Quantcast

Server certificate not verified

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Server certificate not verified

James B. Byrne
We are in the process of configuring a replacement MX off-site server.
 The last time I did this was in 2008/09 and so I am a little rusty.
At the moment I see this in my mailq on that host:


> 9EDCE3BBB5     1129 Mon Apr 17 12:32:13
> [hidden email]
>
>     (Server certificate not verified)
>
> [hidden email]


However, the source of this problem appears to me to be an invalid
sender so I am wondering just what that error message is telling me
and whether or not it is within my scope to correct whatever is
causing it.  A simple explanation of what is happening would be
gratefully accepted.

We run our own private CA and our MX hosts use our in-house
certificates, which may, or may not, have some bearing on the matter.

The message contained in 9EDCE3BBB5 says this:

From [hidden email] (Mail Delivery
System)
To [hidden email] (Postmaster)
Date Mon, 17 Apr 2017 08:32:13 -0400 (EDT)
Subject Postfix SMTP server: errors from unknown[130.193.194.106]

Transcript of session follows.

 Out: 220 inet18.mississauga.harte-lyne.ca ESMTP Postfix
 In:  EHLO [130.193.194.106]
 Out: 250-inet18.mississauga.harte-lyne.ca
 Out: 250-PIPELINING
 Out: 250-SIZE 20480000
 Out: 250-ETRN
 Out: 250-STARTTLS
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250-DSN
 Out: 250 SMTPUTF8
 In:  MAIL FROM:<[hidden email]>
 Out: 250 2.1.0 Ok
 In:  RCPT TO:<[hidden email]>
 Out: 250 2.1.5 Ok
 In:  DATA
 Out: 354 End data with <CR><LF>.<CR><LF>
 Out: 451 4.3.0 Error: queue file write error
 In:  QUIT
 Out: 221 2.0.0 Bye


For other details, see the local mail logfile


These are the current configuration settings.

# postconf -nf
alias_database = /etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
compatibility_level = 2
content_filter = smtp-amavis:[127.0.18.1]:10024
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
    $daemon_directory/$process_name $process_id & sleep 5
delay_warning_time = 15m
disable_vrfy_command = yes
header_checks = regexp:$config_directory/header_checks.regexp
html_directory = /usr/local/share/doc/postfix
ignore_mx_lookup_error = no
inet_interfaces = localhost, 192.168.209.18, 209.47.176.18
inet_protocols = all
local_transport = smtp
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 20480000
meta_directory = /usr/local/libexec/postfix
milter_default_action = accept
milter_protocol = 2
mydestination =
mynetworks = 216.185.71.0/26, 216.185.71.64/27, 209.47.176.0/26,
    192.168.216.0/24, 192.168.209.0/24, 192.168.8.0/24, 192.168.7.0/24,
    192.168.6.0/24, 127.0.0.0/8
newaliases_path = /usr/local/bin/newaliases
non_smtpd_milters = $smtpd_milters
policyd-spf_time_limit = 3600
queue_directory = /var/spool/postfix
queue_minfree = 40960000
rbl_reply_maps = hash:/usr/local/etc/postfix/rbl_reply
readme_directory = /usr/local/share/doc/postfix
recipient_delimiter = +
relay_clientcerts = hash:/usr/local/etc/postfix/relay_clientcerts
relay_domains = hash:/usr/local/etc/postfix/relay_domains
sample_directory = /usr/local/etc/postfix
sender_canonical_maps = hash:/usr/local/etc/postfix/canonical
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
shlib_directory = /usr/local/lib/postfix
smtp_dns_support_level = dnssec
smtp_host_lookup = dns
smtp_tls_CAfile = /usr/local/etc/pki/tls/certs/ca-bundle.crt
smtp_tls_cert_file = /usr/local/etc/pki/tls/certs/ca.harte-lyne.smtp.crt
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = MD5, aDSS, SRP, PSK, aECDH, aDH, SEED,
IDEA, RC2, RC5
smtp_tls_key_file = /usr/local/etc/pki/tls/private/ca.harte-lyne.smtp.key
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:/var/db/postfix/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtpd_client_restrictions = permit
smtpd_data_restrictions = permit_mynetworks,
reject_multi_recipient_bounce,
    reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access
    pcre:/usr/local/etc/postfix/helo_checks.pcre,
reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname, permit
smtpd_milters = inet:127.0.18.1:8891
smtpd_proxy_timeout = 300s
smtpd_recipient_restrictions = reject_non_fqdn_recipient
    reject_unknown_recipient_domain permit_mynetworks
permit_sasl_authenticated
    reject_unauth_destination reject_unauth_pipelining
check_policy_service
    inet:10023 check_policy_service unix:private/policyd-spf permit
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sender_restrictions = permit_mynetworks, check_sender_access
    hash:/usr/local/etc/postfix/sender_access, check_sender_mx_access
    hash:/usr/local/etc/postfix/sender_mx_access, check_sender_ns_access
    hash:/usr/local/etc/postfix/sender_ns_access,
permit_sasl_authenticated,
    reject_non_fqdn_sender, reject_unknown_sender_domain, permit
smtpd_starttls_timeout = ${stress?10}${stress:120}s
smtpd_timeout = ${stress?10}${stress:120}s
smtpd_tls_CAfile = /usr/local/etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file =
    /usr/local/etc/pki/tls/certs/inet13.mississauga.harte-lyne.ca.crt
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
smtpd_tls_fingerprint_digest = sha256
smtpd_tls_key_file =
    /usr/local/etc/pki/tls/private/inet18.mississauga.harte-lyne.ca.key
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/db/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual,
    regexp:/usr/local/etc/postfix/virtual.regexp


