Some Windows SMTP Server have problems with STARTTLS


Some Windows SMTP Server have problems with STARTTLS

Ralf Hildebrandt
From my log on mail.charite.de:

Apr 24 09:34:38 mail postfix/smtpd[18639]: connect from mailix.aer.de[212.202.242.130]
Apr 24 09:34:38 mail postfix/smtpd[18639]: SSL_accept error from mailix.aer.de[212.202.242.130]: -1
Apr 24 09:34:38 mail postfix/smtpd[18639]: lost connection after STARTTLS from mailix.aer.de[212.202.242.130]
Apr 24 09:34:38 mail postfix/smtpd[18639]: disconnect from mailix.aer.de[212.202.242.130]

The Windows admin of mailix.aer.de provided me with his log:

After STARTTLS he gets:
SSL negotation failed, error code 0x80090308

Also see: http://www.arschkrebs.de/bugs/log.jpg
for the whole log.

What could be the issue? What does 0x80090308 mean? And why did it
just break recently (between Apr 23rd and 24th)?

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
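Added example (not part of Ralf's post and not Postfix code): a small Python triage script that correlates Postfix smtpd log lines per process into sessions and reports which peers fail every TLS handshake, which is the first thing worth knowing after a certificate change. The log lines are constructed for this example, modelled on the four quoted above; the mx.example.net session and the second mailix session are invented.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the lines quoted in the post above.  The
# first mailix session is the one from the post; the other two are invented.
SAMPLE_LOG = """\
Apr 24 09:34:38 mail postfix/smtpd[18639]: connect from mailix.aer.de[212.202.242.130]
Apr 24 09:34:38 mail postfix/smtpd[18639]: SSL_accept error from mailix.aer.de[212.202.242.130]: -1
Apr 24 09:34:38 mail postfix/smtpd[18639]: lost connection after STARTTLS from mailix.aer.de[212.202.242.130]
Apr 24 09:34:38 mail postfix/smtpd[18639]: disconnect from mailix.aer.de[212.202.242.130]
Apr 24 09:35:01 mail postfix/smtpd[18640]: connect from mx.example.net[192.0.2.10]
Apr 24 09:35:01 mail postfix/smtpd[18640]: Anonymous TLS connection established from mx.example.net[192.0.2.10]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr 24 09:35:02 mail postfix/smtpd[18640]: disconnect from mx.example.net[192.0.2.10]
Apr 24 09:40:12 mail postfix/smtpd[18641]: connect from mailix.aer.de[212.202.242.130]
Apr 24 09:40:12 mail postfix/smtpd[18641]: SSL_accept error from mailix.aer.de[212.202.242.130]: -1
Apr 24 09:40:12 mail postfix/smtpd[18641]: lost connection after STARTTLS from mailix.aer.de[212.202.242.130]
Apr 24 09:40:12 mail postfix/smtpd[18641]: disconnect from mailix.aer.de[212.202.242.130]
"""

# Postfix smtpd lines all share the shape "<event> from <host>[<ip>]<rest>".
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[(?P<pid>\d+)\]: '
    r'(?P<msg>.*?) from (?P<host>\S+?)\[(?P<ip>[^\]]+)\](?P<rest>.*)$'
)


def triage(log_text):
    """Correlate connect -> TLS outcome -> disconnect per smtpd process.

    smtpd processes are reused, so a new "connect" opens a new session for
    that pid.  Returns {peer: {"sessions", "tls_failed", "aborted", "tls_ok"}}.
    """
    current = {}                                   # pid -> peer of the open session
    stats = defaultdict(lambda: {"sessions": 0, "tls_failed": 0, "aborted": 0, "tls_ok": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        peer = f"{m.group('host')}[{m.group('ip')}]"
        if msg == "connect":
            current[pid] = peer
            stats[peer]["sessions"] += 1
        elif pid not in current:
            continue                               # event without a seen connect
        elif msg == "SSL_accept error":
            stats[peer]["tls_failed"] += 1         # handshake rejected by OpenSSL
        elif msg == "lost connection after STARTTLS":
            stats[peer]["aborted"] += 1            # client gave up after the 220
        elif msg.endswith("TLS connection established"):
            stats[peer]["tls_ok"] += 1             # Anonymous/Untrusted/Trusted/Verified
        elif msg == "disconnect":
            current.pop(pid, None)
    return dict(stats)


def broken_peers(stats, min_sessions=1):
    """Peers for which every session in the window failed the TLS handshake."""
    return sorted(p for p, s in stats.items()
                  if s["sessions"] >= min_sessions
                  and s["tls_failed"] == s["sessions"] and s["tls_ok"] == 0)


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for peer, s in sorted(summary.items()):
        print(f"{peer}: {s}")
    print("peers that never complete TLS:", broken_peers(summary))
```

Run it over a day of mail.log on either side of the certificate change; a peer that appears only in `broken_peers` after the change is the one whose TLS stack dislikes the new chain, and the tcpdump suggested later in the thread can then be targeted at just that IP.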

Re: Some Windows SMTP Server have problems with STARTTLS

Victor Duchovni
On Tue, May 06, 2008 at 02:23:13PM +0200, Ralf Hildebrandt wrote:

> From my log on mail.charite.de:
>
> Apr 24 09:34:38 mail postfix/smtpd[18639]: connect from mailix.aer.de[212.202.242.130]
> Apr 24 09:34:38 mail postfix/smtpd[18639]: SSL_accept error from mailix.aer.de[212.202.242.130]: -1
> Apr 24 09:34:38 mail postfix/smtpd[18639]: lost connection after STARTTLS from mailix.aer.de[212.202.242.130]
> Apr 24 09:34:38 mail postfix/smtpd[18639]: disconnect from mailix.aer.de[212.202.242.130]
>

Anything on your side changed recently?

    # tcpdump -s 2000 -w ~/pkts tcp host 212.202.242.130

Then analyze with ssldump or wireshark. TLS *to* this IP works fine (but
it could be a NAT, with inbound SMTP handed off to a different host...)

smtp-finger: Connected to 212.202.242.130[212.202.242.130]:25
smtp-finger: < 220 mailix.aer.de ESMTP MDaemon 9.6.5; Tue, 06 May 2008 19:33:04 +0200
smtp-finger: > EHLO hqmtabh2.ms.com
smtp-finger: < 250-mailix.aer.de Hello hqmtabh2.ms.com, pleased to meet you
smtp-finger: < 250-ETRN
smtp-finger: < 250-AUTH=LOGIN
smtp-finger: < 250-AUTH LOGIN CRAM-MD5
smtp-finger: < 250-8BITMIME
smtp-finger: < 250-STARTTLS
smtp-finger: < 250 SIZE 0
smtp-finger: > STARTTLS
smtp-finger: < 220 Begin TLS negotiation
smtp-finger: certificate verification failed for 212.202.242.130[212.202.242.130]:25: self-signed certificate
smtp-finger: 212.202.242.130[212.202.242.130]:25 CommonName aerticket.ag
smtp-finger: 212.202.242.130[212.202.242.130]:25: Untrusted subject_CN=aerticket.ag, issuer_CN=aerticket.ag
smtp-finger: 212.202.242.130[212.202.242.130]:25 sha1 fingerprint 77:0F:0B:01:E0:EF:1F:38:59:6E:1A:1B:88:8D:97:79:B1:CD:AE:4E
smtp-finger: Untrusted TLS connection established to 212.202.242.130[212.202.242.130]:25: TLSv1 with cipher RC4-MD5 (128/128 bits)
---
Certificate chain
 0 s:/C=DE/O=AERTiCKET AG/CN=aerticket.ag
   i:/C=DE/O=AERTiCKET AG/CN=aerticket.ag
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
smtp-finger: > QUIT
smtp-finger: < 221 See ya in cyberspace

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[hidden email]?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

Re: Some Windows SMTP Server have problems with STARTTLS

Ralf Hildebrandt
* Victor Duchovni <[hidden email]>:

> On Tue, May 06, 2008 at 02:23:13PM +0200, Ralf Hildebrandt wrote:
>
> > From my log on mail.charite.de:
> >
> > Apr 24 09:34:38 mail postfix/smtpd[18639]: connect from mailix.aer.de[212.202.242.130]
> > Apr 24 09:34:38 mail postfix/smtpd[18639]: SSL_accept error from mailix.aer.de[212.202.242.130]: -1
> > Apr 24 09:34:38 mail postfix/smtpd[18639]: lost connection after STARTTLS from mailix.aer.de[212.202.242.130]
> > Apr 24 09:34:38 mail postfix/smtpd[18639]: disconnect from mailix.aer.de[212.202.242.130]
> >
>
> Anything on your side changed recently?

update-ca-certificates on that day, when it broke
 
>     # tcpdump -s 2000 -w ~/pkts tcp host 212.202.242.130
>
> Then analyze with ssldump or wireshark. TLS *to* this IP works fine (but
> it could be a NAT, with inbound SMTP handed off to a different host...)

Indeed, to is no problem. But *to* us?!
Can you send to us ok?

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
Real programmers never work 9 to 5. If any real programmers are around
at 9 am, it's because they were up all night.

Re: Some Windows SMTP Server have problems with STARTTLS

Victor Duchovni
On Tue, May 06, 2008 at 07:51:43PM +0200, Ralf Hildebrandt wrote:

> update-certifcates on that day, when it broke

Whose certificates? Yours? Your certificate trust chain is fairly (4) deep,
was it similar before? Do you still have your old cert trust chain? Your
new key is 2048 bits, was the old one also 2048 bits?

 0 s:/C=DE/O=Charite - Universitaetsmedizin Berlin/OU=Geschaeftsbereich Informationsmanagement/CN=mail-ausfall.charite.de
   i:/C=DE/O=Charite - Universitaetsmedizin Berlin/OU=IT-Zentrum/CN=Charite CA - G02/emailAddress=[hidden email]
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 188577004 (0xb3d74ec)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, O=Charite - Universitaetsmedizin Berlin, OU=IT-Zentrum, CN=Charite CA - G02/emailAddress=[hidden email]
        Validity
            Not Before: Oct 23 13:30:06 2007 GMT
            Not After : Oct 21 13:30:06 2012 GMT
        Subject: C=DE, O=Charite - Universitaetsmedizin Berlin, OU=Geschaeftsbereich Informationsmanagement, CN=mail-ausfall.charite.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:b8:1b:6b:8d:66:2a:b0:e3:a7:6b:e3:cc:ac:9a:
                    2b:a8:08:50:e1:90:3d:3f:da:ba:e8:44:a8:63:01:
                    9a:3d:46:93:ee:74:ed:6e:42:08:ee:df:d2:f6:8d:
                    36:29:0f:f4:55:f4:cc:4c:6d:6e:87:c0:8c:b8:4f:
                    47:09:5b:8f:ac:bd:4f:c7:56:ea:d7:18:40:0d:5a:
                    ef:1c:19:96:37:51:39:2d:ff:73:e3:71:d5:4b:75:
                    30:2b:02:0e:f9:f0:c2:52:4f:cd:cb:c7:f0:88:e0:
                    64:23:bd:86:8d:d2:d7:02:3a:b8:7e:23:5b:08:1f:
                    7f:1d:1c:b5:96:3e:76:90:65:a8:4d:2e:ca:fe:55:
                    d7:5b:1d:34:7b:6b:5e:68:8f:7c:96:b8:7b:ed:43:
                    77:d7:d9:d3:75:b4:00:07:cf:e0:fc:47:b6:2e:c4:
                    1c:a9:85:39:d3:07:6d:4e:c7:49:01:02:04:69:00:
                    af:6a:e1:5e:24:7f:82:12:da:13:03:f8:8b:06:31:
                    48:54:45:32:c8:32:a1:09:3d:8f:34:f7:c4:5b:a2:
                    e5:37:39:a1:0e:b1:b1:75:fc:30:aa:7f:f6:c5:c0:
                    6f:ed:82:0b:14:c9:aa:b9:9a:56:ee:8f:4f:52:e9:
                    6e:de:aa:44:4f:01:68:6b:38:c8:f6:3b:fb:ae:c0:
                    49:21
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Key Identifier:
                74:A6:19:B8:C3:2F:29:42:AF:29:84:64:77:31:A2:84:0A:D0:2D:4F
            X509v3 Authority Key Identifier:
                keyid:74:4A:0E:59:EA:22:31:7A:B8:EF:9A:07:92:4D:DF:D2:39:33:A9:C6

            X509v3 Subject Alternative Name:
                email:[hidden email]
            X509v3 CRL Distribution Points:
                URI:http://cdp1.pca.dfn.de/charite-ca/pub/crl/g_cacrl.crl
                URI:http://cdp2.pca.dfn.de/charite-ca/pub/crl/g_cacrl.crl

            Authority Information Access:
                CA Issuers - URI:http://cdp1.pca.dfn.de/charite-ca/pub/cacert/g_cacert.crt
                CA Issuers - URI:http://cdp2.pca.dfn.de/charite-ca/pub/cacert/g_cacert.crt

    Signature Algorithm: sha1WithRSAEncryption
        9e:28:0a:6d:8d:df:b6:25:6a:e5:a0:51:5f:70:b4:f9:62:89:
        3a:88:63:1a:5c:d8:a6:fa:a6:0e:7b:1e:70:98:e4:9e:5b:08:
        fc:91:eb:bf:51:c7:fc:de:76:a5:7a:ab:e0:71:9c:56:78:91:
        bf:77:e7:08:76:f7:f0:61:8a:29:81:e6:ac:e4:47:0e:eb:77:
        ba:00:34:47:ba:15:5e:77:e8:d5:57:5b:a5:81:53:93:7e:80:
        2d:dc:ef:7e:99:63:ad:02:74:2f:71:e6:bb:b5:c3:77:10:b5:
        97:76:00:31:98:f6:ba:68:f2:77:dc:f7:17:01:73:c7:f1:a1:
        17:12:b8:8b:4c:fb:5e:73:8d:74:ce:1b:40:df:16:cd:42:f7:
        f4:ac:51:7a:d3:e4:19:fe:93:d0:10:96:81:6d:c8:d7:4f:77:
        9f:7e:16:d7:10:56:66:eb:4b:0a:a7:87:ba:58:c4:cd:2e:e7:
        34:fd:cf:e2:36:af:c2:6a:21:9e:94:f6:46:eb:60:4f:c1:cc:
        74:3b:85:c6:e7:65:c4:26:d8:d0:ad:a4:6c:6c:ae:f6:e4:fa:
        69:28:48:79:73:e5:0b:54:fc:3e:3d:b1:c9:2b:7c:0d:e6:0c:
        14:00:bb:01:9c:33:0c:af:31:e4:7a:a5:54:9a:0c:29:9b:2e:
        b7:55:2a:92
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 1 s:/C=DE/O=Charite - Universitaetsmedizin Berlin/OU=IT-Zentrum/CN=Charite CA - G02/emailAddress=[hidden email]
   i:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 166884599 (0x9f274f7)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, O=DFN-Verein, OU=DFN-PKI, CN=DFN-Verein PCA Global - G01
        Validity
            Not Before: Feb 14 11:50:00 2007 GMT
            Not After : Feb 13 00:00:00 2019 GMT
        Subject: C=DE, O=Charite - Universitaetsmedizin Berlin, OU=IT-Zentrum, CN=Charite CA - G02/emailAddress=[hidden email]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:c4:fb:9b:fd:43:25:6a:77:41:ba:a4:a2:94:b6:
                    13:12:ca:ec:45:03:b7:f5:3c:54:6d:8f:e7:c8:42:
                    9a:6d:6a:13:06:60:2e:4d:65:f0:0d:aa:ee:63:06:
                    68:5c:8a:c9:6e:cf:fb:28:aa:b1:05:ca:fa:63:cd:
                    7e:21:92:39:45:7d:da:17:04:42:e8:76:cf:8c:1f:
                    a8:c7:16:9f:b0:76:19:be:9e:7a:8c:3f:29:9d:3e:
                    5b:2e:e6:b1:df:38:c7:5f:fc:98:78:c1:54:b8:62:
                    27:f5:b3:7e:ab:88:d2:e4:2e:39:29:77:e7:97:24:
                    f7:21:e6:03:07:58:80:68:46:89:35:0d:71:cc:52:
                    08:2a:84:52:aa:90:d9:02:83:29:66:cf:a3:33:5b:
                    e5:e1:bb:95:64:35:19:ee:0a:f5:3d:13:30:02:da:
                    08:d4:65:16:6b:91:30:99:54:39:66:17:f6:c6:85:
                    4b:0a:ab:65:a5:16:39:4e:fc:3c:c6:9c:ec:c9:c4:
                    2f:e6:6f:83:de:06:fa:cb:4d:21:27:39:cd:08:26:
                    90:15:e4:06:91:49:c1:92:07:b6:78:db:d3:c0:e4:
                    00:05:a8:6b:c0:d7:34:3f:5e:28:78:5d:e7:f0:f6:
                    f4:67:c9:73:01:b5:0e:37:8e:14:2f:eb:d2:de:8e:
                    2c:63
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                74:4A:0E:59:EA:22:31:7A:B8:EF:9A:07:92:4D:DF:D2:39:33:A9:C6
            X509v3 Authority Key Identifier:
                keyid:49:B7:C6:CF:E8:3D:1F:7F:EA:44:7B:13:29:F7:F1:0A:70:3E:DE:64

            X509v3 Subject Alternative Name:
                email:[hidden email]
            X509v3 CRL Distribution Points:
                URI:http://cdp1.pca.dfn.de/global-root-ca/pub/crl/cacrl.crl
                URI:http://cdp2.pca.dfn.de/global-root-ca/pub/crl/cacrl.crl

            Authority Information Access:
                CA Issuers - URI:http://cdp1.pca.dfn.de/global-root-ca/pub/cacert/cacert.crt
                CA Issuers - URI:http://cdp2.pca.dfn.de/global-root-ca/pub/cacert/cacert.crt

    Signature Algorithm: sha1WithRSAEncryption
        29:da:04:bb:3a:03:54:1e:7b:db:da:79:c0:30:9d:a3:2f:c9:
        1e:d5:5a:46:78:a1:a8:d6:cd:01:d9:06:e4:d7:58:79:02:23:
        f4:10:29:cb:95:9a:33:91:38:00:6d:50:f3:31:8d:93:9e:0f:
        2e:61:fb:07:79:ab:9b:23:b2:6f:86:3d:ed:c7:58:52:03:b9:
        54:19:93:31:98:a2:cb:a8:da:e6:9b:4e:30:fa:aa:1f:3b:d9:
        39:b6:2b:67:f7:82:10:22:50:98:0f:fe:ef:07:a9:a2:d6:c0:
        9e:d8:27:48:f8:d3:26:40:da:b0:3b:e2:42:53:3d:27:e0:49:
        ba:cb:91:da:31:d6:6f:f5:e5:07:fc:85:a6:13:00:19:a6:07:
        6a:b3:76:b6:0e:62:e0:71:87:d7:47:23:80:14:54:3f:37:ce:
        c5:04:c2:ac:ba:77:ea:f6:06:cd:91:81:f7:61:51:5c:cf:78:
        51:8a:28:86:72:c8:83:e0:4c:f1:e9:8a:83:2f:ec:30:b4:a3:
        1b:d3:76:d3:3f:bb:8e:7d:5a:1b:be:9b:ca:80:65:20:6c:bd:
        f7:ec:b9:be:0a:ff:b0:6e:17:ad:64:df:1b:59:89:82:7b:26:
        a0:6f:79:ee:59:b2:bb:e9:04:e9:5d:74:bc:cc:86:76:68:86:
        60:2a:77:8c
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 2 s:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
   i:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 199 (0xc7)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, O=Deutsche Telekom AG, OU=T-TeleSec Trust Center, CN=Deutsche Telekom Root CA 2
        Validity
            Not Before: Dec 19 10:29:00 2006 GMT
            Not After : Jun 30 23:59:00 2019 GMT
        Subject: C=DE, O=DFN-Verein, OU=DFN-PKI, CN=DFN-Verein PCA Global - G01
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:e9:9b:c3:67:85:f9:0d:ae:f5:8d:54:c3:96:50:
                    35:3d:62:e9:6e:4c:ed:94:d7:00:5b:95:22:74:d4:
                    20:eb:34:8f:d6:ec:c0:31:04:0b:99:81:e2:a6:14:
                    d2:52:a0:28:23:84:8b:74:89:04:5e:5b:e0:e2:78:
                    c1:78:cb:16:cb:28:35:39:7b:2d:90:45:d0:ed:a0:
                    00:7a:7c:bf:4a:0e:1b:00:c3:86:e9:5c:2b:31:11:
                    7b:0c:f3:82:24:43:8c:1c:38:8b:6a:68:00:9a:ee:
                    dc:4f:78:ab:d2:c6:13:9b:76:ad:ee:de:26:e8:ef:
                    01:af:74:0f:c1:09:a2:f6:6b:ce:bd:d3:cd:14:30:
                    4f:f5:e5:e3:a4:c8:62:9b:82:1a:03:27:30:0d:02:
                    65:60:4d:ed:d1:09:23:2a:96:35:58:27:d3:76:c6:
                    71:b6:90:1d:c4:ed:ff:35:86:7d:6f:33:b3:db:0f:
                    c5:11:c2:8a:83:a1:94:5d:41:6b:d8:d2:10:f5:4c:
                    fd:ca:51:ac:d9:bd:ef:92:83:bb:da:eb:8b:16:56:
                    56:43:cf:e1:d5:13:3d:a6:1f:27:30:cd:49:54:db:
                    c9:13:34:9a:71:75:c5:6c:ea:a7:0b:98:f9:21:9d:
                    27:af:3e:a3:39:39:48:6a:8c:ad:c9:99:fb:c3:12:
                    f2:bd
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 CRL Distribution Points:
                URI:http://pki.telesec.de/cgi-bin/service/af_DownloadARL.crl?-crl_format=X_509&-issuer=DT_ROOT_CA_2

            X509v3 Subject Key Identifier:
                49:B7:C6:CF:E8:3D:1F:7F:EA:44:7B:13:29:F7:F1:0A:70:3E:DE:64
            X509v3 Authority Key Identifier:
                keyid:31:C3:79:1B:BA:F5:53:D7:17:E0:89:7A:2D:17:6C:0A:B3:2B:9D:33

            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:2
    Signature Algorithm: sha1WithRSAEncryption
        3b:e1:5a:77:c0:48:17:dc:a9:18:ec:81:af:5a:89:f0:bd:28:
        92:a6:ca:59:18:12:70:ec:28:f2:e7:ae:7f:96:2c:e7:f2:5d:
        19:31:f6:13:2b:74:bd:bd:80:b2:b9:f7:67:c9:39:a2:79:3b:
        e1:11:11:ee:6b:78:91:33:7e:3b:5f:26:27:75:53:65:8e:33:
        63:ee:cf:73:c3:b0:92:23:49:21:50:75:23:a1:1f:18:e2:94:
        85:3d:3f:33:e9:77:20:8d:a2:bd:e6:a1:85:29:40:f6:3f:73:
        32:58:0d:09:6b:a6:da:85:6c:c0:3f:bb:8d:66:64:56:24:4e:
        ae:0d:3f:32:35:01:5b:e9:8c:82:d9:72:59:4f:b1:86:85:f1:
        74:85:56:e5:c3:f8:5c:f3:8d:ee:47:b3:53:05:70:e7:e5:4d:
        8a:69:83:28:e1:13:09:86:9e:5e:c8:ea:58:1e:0c:1f:f9:a4:
        d4:5a:04:68:fd:28:3e:8b:02:b6:58:b5:f6:a1:2c:37:57:00:
        67:ab:23:68:8d:63:a5:ef:99:6b:5c:fd:4b:56:f6:ab:40:87:
        34:d4:11:92:6c:ec:87:c5:0a:0b:07:33:72:b4:6f:0c:1d:54:
        2c:d8:51:c7:cc:bf:30:d3:43:72:f1:32:bf:8c:ce:49:63:a8:
        00:f7:f2:1c
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 3 s:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
   i:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 38 (0x26)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, O=Deutsche Telekom AG, OU=T-TeleSec Trust Center, CN=Deutsche Telekom Root CA 2
        Validity
            Not Before: Jul  9 12:11:00 1999 GMT
            Not After : Jul  9 23:59:00 2019 GMT
        Subject: C=DE, O=Deutsche Telekom AG, OU=T-TeleSec Trust Center, CN=Deutsche Telekom Root CA 2
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:ab:0b:a3:35:e0:8b:29:14:b1:14:85:af:3c:10:
                    e4:39:6f:35:5d:4a:ae:dd:ea:61:8d:95:49:f4:6f:
                    64:a3:1a:60:66:a4:a9:40:22:84:d9:d4:a5:e5:78:
                    93:0e:68:01:ad:b9:4d:5c:3a:ce:d3:b8:a8:42:40:
                    df:cf:a3:ba:82:59:6a:92:1b:ac:1c:9a:da:08:2b:
                    25:27:f9:69:23:47:f1:e0:eb:2c:7a:9b:f5:13:02:
                    d0:7e:34:7c:c2:9e:3c:00:59:ab:f5:da:0c:f5:32:
                    3c:2b:ac:50:da:d6:c3:de:83:94:ca:a8:0c:99:32:
                    0e:08:48:56:5b:6a:fb:da:e1:58:58:01:49:5f:72:
                    41:3c:15:06:01:8e:5d:ad:aa:b8:93:b4:cd:9e:eb:
                    a7:e8:6a:2d:52:34:db:3a:ef:5c:75:51:da:db:f3:
                    31:f9:ee:71:98:32:c4:54:15:44:0c:f9:9b:55:ed:
                    ad:df:18:08:a0:a3:86:8a:49:ee:53:05:8f:19:4c:
                    d5:de:58:79:9b:d2:6a:1c:42:ab:c5:d5:a7:cf:68:
                    0f:96:e4:e1:61:98:76:61:c8:91:7c:d6:3e:00:e2:
                    91:50:87:e1:9d:0a:e6:ad:97:d2:1d:c6:3a:7d:cb:
                    bc:da:03:34:d5:8e:5b:01:f5:6a:07:b7:16:b6:6e:
                    4a:7f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                31:C3:79:1B:BA:F5:53:D7:17:E0:89:7A:2D:17:6C:0A:B3:2B:9D:33
            X509v3 Basic Constraints:
                CA:TRUE, pathlen:5
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
    Signature Algorithm: sha1WithRSAEncryption
        94:64:59:ad:39:64:e7:29:eb:13:fe:5a:c3:8b:13:57:c8:04:
        24:f0:74:77:c0:60:e3:67:fb:e9:89:a6:83:bf:96:82:7c:6e:
        d4:c3:3d:ef:9e:80:6e:bb:29:b4:98:7a:b1:3b:54:eb:39:17:
        47:7e:1a:8e:0b:fc:1f:31:59:31:04:b2:ce:17:f3:2c:c7:62:
        36:55:e2:22:d8:89:55:b4:98:48:aa:64:fa:d6:1c:36:d8:44:
        78:5a:5a:23:3a:57:97:f5:7a:30:4f:ae:9f:6a:4c:4b:2b:8e:
        a0:03:e3:3e:e0:a9:d4:d2:7b:d2:b3:a8:e2:72:3c:ad:9e:ff:
        80:59:e4:9b:45:b4:f6:3b:b0:cd:39:19:98:32:e5:ea:21:61:
        90:e4:31:21:8e:34:b1:f7:2f:35:4a:85:10:da:e7:8a:37:21:
        be:59:63:e0:f2:85:88:31:53:d4:54:14:85:70:79:f4:2e:06:
        77:27:75:2f:1f:b8:8a:f9:fe:c5:ba:d8:36:e4:83:ec:e7:65:
        b7:bf:63:5a:f3:46:af:81:94:37:d4:41:8c:d6:23:d6:1e:cf:
        f5:68:1b:44:63:a2:5a:ba:a7:35:59:a1:e5:70:05:9b:0e:23:
        57:99:94:0a:6d:ba:39:63:28:86:92:f3:18:84:d8:fb:d1:cf:
        05:56:64:57
-----BEGIN CERTIFICATE-----
MIIDnzCCAoegAwIBAgIBJjANBgkqhkiG9w0BAQUFADBxMQswCQYDVQQGEwJERTEc
MBoGA1UEChMTRGV1dHNjaGUgVGVsZWtvbSBBRzEfMB0GA1UECxMWVC1UZWxlU2Vj
IFRydXN0IENlbnRlcjEjMCEGA1UEAxMaRGV1dHNjaGUgVGVsZWtvbSBSb290IENB
IDIwHhcNOTkwNzA5MTIxMTAwWhcNMTkwNzA5MjM1OTAwWjBxMQswCQYDVQQGEwJE
RTEcMBoGA1UEChMTRGV1dHNjaGUgVGVsZWtvbSBBRzEfMB0GA1UECxMWVC1UZWxl
U2VjIFRydXN0IENlbnRlcjEjMCEGA1UEAxMaRGV1dHNjaGUgVGVsZWtvbSBSb290
IENBIDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrC6M14IspFLEU
ha88EOQ5bzVdSq7d6mGNlUn0b2SjGmBmpKlAIoTZ1KXleJMOaAGtuU1cOs7TuKhC
QN/Po7qCWWqSG6wcmtoIKyUn+WkjR/Hg6yx6m/UTAtB+NHzCnjwAWav12gz1Mjwr
rFDa1sPeg5TKqAyZMg4ISFZbavva4VhYAUlfckE8FQYBjl2tqriTtM2e66foai1S
NNs671x1Udrb8zH57nGYMsRUFUQM+ZtV7a3fGAigo4aKSe5TBY8ZTNXeWHmb0moc
QqvF1afPaA+W5OFhmHZhyJF81j4A4pFQh+GdCuatl9Idxjp9y7zaAzTVjlsB9WoH
txa2bkp/AgMBAAGjQjBAMB0GA1UdDgQWBBQxw3kbuvVT1xfgiXotF2wKsyudMzAP
BgNVHRMECDAGAQH/AgEFMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQUFAAOC
AQEAlGRZrTlk5ynrE/5aw4sTV8gEJPB0d8Bg42f76Ymmg7+Wgnxu1MM9756Abrsp
tJh6sTtU6zkXR34ajgv8HzFZMQSyzhfzLMdiNlXiItiJVbSYSKpk+tYcNthEeFpa
IzpXl/V6ME+un2pMSyuOoAPjPuCp1NJ70rOo4nI8rZ7/gFnkm0W09juwzTkZmDLl
6iFhkOQxIY40sfcvNUqFENrnijchvllj4PKFiDFT1FQUhXB59C4Gdyd1Lx+4ivn+
xbrYNuSD7Odlt79jWvNGr4GUN9RBjNYj1h7P9WgbRGOiWrqnNVmh5XAFmw4jV5mU
Cm26OWMohpLzGITY+9HPBVZkVw==
-----END CERTIFICATE-----


--
        Viktor.


Re: Some Windows SMTP Server have problems with STARTTLS

Ralf Hildebrandt
* Victor Duchovni <[hidden email]>:
> On Tue, May 06, 2008 at 07:51:43PM +0200, Ralf Hildebrandt wrote:
>
> > update-certifcates on that day, when it broke
>
> Whose certificates? Yours?

Yes

> Your certificate trust chain is fairly (4) deep,

I blame the DFN-PCA :)

> was it similar before?

Yes.

> Do you still have your old cert trust chain? Your new key is 2048 bits,
> was the old one also 2048 bits?

I'd have to check that.

But my server does return all intermediate certificates, and all looks
kosher so far?


--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
Al Gore invented the Internet, Bill Gates deployed it. That's their
respective stories, anyways

Re: Some Windows SMTP Server have problems with STARTTLS

Victor Duchovni
On Tue, May 06, 2008 at 11:08:21PM +0200, Ralf Hildebrandt wrote:

> > Your certificate trust chain is fairly (4) deep,
>
> I blame the DFN-PCA :)
>
> > was it similar before?
>
> Yes.

How similar?

> > Do you still have your old cert trust chain? Your new key is 2048 bits,
> > was the old one also 2048 bits?
>
> I'd have to check that.
>
> But my server does return all intermediate certificates, and all looks
> kosher so far?

One more thing, two of the certificates in your trust chain have "path
length" constraints marked "critical". If the connecting software does
not "grok" path length constraints (or misbehaves when the root CA has
a path limit of 5 and the CA below that a limit of 2) that could explain
the problem also.

--
        Viktor.


Re: Some Windows SMTP Server have problems with STARTTLS

Ralf Hildebrandt
* Victor Duchovni <[hidden email]>:

> On Tue, May 06, 2008 at 11:08:21PM +0200, Ralf Hildebrandt wrote:
>
> > > Your certificate trust chain is fairly (4) deep,
> >
> > I blame the DFN-PCA :)
> >
> > > was it similar before?
> >
> > Yes.
>
> How similar?

Before: DFN-PCA -> Charite-CA -> host cert
Now:    Telekom-CA -> DFN-PCA -> Charite-CA -> host cert

> One more thing, two of the certificates in your trust chain have "path
> length" constraints marked "critical". If the connecting software does
> not "grok" path length constraints (or misbehaves when the root CA has
> a path limit of 5 and the CA below that a limit of 2) that could explain
> the problem also.

Path limit? That's the max depth of the trust chain?

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
Of course it doesn't work, but look how fast it is!
                                            -- fefe

Re: Some Windows SMTP Server have problems with STARTTLS

Victor Duchovni
On Wed, May 07, 2008 at 11:46:32AM +0200, Ralf Hildebrandt wrote:

> > How similar?
>
> Before: DFN-PCA -> Charite-CA -> host cert
> Now:    Telekom-CA -> DFN-PCA -> Charite-CA -> host cert

Do you have the old cert chain? Are you willing to post the 3 .pem files
in question? Were these 1024 or 2048 bit certs?

> > One more thing, two of the certificates in your trust chain have "path
> > length" constraints marked "critical". If the connecting software does
> > not "grok" path length constraints (or misbehaves when the root CA has
> > a path limit of 5 and the CA below that a limit of 2) that could explain
> > the problem also.
>
> Path limit? That's the max depth of the trust chain?

There are static administrative depth limits in verifiers (Postfix uses
9), but this is different.

In this case the Telecom-CA specifies an X.509 path length limit of
5 which invalidates any trust chain with more than 5 intermediate CAs
between the root and the final certificate. The extension specifying
this property is marked "critical", so clients that don't support it
must abort the handshake.

Additionally, the DFN-PCA specifies a path length limit of 2, which means
at most two intermediate CAs between it and the final cert. Poorly written
TLS implementations could get confused by two different path lengths.

Finally, the problem could be somewhere else... If the only thing that
changed recently is your cert, it certainly makes sense to focus on that
for now, but do get that "tcpdump" capture...

--
        Viktor.


Re: Some Windows SMTP Server have problems with STARTTLS

Ralf Hildebrandt
* Victor Duchovni <[hidden email]>:

> > Before: DFN-PCA -> Charite-CA -> host cert
> > Now:    Telekom-CA -> DFN-PCA -> Charite-CA -> host cert
>
> Do you have the old cert chain? Are you willing to post the 3 .pem files
> in question? Were these 1024 or 2048 bit certs?

Working on that.

Last night I weeded out our /etc/ssl/certs structure and removed
duplicate certificates and old certificates and all that.

After that, TLS would work again, even for those who previously
couldn't use it!

Side note: Another admin contacted me, he was also using mdaemon on
Windows.

Re: Some Windows SMTP Server have problems with STARTTLS

Victor Duchovni
On Thu, May 08, 2008 at 11:43:59AM +0200, Ralf Hildebrandt wrote:

> Last night I weeded out our /etc/ssl/certs structure and removed
> duplicate certificates and old certificates and all that.
>
> After that, TLS would work again, even for those who previously
> couldn't use it!

You broke your trust chain, now you are presenting just your server
certificate with none of the intermediate CA certs. Now add your
CA certs, from the bottom up, one at a time, starting with the
Charite CA. Append the CA cert(s) to your server cert file.

Test for a while after adding each cert and see which cert (camel straw :-)
breaks the MDAEMON systems.

smtp-finger: initializing the client-side TLS engine
smtp-finger: Connected to 193.175.70.131[193.175.70.131]:25
smtp-finger: < 220 mail-ausfall.charite.de ESMTP
smtp-finger: > EHLO hqmtabh2.ms.com
smtp-finger: < 250-mail-ausfall.charite.de
smtp-finger: < 250-PIPELINING
smtp-finger: < 250-SIZE 20971520
smtp-finger: < 250-ETRN
smtp-finger: < 250-STARTTLS
smtp-finger: < 250-ENHANCEDSTATUSCODES
smtp-finger: < 250-8BITMIME
smtp-finger: < 250 DSN
smtp-finger: > STARTTLS
smtp-finger: < 220 2.0.0 Ready to start TLS
smtp-finger: setting up TLS connection to 193.175.70.131[193.175.70.131]:25
smtp-finger: 193.175.70.131[193.175.70.131]:25: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL"
smtp-finger: 193.175.70.131[193.175.70.131]:25: certificate verification depth=0 verify=0 subject=/C=DE/O=Charite - Universitaetsmedizin Berlin/OU=Geschaeftsbereich Informationsmanagement/CN=mail-ausfall.charite.de
smtp-finger: certificate verification failed for 193.175.70.131[193.175.70.131]:25: untrusted issuer /C=DE/O=Charite - Universitaetsmedizin Berlin/OU=IT-Zentrum/CN=Charite CA - G02/emailAddress=[hidden email]
smtp-finger: 193.175.70.131[193.175.70.131]:25: certificate verification depth=0 verify=0 subject=/C=DE/O=Charite - Universitaetsmedizin Berlin/OU=Geschaeftsbereich Informationsmanagement/CN=mail-ausfall.charite.de
smtp-finger: 193.175.70.131[193.175.70.131]:25: certificate verification depth=0 verify=0 subject=/C=DE/O=Charite - Universitaetsmedizin Berlin/OU=Geschaeftsbereich Informationsmanagement/CN=mail-ausfall.charite.de
smtp-finger: 193.175.70.131[193.175.70.131]:25 sha1 fingerprint B1:E3:23:52:FC:3C:96:55:5E:59:74:F1:73:3B:8E:53:F9:0F:B3:87
smtp-finger: Untrusted TLS connection established to 193.175.70.131[193.175.70.131]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
---
Certificate chain
 0 s:/C=DE/O=Charite - Universitaetsmedizin Berlin/OU=Geschaeftsbereich Informationsmanagement/CN=mail-ausfall.charite.de
   i:/C=DE/O=Charite - Universitaetsmedizin Berlin/OU=IT-Zentrum/CN=Charite CA - G02/emailAddress=[hidden email]
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
smtp-finger: > QUIT
smtp-finger: < 221 2.0.0 Bye

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[hidden email]?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

Re: Some Windows SMTP Server have problems with STARTTLS

Ralf Hildebrandt
* Victor Duchovni <[hidden email]>:

> You broke your trust chain, now you are presenting just your server
> certificate with none of the intermediate CA certs. Now add your
> CA certs, from the bottom up, one at a time, starting with the
> Charite CA. Append the CA cert(s) to your server cert file.

I provided the intermediate CA certs in the wrong format, but
update-ca-certificates concatenated them into one
/etc/ssl/certs/ca-certificates file anyway.

I fixed that now by converting the files into the expected format :(

--
_________________________________________________

  Charite - Universitätsmedizin Berlin
_________________________________________________

  Ralf Hildebrandt
   i.A. Geschäftsbereich Informationsmanagement
   Campus Benjamin Franklin
   Hindenburgdamm 30 | Berlin
   Tel. +49 30 450 570155 | Fax +49 30 450 570962
   [hidden email]
   http://www.charite.de

Re: Some Windows SMTP Server have problems with STARTTLS

Victor Duchovni
On Thu, May 08, 2008 at 08:22:49PM +0200, Ralf Hildebrandt wrote:

> * Victor Duchovni <[hidden email]>:
>
> > You broke your trust chain, now you are presenting just your server
> > certificate with none of the intermediate CA certs. Now add your
> > CA certs, from the bottom up, one at a time, starting with the
> > Charite CA. Append the CA cert(s) to your server cert file.
>
> I provided the intermediate CA certs in the wrong format, but
> update-ca-certificates concatenated them into one
> /etc/ssl/certs/ca-certificates file anyway.
>
> I fixed that now by converting the files into the expected format :(

Now you are back to the full cert chain, and in all probability MDaemon
will once again be unable to connect to you...

Certificate chain

 0 s:/C=DE/O=Charite - Universitaetsmedizin Berlin/OU=Geschaeftsbereich Informationsmanagement/CN=mail-ausfall.charite.de
   i:/C=DE/O=Charite - Universitaetsmedizin Berlin/OU=IT-Zentrum/CN=Charite CA - G02/emailAddress=[hidden email]
    SHA1 Fingerprint=B1:E3:23:52:FC:3C:96:55:5E:59:74:F1:73:3B:8E:53:F9:0F:B3:87

 1 s:/C=DE/O=Charite - Universitaetsmedizin Berlin/OU=IT-Zentrum/CN=Charite CA - G02/emailAddress=[hidden email]
   i:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
    SHA1 Fingerprint=E3:21:09:A4:B8:65:CF:85:09:A7:08:D4:02:F3:A8:65:38:B1:E1:8F

 2 s:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
   i:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
    SHA1 Fingerprint=F0:28:8F:DA:C6:3A:F7:9A:31:9A:E9:72:F3:95:09:0E:A3:EF:E9:45

 3 s:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
   i:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
    SHA1 Fingerprint=85:A4:08:C0:9C:19:3E:5D:51:58:7D:CD:D6:13:30:FD:8C:DE:37:BF

--
        Viktor.

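Victor's point is that the server cert file must hold the leaf first and then each issuing CA in turn, bottom up. As an added example (not code from the thread or from Postfix), the check below applies that rule to the textual chain listing above, the `N s:` / `i:` lines that smtp-finger and `openssl s_client -showcerts` print; it compares names only and does not verify signatures. The hidden emailAddress components are omitted from the constructed input.

```python
import re

# Constructed input, copied from the full-chain listing in this thread
# (emailAddress components left out).
FULL_CHAIN = """\
 0 s:/C=DE/O=Charite - Universitaetsmedizin Berlin/OU=Geschaeftsbereich Informationsmanagement/CN=mail-ausfall.charite.de
   i:/C=DE/O=Charite - Universitaetsmedizin Berlin/OU=IT-Zentrum/CN=Charite CA - G02
 1 s:/C=DE/O=Charite - Universitaetsmedizin Berlin/OU=IT-Zentrum/CN=Charite CA - G02
   i:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
 2 s:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
   i:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
 3 s:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
   i:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
"""
# The broken state seen earlier in the thread: only the leaf was sent.
LEAF_ONLY = "\n".join(FULL_CHAIN.splitlines()[:2]) + "\n"


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    certs = []
    for line in text.splitlines():
        if m := re.match(r"\s*\d+ s:(.*)", line):
            certs.append([m.group(1).strip(), None])
        elif (m := re.match(r"\s*i:(.*)", line)) and certs:
            certs[-1][1] = m.group(1).strip()
    return [tuple(c) for c in certs]


def includes_root(text):
    """True if the last cert sent is self-signed (the root itself is optional)."""
    certs = parse_chain(text)
    return bool(certs) and certs[-1][0] == certs[-1][1]


def check_chain(text):
    """List ordering problems: each cert's issuer must be the next subject,
    and a self-signed cert may only appear at the end."""
    certs = parse_chain(text)
    problems = []
    for depth, (subj, iss) in enumerate(certs):
        if subj == iss:
            if depth != len(certs) - 1:
                problems.append(f"depth {depth}: self-signed cert is not last")
        elif depth + 1 >= len(certs):
            problems.append(f"depth {depth}: issuer not sent: {iss}")
        elif certs[depth + 1][0] != iss:
            problems.append(f"depth {depth}: next cert is {certs[depth + 1][0]}, "
                            f"expected issuer {iss}")
    return problems
```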

Re: Some Windows SMTP Server have problems with STARTTLS

Ralf Hildebrandt
* Victor Duchovni <[hidden email]>:

> Now you are back to the full cert chain, and in all probability MDaemon
> will once again be unable to connect to you...

Yes. But now I know how to disable the certs one-by-one!

Re: Some Windows SMTP Server have problems with STARTTLS

Victor Duchovni
On Thu, May 08, 2008 at 08:36:54PM +0200, Ralf Hildebrandt wrote:

> * Victor Duchovni <[hidden email]>:
>
> > Now you are back to the full cert chain, and in all probability MDaemon
> > will once again be unable to connect to you...
>
> Yes. But now I know how to disable the certs one-by-one!

A somewhat academic exercise, unless leaving out just the root cert
(and sending only the intermediate CAs) solves the problem.

My guess is that any "pathlen: value, critical" extension is fatal
to MDaemon. So if you include any CA above Charite the problem will
return. If you don't, no one can verify your cert.

Does MDaemon drop down to plain text after a handshake failure? Or
does it just queue?

--
        Viktor.


Re: Some Windows SMTP Server have problems with STARTTLS

Ralf Hildebrandt
* Victor Duchovni <[hidden email]>:

> Does MDaemon drop down to plain text after a handshake failure?

Of course not.

> Or does it just queue?

It just queues, and gives up.

Re: Some Windows SMTP Server have problems with STARTTLS

Victor Duchovni
On Thu, May 08, 2008 at 09:03:30PM +0200, Ralf Hildebrandt wrote:

> * Victor Duchovni <[hidden email]>:
>
> > Does MDaemon drop down to plain text after a handshake failure?
>
> Of course not.
>
> > Or does it just queue?
>
> It just queues, and gives up.

In that case you need smtpd_discard_ehlo_keyword_address_maps
to hide STARTTLS from all these systems.

OR

Go with a self-signed cert on your public MX hosts, and anyone who wants
to do secure TLS with you can configure an explicit gateway that uses
real certs (say port 26 on the same hosts).

OR

Spend a nickel, and buy certs from a CA that does not use inessential
critical extensions. :-)

--
        Viktor.

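As an added example (not from the thread or from Postfix itself), the smtpd log lines quoted at the start of the thread can be scanned for clients that keep failing right after STARTTLS and never complete a handshake, and the result rendered as a cidr: table for the smtpd_discard_ehlo_keyword_address_maps workaround Victor describes. The log sample is constructed after the quoted lines; the 192.0.2.10 client and the threshold of two failures are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample, modelled on the smtpd lines quoted in this thread:
# one client fails the handshake twice, another negotiates TLS normally.
SAMPLE_LOG = """\
Apr 24 09:34:38 mail postfix/smtpd[18639]: connect from mailix.aer.de[212.202.242.130]
Apr 24 09:34:38 mail postfix/smtpd[18639]: SSL_accept error from mailix.aer.de[212.202.242.130]: -1
Apr 24 09:34:38 mail postfix/smtpd[18639]: lost connection after STARTTLS from mailix.aer.de[212.202.242.130]
Apr 24 09:34:38 mail postfix/smtpd[18639]: disconnect from mailix.aer.de[212.202.242.130]
Apr 24 09:40:01 mail postfix/smtpd[18702]: connect from mailix.aer.de[212.202.242.130]
Apr 24 09:40:01 mail postfix/smtpd[18702]: SSL_accept error from mailix.aer.de[212.202.242.130]: -1
Apr 24 09:40:01 mail postfix/smtpd[18702]: lost connection after STARTTLS from mailix.aer.de[212.202.242.130]
Apr 24 09:41:12 mail postfix/smtpd[18710]: connect from mx.example.net[192.0.2.10]
Apr 24 09:41:12 mail postfix/smtpd[18710]: Anonymous TLS connection established from mx.example.net[192.0.2.10]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr 24 09:41:13 mail postfix/smtpd[18710]: disconnect from mx.example.net[192.0.2.10]
"""

# One "SSL_accept error" per failed handshake; the "lost connection after
# STARTTLS" line that follows belongs to the same attempt and is not counted.
FAIL_RE = re.compile(r"smtpd\[\d+\]: SSL_accept error from \S+\[([^\]]+)\]")
OK_RE = re.compile(r"smtpd\[\d+\]: \w+ TLS connection established from \S+\[([^\]]+)\]")


def starttls_failures(log_text, min_failures=2):
    """Map client IP -> failed handshakes, keeping only clients that never
    completed a handshake and failed at least min_failures times."""
    failed, succeeded = Counter(), set()
    for line in log_text.splitlines():
        if m := FAIL_RE.search(line):
            failed[m.group(1)] += 1
        elif m := OK_RE.search(line):
            succeeded.add(m.group(1))
    return {ip: n for ip, n in failed.items()
            if n >= min_failures and ip not in succeeded}


def cidr_map_entries(failures):
    """Render lines for a cidr: table referenced from main.cf as
    smtpd_discard_ehlo_keyword_address_maps = cidr:/etc/postfix/esmtp_access,
    so Postfix stops announcing STARTTLS to these clients and they fall back
    to plain SMTP instead of queueing and giving up."""
    lines = []
    for ip in sorted(failures, key=ipaddress.ip_address):
        net = ipaddress.ip_network(ip)  # single host: /32 for IPv4, /128 for IPv6
        lines.append(f"{net}\tsilent-discard, starttls")
    return lines
```

Run `postmap` is not needed for cidr: tables; reload Postfix after editing the file.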

Re: Some Windows SMTP Server have problems with STARTTLS

Ralf Hildebrandt
> In that case you need smtpd_discard_ehlo_keyword_address_maps
> to hide STARTTLS from all these systems.

Yes, did that.
 
> OR
>
> Go with a self-signed cert on your public MX hosts, and anyone who wants
> to do secure TLS with you can configure an explicit gateway that uses
> real certs (say port 26 on the same hosts).

:)

> OR
>
> Spend a nickel, and buy certs from a CA that does not use inessential
> critical extensions. :-)

No way, we *STILL* have our honor! :)