postfix-tls error


postfix-tls error

hyndavirapuru
Hi,

I have enabled TLS on 2 Postfix servers (MTA1, MTA2). When I try to send
mail from a simple Java client to the server it works fine; TLS negotiation
happens properly. But when MTA1 tries to send mail to the other MTA, the mail is
deferred with the following log:


Aug  2 11:21:34 AHQ postfix/smtp[6372]: BEC5D67928BD: to=<[hidden email]>, orig_to=<[hidden email]>, relay=201.123.1.4[201.123.1.4]:25, delay=0.06, delays=0.04/0.01/0.01/0, dsn=4.7.5, status=deferred (Server certificate not verified)


"postconf -n" output is as follows:


bounce_queue_lifetime = 40s
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_size_limit = 5000
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maximal_queue_lifetime = 8h
mydestination = $myhostname.$mydomain,$myhostname, $myhostname, localhost.localdomain
mydomain = tcs.mil.in
myhostname = 1CorpHQserver.tcs.mil.in
mynetworks = 127.0.0.0/8, 201.123.80.0/24, 201.123.2.0/24, 201.123.1.0/24
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
queue_run_delay = 30s
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_enforce_tls = yes
smtp_tls_CAfile = /etc/new_pki/tls/certs/ca-bundle.crt
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtpd_starttls_timeout = 300s
smtpd_tls_CApath = /etc/postfix_certs_24_7_17/ca_cert
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix_certs_24_7_17/[hidden email]
smtpd_tls_key_file = /etc/postfix_certs_24_7_17/[hidden email]
smtpd_tls_loglevel = 2
smtpd_tls_security_level = encrypt
transport_maps = hash:/etc/postfix/transportmap
unknown_local_recipient_reject_code = 550
virtual_alias_maps = ldap:/etc/postfix/virtual_alias_map_ldapusers, ldap:/etc/postfix/ldapdistlist.cf
virtual_gid_maps = static:6000
virtual_mailbox_base = /var/mail/vmail
virtual_mailbox_domains = 1CorpHQ.tcs.mil.in
virtual_mailbox_maps = ldap:/etc/postfix/virtual_mailbox_ldapusers
virtual_minimum_uid = 1000
virtual_uid_maps = static:6000
=============================================

The tls_policy file is as follows:

[201.123.1.4]:25 secure  match=1CorpHQ


"1CorpHQ" is exactly the same as the CN field of the certificate.

================================================

How do I solve the above error? I have been stuck at this point for a long time.
Any help will be greatly appreciated.

--
Thanks & Regards
Hyndavi rapuru
Member( Research Staff)
Central Research Laboratory
Bharat Electronics Ltd
Jalahalli
Bangalore- 560 013

Int Ph No: 134
Off Ph No: 080-28381125
Off Fax No: 28381168

Every 3000 sheets of paper costs us a tree. Save trees. Conserve
trees. Don't print this email or any files unless you really need to!

Confidentiality Notice

The information contained in this electronic message and any
attachments to this message are intended for the exclusive use of
the addressee(s) and may contain confidential or privileged
information. If you are not the intended recipient, please notify
the sender at Bharat Electronics or [hidden email] immediately and
destroy all copies of this message and any attachments.



Re: postfix-tls error

Viktor Dukhovni
On Wed, Aug 02, 2017 at 12:10:31PM +0530, [hidden email] wrote:

> " Aug  2 11:21:34 AHQ postfix/smtp[6372]: BEC5D67928BD:
> to=<[hidden email]>, orig_to=<[hidden email]>,
> relay=201.123.1.4[201.123.1.4]:25, delay=0.06, delays=0.04/0.01/0.01/0,
> dsn=4.7.5, status=deferred (Server certificate not verified) "

That's nice, but where's the SMTP client's TLS logging?

> queue_run_delay = 30s

Unrelated, but surely too short.

> smtp_enforce_tls = yes

Obsolete, instead set "smtp_tls_security_level = encrypt".

> smtp_tls_CAfile = /etc/new_pki/tls/certs/ca-bundle.crt

This has to be sufficient to verify the remote server's certificate.

> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
> smtpd_tls_loglevel = 2

Change that to 1, and also set:

    smtp_tls_security_level = 1

> tls_policy file is as follows
>
> [201.123.1.4]:25 secure  match=1CorpHQ
>
> "1CorpHQ" is exactly same as the CN field of the certificate

Are there any DNS subject alternative names in the certificate?
Is it issued by a trusted CA? ...

> How to solve the above error...I'm stuck at this point for a long time...
> Any help will be appreciated greatly...