# postconf -Mf
smtp       inet  n       -       n       -       -       smtpd
    -o smtpd_tls_security_level=may
    -o smtpd_proxy_filter=127.0.18.1:10024
    -o smtpd_client_connection_count_limit=10
    -o smtpd_proxy_options=speed_adjust
    -o syslog_name=postfix-p25
submission inet  n       -       n       -       -       smtpd -v
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o
smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
    -o
smtpd_recipient_restrictions=permit_sasl_authenticated,permit_tls_clientcerts,reject_unauth_destination
    -o
smtpd_sender_restrictions=permit_sasl_authenticated,permit_tls_clientcerts,reject
    -o milter_macro_daemon_name=ORIGINATING
    -o syslog_name=postfix-p587
smtps      inet  n       -       n       -       -       smtpd -v
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o
smtpd_recipient_restrictions=permit_sasl_authenticated,permit_tls_clientcerts,reject_unauth_destination
    -o
smtpd_sender_restrictions=permit_sasl_authenticated,permit_tls_clientcerts,reject_unauth_destination
    -o milter_macro_daemon_name=ORIGINATING
    -o syslog_name=postfix-p465
pickup     fifo  n       -       n       60      1       pickup
    -o content_filter=
    -o receive_override_options=no_header_body_checks
cleanup    unix  n       -       n       -       0       cleanup
qmgr       fifo  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
    -o smtp_fallback_relay=
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
127.0.18.1:2626 inet n   -       n       -       -       smtpd
    -o smtpd_tls_security_level=none
    -o smtpd_sasl_auth_enable=no
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=
    -o milter_macro_daemon_name=ORIGINATING
    -o syslog_name=postfix-p2626
policyd-spf unix y       n       n       -       -       spawn
user=nobody
    argv=/usr/local/bin/policyd-spf
smtp-amavis unix -       -       n       -       6       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
127.0.18.1:10025 inet n  -       n       -       -       smtpd
    -o content_filter=
    -o local_header_rewrite_clients=
    -o local_recipient_maps=
    -o mynetworks=127.0.0.0/8
    -o relay_recipient_maps=
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_delay_reject=no
    -o smtpd_milters=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o
receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings




--
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:[hidden email]
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Server certificate not verified

Viktor Dukhovni

> On Apr 17, 2017, at 10:14 AM, James B. Byrne <[hidden email]> wrote:
>
> We are in the process of configuring a replacement MX off-site server.
> The last time I did this was in 2008/09 and so I am a little rusty.

See:

   http://www.postfix.org/BASIC_CONFIGURATION_README.html#myorigin
   http://www.postfix.org/BASIC_CONFIGURATION_README.html#mydestination
   http://www.postfix.org/BASIC_CONFIGURATION_README.html#relay_to
   http://www.postfix.org/BASIC_CONFIGURATION_README.html#notify
   http://www.postfix.org/BASIC_CONFIGURATION_README.html#syslog_howto

> At the moment I see this in my mailq on that host:
>
>> 9EDCE3BBB5     1129 Mon Apr 17 12:32:13
>> [hidden email]
>>
>>    (Server certificate not verified)
>>
>> [hidden email]

This is useless and distracting.  Post relevant log entries.

You've cleared mydestination and not set myorigin to a sensible
value, so locally originated mail loops.  Your host has DANE
TLSA records, but lacks a matching certificate.

