
Re: error using certificate server

  • deconya
    Message 1 of 10, Feb 11, 2013
      Hi

      Thanks for your answers

      I still have the problem and I don't know where else I can check. Right
      now the situation is:

      -Sent mails are deferred

      -The logs show:

      Feb 12 01:20:50 mailserver postfix/smtpd[16653]: warning:
      smtpd_tls_security_level: unsupported TLS level "verify", using "encrypt"
      Feb 12 01:20:50 mailserver postfix/smtpd[16653]: initializing the
      server-side TLS engine
      Feb 12 01:20:50 mailserver postfix/tlsmgr[16655]: open smtpd TLS cache
      btree:/var/lib/postfix/smtpd_scache
      Feb 12 01:20:50 mailserver postfix/tlsmgr[16655]:
      tlsmgr_cache_run_event: start TLS smtpd session cache cleanup
      Feb 12 01:20:50 mailserver postfix/smtpd[16653]: connect from
      unknown[194.183.97.58]
      Feb 12 01:20:51 mailserver postfix/smtpd[16653]: setting up TLS
      connection from unknown[194.183.97.58]
      Feb 12 01:20:51 mailserver postfix/smtpd[16653]: unknown[194.183.97.58]:
      TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
      Feb 12 01:20:51 mailserver postfix/smtpd[16653]:
      SSL_accept:before/accept initialization
      Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:SSLv3 read
      client hello B
      Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:SSLv3 write
      server hello A
      Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:SSLv3 write
      certificate A
      Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:SSLv3 write
      key exchange A
      Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:SSLv3 write
      server done A
      Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:SSLv3 flush data
      Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:SSLv3 read
      client key exchange A
      Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:SSLv3 read
      finished A
      Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:unknown state
      Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:SSLv3 write
      change cipher spec A
      Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:SSLv3 write
      finished A
      Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:SSLv3 flush data
      Feb 12 01:20:52 mailserver postfix/smtpd[16653]: Anonymous TLS
      connection established from unknown[194.183.97.58]: TLSv1 with cipher
      DHE-RSA-AES256-SHA (256/256 bits)
      Feb 12 01:20:52 mailserver dovecot: auth(default): client in:
      AUTH^I1^IPLAIN^Iservice=smtp^Inologin^Iresp=AG1hcmNvcy5nb256YWxlekBlc2NpLnVwZi5lZHUAYVYzcnlMMG5nUDRzc3cwcmQ=
      Feb 12 01:20:52 mailserver postfix/smtpd[16653]: D88A97A0C9C:
      client=unknown[194.183.97.58], sasl_method=PLAIN, sasl_username=usertest
      Feb 12 01:20:53 mailserver postfix/smtpd[16653]: disconnect from
      unknown[194.183.97.58]
      Feb 12 01:20:53 mailserver postfix/smtp[16660]: D88A97A0C9C: Server
      certificate not verified
      Feb 12 01:20:56 mailserver postfix/smtp[16660]: D88A97A0C9C:
      to=<mail@...>, relay=mysmarthost[130.206.18.4]:25, delay=3.3,
      delays=0.48/0.01/2.8/0, dsn=4.7.5, status=deferred (Server certificate
      not verified)

      And postconf filtered by smtp is:

      default_transport = smtp
      lmtp_pix_workarounds = disable_esmtp,delay_dotcrlf
      non_smtpd_milters =
      parent_domain_matches_subdomains =
      debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps
      proxy_read_maps = $local_recipient_maps $mydestination
      $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps
      $virtual_mailbox_domains $relay_recipient_maps $relay_domains
      $canonical_maps $sender_canonical_maps $recipient_canonical_maps
      $relocated_maps $transport_maps $mynetworks $sender_bcc_maps
      $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps
      proxy_write_maps = $smtp_sasl_auth_cache_name $lmtp_sasl_auth_cache_name
      relayhost = myrelay
      smtp_always_send_ehlo = yes
      smtp_bind_address =
      smtp_bind_address6 =
      smtp_body_checks =
      smtp_cname_overrides_servername = no
      smtp_connect_timeout = 30s
      smtp_connection_cache_destinations =
      smtp_connection_cache_on_demand = yes
      smtp_connection_cache_time_limit = 2s
      smtp_connection_reuse_time_limit = 300s
      smtp_data_done_timeout = 600s
      smtp_data_init_timeout = 120s
      smtp_data_xfer_timeout = 180s
      smtp_defer_if_no_mx_address_found = no
      smtp_destination_concurrency_failed_cohort_limit =
      $default_destination_concurrency_failed_cohort_limit
      smtp_destination_concurrency_limit = $default_destination_concurrency_limit
      smtp_destination_concurrency_negative_feedback =
      $default_destination_concurrency_negative_feedback
      smtp_destination_concurrency_positive_feedback =
      $default_destination_concurrency_positive_feedback
      smtp_destination_rate_delay = $default_destination_rate_delay
      smtp_destination_recipient_limit = $default_destination_recipient_limit
      smtp_discard_ehlo_keyword_address_maps =
      smtp_discard_ehlo_keywords =
      smtp_enforce_tls = no
      smtp_fallback_relay = $fallback_relay
      smtp_generic_maps =
      smtp_header_checks =
      smtp_helo_name = $myhostname
      smtp_helo_timeout = 300s
      smtp_host_lookup = dns
      smtp_initial_destination_concurrency = $initial_destination_concurrency
      smtp_line_length_limit = 990
      smtp_mail_timeout = 300s
      smtp_mime_header_checks =
      smtp_mx_address_limit = 5
      smtp_mx_session_limit = 2
      smtp_nested_header_checks =
      smtp_never_send_ehlo = no
      smtp_pix_workaround_delay_time = 10s
      smtp_pix_workaround_maps =
      smtp_pix_workaround_threshold_time = 500s
      smtp_pix_workarounds = disable_esmtp,delay_dotcrlf
      smtp_quit_timeout = 300s
      smtp_quote_rfc821_envelope = yes
      smtp_randomize_addresses = yes
      smtp_rcpt_timeout = 300s
      smtp_rset_timeout = 20s
      smtp_sasl_auth_cache_name =
      smtp_sasl_auth_cache_time = 90d
      smtp_sasl_auth_enable = no
      smtp_sasl_auth_soft_bounce = yes
      smtp_sasl_mechanism_filter =
      smtp_sasl_password_maps = hash:/etc/postfix/relay_passwd
      smtp_sasl_path =
      smtp_sasl_security_options = noanonymous
      smtp_sasl_tls_security_options = $smtp_sasl_security_options
      smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
      smtp_sasl_type = cyrus
      smtp_send_xforward_command = no
      smtp_sender_dependent_authentication = no
      smtp_skip_5xx_greeting = yes
      smtp_skip_quit_response = yes
      smtp_starttls_timeout = 300s
      smtp_tls_CAfile = /etc/ssl/certs/TERENASSL_PATH.pem.1
      smtp_tls_CApath = /etc/ssl/certs
      smtp_tls_cert_file = /etc/ssl/mydomain.crt
      smtp_tls_dcert_file =
      smtp_tls_dkey_file = $smtp_tls_dcert_file
      smtp_tls_enforce_peername = yes
      smtp_tls_exclude_ciphers =
      smtp_tls_fingerprint_cert_match =
      smtp_tls_fingerprint_digest = md5
      smtp_tls_key_file = /etc/ssl/private/jupiter_mydomain.pem
      smtp_tls_loglevel = 0
      smtp_tls_mandatory_ciphers = medium
      smtp_tls_mandatory_exclude_ciphers =
      smtp_tls_mandatory_protocols = SSLv3, TLSv1
      smtp_tls_note_starttls_offer = no
      smtp_tls_per_site =
      smtp_tls_policy_maps =
      smtp_tls_scert_verifydepth = 9
      smtp_tls_secure_cert_match = nexthop, dot-nexthop
      smtp_tls_security_level = verify
      smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
      smtp_tls_session_cache_timeout = 3600s
      smtp_tls_verify_cert_match = hostname
      smtp_use_tls = yes
      smtp_xforward_timeout = 300s
      smtpd_authorized_verp_clients = $authorized_verp_clients
      smtpd_authorized_xclient_hosts =
      smtpd_authorized_xforward_hosts =
      smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
      smtpd_client_connection_count_limit = 50
      smtpd_client_connection_rate_limit = 0
      smtpd_client_event_limit_exceptions =
      ${smtpd_client_connection_limit_exceptions:$mynetworks}
      smtpd_client_message_rate_limit = 0
      smtpd_client_new_tls_session_rate_limit = 0
      smtpd_client_port_logging = no
      smtpd_client_recipient_rate_limit = 0
      smtpd_client_restrictions =
      smtpd_data_restrictions =
      smtpd_delay_open_until_valid_rcpt = yes
      smtpd_delay_reject = yes
      smtpd_discard_ehlo_keyword_address_maps =
      smtpd_discard_ehlo_keywords =
      smtpd_end_of_data_restrictions =
      smtpd_enforce_tls = no
      smtpd_error_sleep_time = 1s
      smtpd_etrn_restrictions =
      smtpd_expansion_filter =
      \t\40!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~
      smtpd_forbidden_commands = CONNECT GET POST
      smtpd_hard_error_limit = 20
      smtpd_helo_required = no
      smtpd_helo_restrictions =
      smtpd_history_flush_threshold = 100
      smtpd_junk_command_limit = 100
      smtpd_milters =
      smtpd_noop_commands =
      smtpd_null_access_lookup_key = <>
      smtpd_peername_lookup = yes
      smtpd_policy_service_max_idle = 300s
      smtpd_policy_service_max_ttl = 1000s
      smtpd_policy_service_timeout = 100s
      smtpd_proxy_ehlo = $myhostname
      smtpd_proxy_filter =
      smtpd_proxy_timeout = 100s
      smtpd_recipient_limit = 1000
      smtpd_recipient_overshoot_limit = 1000
      smtpd_recipient_restrictions = permit_sasl_authenticated,
      permit_mynetworks, reject_unauth_destination
      smtpd_reject_unlisted_recipient = yes
      smtpd_reject_unlisted_sender = no
      smtpd_restriction_classes =
      smtpd_sasl_auth_enable = yes
      smtpd_sasl_authenticated_header = yes
      smtpd_sasl_exceptions_networks =
      smtpd_sasl_local_domain =
      smtpd_sasl_path = private/auth
      smtpd_sasl_security_options = noanonymous
      smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
      smtpd_sasl_type = dovecot
      smtpd_sender_login_maps = ldap:/etc/postfix/ldap_aliases.cf
      smtpd_sender_restrictions =
      smtpd_soft_error_limit = 10
      smtpd_starttls_timeout = 300s
      smtpd_timeout = 300s
      smtpd_tls_CAfile = /etc/ssl/certs/TERENASSL_PATH.pem.1
      smtpd_tls_CApath = /etc/ssl/certs
      smtpd_tls_always_issue_session_ids = yes
      smtpd_tls_ask_ccert = no
      smtpd_tls_auth_only = no
      smtpd_tls_ccert_verifydepth = 9
      smtpd_tls_cert_file = /etc/ssl/mydomain.crt
      smtpd_tls_dcert_file =
      smtpd_tls_dh1024_param_file =
      smtpd_tls_dh512_param_file =
      smtpd_tls_dkey_file = $smtpd_tls_dcert_file
      smtpd_tls_exclude_ciphers =
      smtpd_tls_fingerprint_digest = md5
      smtpd_tls_key_file = /etc/ssl/private/jupiter_mydomain.pem
      smtpd_tls_loglevel = 2
      smtpd_tls_mandatory_ciphers = medium
      smtpd_tls_mandatory_exclude_ciphers =
      smtpd_tls_mandatory_protocols = SSLv3, TLSv1
      smtpd_tls_received_header = yes
      smtpd_tls_req_ccert = no
      smtpd_tls_security_level = verify
      smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
      smtpd_tls_session_cache_timeout = 3600s
      smtpd_tls_wrappermode = no
      smtpd_use_tls = yes

      If anyone knows what I can do I'll be grateful; it's maddening :-(

      Best Regards

      On 10/02/13 18:59, Viktor Dukhovni wrote:
      > On Sun, Feb 10, 2013 at 01:46:59PM +0100, deconya wrote:
      >
      >> status=deferred (Server certificate not verified)
      >>
      >> I was looking at all the information about it in howtos, and it seems that the
      >> problem is when my server exchanges credentials with the smarthost. It seems
      >> that it does not recognize the CA certificates from the destination, and I have
      >> two questions
      >>
      >> -What file is smtp_tls_CApath=/certs looking for, all? (I'm referring to the
      >> name of the file), does it need to use a special name? For now, on your
      >> recommendation and using the Postfix howto, I changed this to
      > Configuring CApath is a lot more complicated than setting up a CAfile.
      > When you have exactly one root CA to verify (the one used by the ISP's
      > relay) there is little benefit in managing a "herd" (choose your
      > favourite collective noun) of certificates via CApath.
      >
      >> smtp_tls_CApath = /var/spool/postfix/certs
      >> smtpd_tls_CApath = /var/spool/postfix/certs
      > Instead:
      >
      > /etc/postfix/main.cf:
      > # Empty
      > smtpd_tls_CApath =
      > smtpd_tls_CAfile =
      > smtp_tls_CApath =
      >
      > # Copy PEM format root CA cert into this file
      > smtp_tls_CAfile = ${config_directory}/smtp_CAfile
      >
      > /etc/postfix/smtp_CAfile:
      > -----BEGIN CERTIFICATE-----
      > ...
      > -----END CERTIFICATE-----
      >
      > Obtain the root CA certificate for the relay's smtp server in PEM
      > format (base64-encoded text between -----BEGIN, -----END line pairs)
      > from a trusted source and copy it into the CA file. Verify that
      > the file is well-formed by running:
      >
      > openssl x509 -in /etc/postfix/smtp_CAfile -noout \
      > -subject -issuer -dates -sha1 -fingerprint
      >
      > This must produce no errors and report the DN of the expected root
      > CA as both subject and issuer. The certificate must not be expired,
      > and typically is valid for 10-20 years. You can usually "google"
      > the sha1 fingerprint to find various online copies of the same CA
      > certificate.
      >
      > You can store multiple trusted roots in a single CAfile, just
      > concatenate individual files with PEM format trusted root CA certs.
      >
    • Viktor Dukhovni
      Message 2 of 10, Feb 11, 2013
        On Tue, Feb 12, 2013 at 01:36:15AM +0100, deconya wrote:

        > Thanks for your answers
        >
        > I still have the problem and I don't know where else I can check. Right
        > now the situation is:
        >
        > -Sends mails deferred
        >
        > -In logs appears:
        >
        > Feb 12 01:20:50 mailserver postfix/smtpd[16653]: warning:
        > smtpd_tls_security_level: unsupported TLS level "verify", using "encrypt"
        > Feb 12 01:20:50 mailserver postfix/smtpd[16653]: initializing the
        > server-side TLS engine

        I give up, you still can't pay attention long enough to distinguish
        "smtp_tls_security_level" from "smtpd_tls_security_level". Good luck,
        over and out.

        --
        Viktor.
      • deconya
        Message 3 of 10, Feb 12, 2013
          Hi Viktor

          Do I understand correctly that only smtp_tls_security_level is needed? Or don't I need the two options?

          In main.cf I have:

          #TLS SMTPD PARAMETERS
          smtpd_use_tls = yes
          smtpd_tls_CAfile = /etc/ssl/certs/TERENASSL_PATH.pem
          smtpd_tls_key_file = /etc/ssl/private/jupiter_mydomain.pem
          smtpd_tls_cert_file = /etc/ssl/mydomain.crt
          smtpd_tls_CApath = /etc/ssl/certs
          smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
          smtpd_tls_loglevel = 2
          smtpd_tls_received_header = yes
          smtpd_tls_session_cache_timeout = 3600s
          #smtpd_tls_security_level = verify

          smtp_use_tls = yes
          smtp_tls_CAfile = /etc/ssl/certs/TERENASSL_PATH.pem
          smtp_tls_security_level = verify
          smtp_tls_key_file = /etc/ssl/private/jupiter_mydomain.pem
          smtp_tls_cert_file = /etc/ssl/mydomain.crt
          smtp_tls_CApath = /etc/ssl/certs
          smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
          #smtp_tls_note_starttls_offer = yes


          #SASL
          relayhost = smtp.myrelayhost
          smtpd_sasl_auth_enable = yes
          smtpd_sasl_authenticated_header = yes
          smtp_sasl_password_maps = hash:/etc/postfix/relay_passwd
          smtp_sasl_security_options = noanonymous
          smtpd_sasl_security_options = noanonymous
          #smtpd_sasl_local_domain =
          smtpd_sasl_type = dovecot
          smtpd_sasl_path = private/auth

          broken_sasl_auth_clients = yes
          smtpd_sender_login_maps = ldap:/etc/postfix/ldap_aliases.cf
          smtpd_recipient_restrictions =
                  permit_sasl_authenticated,
                  permit_mynetworks,
                  reject_unauth_destination

          tls_random_source = dev:/dev/urandom

          smtpd_delay_reject = yes

          What can I do to get the connection to myrelayhost accepted?

          Best Regards


          -----Original message-----
          From: Viktor Dukhovni <postfix-users@...>
          Reply-to: postfix-users@...
          To: postfix-users@...
          Subject: Re: error using certificate server
          Date: Tue, 12 Feb 2013 07:01:24 +0000

          On Tue, Feb 12, 2013 at 01:36:15AM +0100, deconya wrote:

          > Thanks for your answers
          >
          > I still have the problem and I don't know where else I can check. Right
          > now the situation is:
          >
          > -Sent mails are deferred
          >
          > -The logs show:
          >
          > Feb 12 01:20:50 mailserver postfix/smtpd[16653]: warning:
          > smtpd_tls_security_level: unsupported TLS level "verify", using "encrypt"
          > Feb 12 01:20:50 mailserver postfix/smtpd[16653]: initializing the
          > server-side TLS engine

          I give up, you still can't pay attention long enough to distinguish
          "smtp_tls_security_level" from "smtpd_tls_security_level". Good luck,
          over and out.

          --
          Viktor.
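The point the thread turns on is that smtp_* parameters govern Postfix as a TLS client (delivering to the relay) while smtpd_* parameters govern it as a server, and only the client side can "verify" a peer. The following is an added example, not code from the thread or from Postfix: a stdlib-only linter that reads main.cf syntax and flags a verifying level on smtpd_tls_security_level (which Postfix downgrades to "encrypt" with the warning seen in the log), a verify/secure client level with no CA source, and obsolete smtp_use_tls/smtp_enforce_tls/smtp_tls_enforce_peername settings left beside smtp_tls_security_level. The two config excerpts are constructed from values quoted in the thread.

```python
SMTPD_LEVELS = {"none", "may", "encrypt"}   # all the server side accepts
CA_LEVELS = {"verify", "secure"}             # client levels that need a trusted CA
LEGACY = ("smtp_use_tls", "smtp_enforce_tls", "smtp_tls_enforce_peername")

# Constructed excerpt using values quoted in the thread (not the poster's real file).
POSTED_MAIN_CF = """\
# TLS SMTPD PARAMETERS
smtpd_tls_security_level = verify
smtp_use_tls = yes
smtp_tls_enforce_peername = yes
smtp_tls_security_level = verify
smtp_tls_CAfile = /etc/ssl/certs/TERENASSL_PATH.pem.1
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks, reject_unauth_destination
"""
# The same settings after the advice in the thread is applied (constructed).
FIXED_MAIN_CF = """\
smtpd_tls_security_level = may
smtp_tls_security_level = verify
smtp_tls_CAfile = ${config_directory}/smtp_CAfile
"""

def parse_main_cf(text):
    """main.cf syntax: 'name = value'; a line starting with whitespace continues
    the previous value; '#' in column 1 is a comment; later assignments win."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params

def lint_tls(params):
    """Return (code, message) findings for the TLS parameters in params."""
    findings = []
    srv = params.get("smtpd_tls_security_level", "")
    cli = params.get("smtp_tls_security_level", "")
    if srv and srv not in SMTPD_LEVELS:
        findings.append(("SMTPD_LEVEL", f"smtpd_tls_security_level = {srv}: the server side "
                         'takes only none/may/encrypt; Postfix logs "unsupported TLS level" '
                         "and uses encrypt"))
    if cli in CA_LEVELS and not (params.get("smtp_tls_CAfile") or params.get("smtp_tls_CApath")):
        findings.append(("NO_CA", f"smtp_tls_security_level = {cli} needs smtp_tls_CAfile or "
                         "smtp_tls_CApath, else mail defers with 'Server certificate not verified'"))
    stale = [p for p in LEGACY if p in params]   # obsolete knobs the level overrides
    if cli and stale:
        findings.append(("LEGACY", "smtp_tls_security_level overrides " + ", ".join(stale)))
    return findings
```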