Post TLS logging, after setting the loglevel = 1.

--
        Viktor.

Re: postfix-tls error

hyndavirapuru
In reply to this post by hyndavirapuru
> On Wed, Aug 02, 2017 at 12:10:31PM +0530, [hidden email] wrote:
>> " Aug  2 11:21:34 AHQ postfix/smtp[6372]: BEC5D67928BD:
>> to=<[hidden email]>, orig_to=<[hidden email]>,
>> relay=201.123.1.4[201.123.1.4]:25, delay=0.06, delays=0.04/0.01/0.01/0,
>> dsn=4.7.5, status=deferred (Server certificate not verified) "

> That's nice, but where's the SMTP client's TLS logging?
>> queue_run_delay = 30s
> Unrelated, but surely too short.
>> smtp_enforce_tls = yes
> Obsolete, instead set "smtp_tls_security_level = encrypt".
>> smtp_tls_CAfile = /etc/new_pki/tls/certs/ca-bundle.crt
> This has to be sufficient to verify the remote server's certificate.
>> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
>> smtpd_tls_loglevel = 2
> Change that to 1, and also set:
>     smtp_tls_security_level = 1
>> tls_policy file is as follows
>> [201.123.1.4]:25 secure  match=1CorpHQ
>> "1CorpHQ" is exactly same as the CN field of the certificate
> Are there any DNS subject alternative names in the certificate?
> Is it issued by a trusted CA? ...
>> How to solve the above error...I'm stuck at this point for a long time...
>> Any help will be appreciated greatly...
> Post TLS logging,  after setting the loglevel = 1.
> --
> Viktor.


>> smtp_tls_CAfile = /etc/new_pki/tls/certs/ca-bundle.crt
> This has to be sufficient to verify the remote server's certificate.


Both server certificates are generated from the same CA, and the same
CA certificate has been added to ca-bundle.crt.

The CA certificate is a self-signed certificate.

I have changed smtpd_tls_loglevel to 1. Even after that, the logs in the
maillog file are the same.

Re: postfix-tls error

hyndavirapuru
In reply to this post by hyndavirapuru
> On Wed, Aug 02, 2017 at 12:10:31PM +0530, [hidden email] wrote:
>> " Aug  2 11:21:34 AHQ postfix/smtp[6372]: BEC5D67928BD:
>> to=<[hidden email]>, orig_to=<[hidden email]>,
>> relay=201.123.1.4[201.123.1.4]:25, delay=0.06, delays=0.04/0.01/0.01/0,
>> dsn=4.7.5, status=deferred (Server certificate not verified) "

> That's nice, but where's the SMTP client's TLS logging?
>> queue_run_delay = 30s
> Unrelated, but surely too short.
>> smtp_enforce_tls = yes
> Obsolete, instead set "smtp_tls_security_level = encrypt".
>> smtp_tls_CAfile = /etc/new_pki/tls/certs/ca-bundle.crt
> This has to be sufficient to verify the remote server's certificate.
>> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
>> smtpd_tls_loglevel = 2
> Change that to 1, and also set:
>     smtp_tls_security_level = 1
>> tls_policy file is as follows
>> [201.123.1.4]:25 secure  match=1CorpHQ
>> "1CorpHQ" is exactly same as the CN field of the certificate
> Are there any DNS subject alternative names in the certificate?
> Is it issued by a trusted CA? ...
>> How to solve the above error...I'm stuck at this point for a long time...
>> Any help will be appreciated greatly...
> Post TLS logging,  after setting the loglevel = 1.
> --
> Viktor.


The mail flow is as follows:

1. Sending mail from the Cdr.AHQ user to the Cdr.1CorpHQ user.

2. The mail reaches the AHQ mail server successfully (completing TLS
negotiation successfully).

3. The AHQ mail server identifies that the mail has to go to the 1CorpHQ mail server.

4. TLS negotiation starts.

5. But the AHQ mail server is not able to verify the 1CorpHQ mail server certificate.


I have posted the 1CorpHQ mail server postconf. For the AHQ server the
configuration is the same except for the hostname and virtual_mailbox_domains name.


