/postfix/rbl_reply
readme_directory = /usr/local/share/doc/postfix
recipient_delimiter = +
relay_clientcerts = hash:/usr/local/etc/postfix/relay_clientcerts
relay_domains = hash:/usr/local/etc/postfix/relay_domains
sample_directory = /usr/local/etc/postfix
sender_canonical_maps = hash:/usr/local/etc/postfix/canonical
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
shlib_directory = /usr/local/lib/postfix
smtp_dns_support_level = dnssec
smtp_host_lookup = dns
smtp_tls_CAfile = /usr/local/etc/pki/tls/certs/ca-bundle.crt
smtp_tls_cert_file = /usr/local/etc/pki/tls/certs/ca.harte-lyne.smtp.crt
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = MD5, aDSS, SRP, PSK, aECDH, aDH, SEED,
    IDEA, RC2, RC5
smtp_tls_key_file = /usr/local/etc/pki/tls/private/ca.harte-lyne.smtp.key
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:/var/db/postfix/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtpd_client_restrictions = permit
smtpd_data_restrictions = permit_mynetworks, reject_multi_recipient_bounce,
    reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
    check_helo_access pcre:/usr/local/etc/postfix/helo_checks.pcre,
    reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname, permit
smtpd_milters = inet:127.0.18.1:8891
smtpd_proxy_timeout = 300s
smtpd_recipient_restrictions = reject_non_fqdn_recipient
    reject_unknown_recipient_domain permit_mynetworks permit_sasl_authenticated
    reject_unauth_destination reject_unauth_pipelining
    check_policy_service inet:10023
    check_policy_service unix:private/policyd-spf permit
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sender_restrictions = permit_mynetworks, check_

delivery temporarily suspended: Server certificate not verified

2009-04-16 Thread gabriele
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi list !
I have only one peer as nexthop in my transport table; this is my
configuration for postfix smtp:

 # SMTP  TLS
 smtp_use_tls=yes
 smtp_tls_loglevel = 1
 smtp_tls_enforce_peername = no
 smtp_tls_CAfile = /etc/postfix/ssl/CA.pem
 smtp_tls_cert_file=/etc/postfix/ssl/cert.pem
 smtp_tls_key_file=/etc/postfix/ssl/key.pem
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 smtp_tls_enforce_peername = no
 smtp_tls_mandatory_ciphers = high
 smtp_tls_mandatory_protocols = SSLv3, TLSv1
 smtp_tls_secure_cert_match = nexthop
 smtp_tls_security_level = fingerprint
 smtp_tls_fingerprint_digest = sha1
 smtp_tls_fingerprint_cert_match =
     D4:A8:07:24:0C:26:B6:D7:9D:AA:CC:CA:77:BA:3A:27:AE:0C:B5:35
 smtp_tls_scert_verifydepth = 1
 smtp_tls_note_starttls_offer = yes
 smtp_sasl_auth_enable = yes
 smtp_sasl_mechanism_filter = plain, login
 smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
 smtp_sasl_security_options =

... and I still can't get a verified TLS connection with my relayhost.
My CA.pem (smtp_tls_CAfile = /etc/postfix/ssl/CA.pem) has both my
self-signed main CA certificate and my nexthop CA in it. Should I
include the whole CA certificates directory in postfix main.cf? How can I
have a verified TLS connection with my relayhost?

Thanks!

Gab

- --
pub   1024D/5C5BE409 2009-04-09
  Key fingerprint = 2BDE 5361 39EA 3E75 9EE8  6724 CE20 F80F 5C5B E409
uid  Gabriele (Gab at Riseup.Net) gabri...@riseup.net
uid  [jpeg image of size 1965]
sub   4096g/078F3AAD 2009-04-09

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEAREKAAYFAknnd5UACgkQpCYscrzyfkLPRACePYHRvQHI78whe5DykFbtekvf
XiQAn1sJza4u0ZXjSgS7Mh6YkdlAKMps
=Gf5o
-----END PGP SIGNATURE-----


Re: delivery temporarily suspended: Server certificate not verified

2009-04-16 Thread Sahil Tandon
On Thu, 16 Apr 2009, gabriele wrote:

> I have only one peer as nexthop in my transport table; this is my
> configuration for postfix smtp:

No; show output of 'postconf -n'.

[...]

> ... and I still can't get a verified TLS connection with my relayhost.
> My CA.pem (smtp_tls_CAfile = /etc/postfix/ssl/CA.pem) has both my
> self-signed main CA certificate and my nexthop CA in it. Should I
> include the whole CA certificates directory in postfix main.cf? How can I
> have a verified TLS connection with my relayhost?

Show logs that explain what is failing.

-- 
Sahil Tandon sa...@tandon.net