It looks like you're trying to arrive at working configuration
without thinking about the key questions:

        * What domains do you accept mail for?
        * Where is mail delivered?
        * What domain should appear in headers and envelopes of
          locally generated mail?
        * What notices should be sent to the postmaster (often
          "none" is the right answer, provided logs, queues, ...
          are monitored).

> However, the source of this problem appears to me to be an invalid
> sender

No, the source is postmaster notices (possibly unwanted) that
loop back to the local machine, and fail DANE authentication.

--
        Viktor.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Server certificate not verified

James B. Byrne

On Mon, April 17, 2017 11:30, Viktor Dukhovni wrote:
>

Thank you for bringing this to my attention.

>
> Your host has DANE TLSA records, but lacks a matching certificate.

I am mystified as to what I have done wrong in this respect.  The
certificate in question has this value as its common name:

Subject: CN=inet18.mississauga.harte-lyne.ca

The DNS entries match as far as I can see:

;; ANSWER SECTION:
inet18.mississauga.harte-lyne.ca. 102897 IN A 209.47.176.18

;; ANSWER SECTION:
18.176.47.209.in-addr.arpa. 140860
IN PTR inet18.mississauga.harte-lyne.ca.

And yet as you write, the TLSA verification chain fails:

TLSA records found: 3
TLSA: 2 1 2
380259229e21a1946b38cfc594cbc993b61bc93762b7b6c6637b3eef9c5a2bb70c589b91beb73bd1304eac11b3917e33819e2b47d25d4966435a2a3e83c1f80f
TLSA: 2 0 2
67274b355428905895c6b581950e0ed4f7d043f31f7e7020b716b7faa06776b6aadd33e127624b6e8c75c520a01d9cad3bd29f18fa7dcb3d5fd3917510e6722a
TLSA: 2 1 2
c26e0ec16a46a97386e8f31f8ecc971f2d73136aa377dfdaac2b2b00f7cab4bb29b17d913c82093b41fd0d9e40b66a68361c126f1f4017f9ce60eabc5adba90e

Connecting to IPv4 address: 209.47.176.18 port 25
recv: 220 inet18.mississauga.harte-lyne.ca ESMTP Postfix
send: EHLO cheetara.huque.com
recv: 250-inet18.mississauga.harte-lyne.ca
recv: 250-PIPELINING
recv: 250-SIZE 20480000
recv: 250-ETRN
recv: 250-STARTTLS
recv: 250-ENHANCEDSTATUSCODES
recv: 250-8BITMIME
recv: 250-DSN
recv: 250 SMTPUTF8
send: STARTTLS
recv: 220 2.0.0 Ready to start TLS
TLSv1.2 handshake succeeded.
Cipher: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Peer Certificate chain:
 0 Subject CN: inet18.mississauga.harte-lyne.ca
   Issuer  CN: CA_HLL_ISSUER_2016
 1 Subject CN: CA_HLL_ISSUER_2016
   Issuer  CN: CA_HLL_ROOT_2016
 2 Subject CN: CA_HLL_ROOT_2016
   Issuer  CN: CA_HLL_ROOT_2016
 SAN dNSName: inet18.mississauga.harte-lyne.ca
 SAN dNSName: inet18
 SAN dNSName: inet18.hamilton
 SAN dNSName: inet18.hamilton.harte-lyne.ca
 SAN dNSName: inet18.mississagua
 SAN dNSName: inet18.mississagua.harte-lyne.ca
Error: peer authentication failed. rc=62 (Hostname mismatch)

[2] Authentication failed for all (1) peers.

What may be an obvious error to other I cannot see myself.  What is
wrong with the certificate?  Is one no longer permitted to have
SubAlternativeNames?

>
> It looks like you're trying to arrive at working configuration
> without thinking about the key questions:
>
> * What domains do you accept mail for?
These are listed in the relay_domains map.

> * Where is mail delivered?
At our main IMAP service which is not directly accessible to this
particular host.  This host is a backup MX and should forward mail to
the primary MX host when that becomes available.

> * What domain should appear in headers and envelopes of
>           locally generated mail?
The FQDN of this host is required as any originating mail is internal
mail.  This I believe is the default.

> * What notices should be sent to the postmaster (often
>  "none" is the right answer, provided logs, queues, ...
>           are monitored).
>
>> However, the source of this problem appears to me to be an invalid
>> sender
>
> No, the source is postmaster notices (possibly unwanted) that
> loop back to the local machine, and fail DANE authentication.
>


--
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:[hidden email]
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

Loading...