Re: postfix-tls error

Noel Jones-2
In reply to this post by Viktor Dukhovni
On 8/2/2017 2:19 AM, Viktor Dukhovni wrote:

> On Wed, Aug 02, 2017 at 12:10:31PM +0530, [hidden email] wrote:
>
>> " Aug  2 11:21:34 AHQ postfix/smtp[6372]: BEC5D67928BD:
>> to=<[hidden email]>, orig_to=<[hidden email]>,
>> relay=201.123.1.4[201.123.1.4]:25, delay=0.06, delays=0.04/0.01/0.01/0,
>> dsn=4.7.5, status=deferred (Server certificate not verified) "
>
> That's nice, but where's the SMTP client's TLS logging?
>
>> queue_run_delay = 30s
>
> Unrelated, but surely too short.
>
>> smtp_enforce_tls = yes
>
> Obsolete, instead set "smtp_tls_security_level = encrypt".
>
>> smtp_tls_CAfile = /etc/new_pki/tls/certs/ca-bundle.crt
>
> This has to be sufficient to verify the remote server's certificate.
>
>> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
>> smtpd_tls_loglevel = 2
>
> Change that to 1, and also set:
>
>     smtp_tls_security_level = 1



Oops, that should be

   smtp_tls_loglevel = 1



>
>> tls_policy file is as follows
>>
>> [201.123.1.4]:25 secure  match=1CorpHQ
>>
>> "1CorpHQ" is exactly same as the CN field of the certificate
>
> Are there any DNS subject alternative names in the certificate?
> Is it issued by a trusted CA? ...
>
>> How to solve the above error...I'm stuck at this point for a long time...
>> Any help will be appreciated greatly...
>
> Post TLS logging,  after setting the loglevel = 1.
>


Re: postfix-tls error

Viktor Dukhovni
On Wed, Aug 02, 2017 at 10:00:58AM -0500, Noel Jones wrote:

> >> smtpd_tls_loglevel = 2
> >
> > Change that to 1, and also set:
> >
> >     smtp_tls_security_level = 1
>
>
> Oops, that should be
>
>    smtp_tls_loglevel = 1

Indeed a typo, thanks for the correction, ... and then the OP must
*POST* the resulting logging.

He's not posted the configuration of the sending system or
its logs.  This is a waste of everyone's time.

--
        Viktor.

Re: postfix-tls error

hyndavirapuru

> On Wed, Aug 02, 2017 at 10:00:58AM -0500, Noel Jones wrote:
>
>> >> smtpd_tls_loglevel = 2
>> >
>> > Change that to 1, and also set:
>> >
>> >     smtp_tls_security_level = 1
>>
>>
>> Oops, that should be
>>
>>    smtp_tls_loglevel = 1
>
> Indeed a typo, thanks for the corection, ... and then the OP must
> *POST* the resulting logging.
>
> He's not posted the configuration of the sending system or
> its logs.  This is a waste of everyone's time.
>
> --
> Viktor.
>


Hi Viktor,


By mistake, I posted the receiving server configuration.

Below is the configuration of the sending system:


bounce_queue_lifetime = 40s
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maximal_queue_lifetime = 8h
mydestination = $myhostname.$mydomain,$myhostname, $myhostname, localhost.localdomain
mydomain = tcs.mil.in
myhostname = AHQserver.tcs.mil.in
mynetworks = 127.0.0.0/8, 201.123.80.0/24, 201.123.1.0/24, 201.123.2.0/24
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
queue_run_delay = 30s
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_enforce_tls = yes
smtp_tls_CAfile = /etc/new_pki/tls/certs/ca-bundle.crt
smtp_tls_loglevel = 1
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_use_tls = yes
smtpd_starttls_timeout = 300s
smtpd_tls_CApath = /root/hyndavi/certs
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /root/hyndavi/certs/[hidden email]
smtpd_tls_key_file = /root/hyndavi/certs/[hidden email]
smtpd_tls_security_level = encrypt
transport_maps = hash:/etc/postfix/transportmap
unknown_local_recipient_reject_code = 550
virtual_alias_maps = ldap:/etc/postfix/virtual_alias_map_ldapusers, ldap:/etc/postfix/ldapdistlist.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/mail/vmail
virtual_mailbox_domains = AHQ.tcs.mil.in
virtual_mailbox_maps = ldap:/etc/postfix/virtual_mailbox_ldapusers
virtual_minimum_uid = 1000
virtual_uid_maps = static:5000


As I have already said, ca-bundle.crt contains the CA certificate. Both the
sending and receiving server certificates have been generated with the
same CA certificate. The CA is a self-signed certificate.

After making the configuration changes that were suggested, I sent mail
from the AHQ server to the 1CorpHQ server. Below is the log:

Aug  3 12:11:54 AHQ postfix/smtp[8325]: 4B68168543FC: to=<[hidden email]>, orig_to=<[hidden email]>, relay=201.123.1.4[201.123.1.4]:25, delay=34, delays=34/0/0/0, dsn=4.7.5, status=deferred (Server certificate not verified)

Can you help me to solve this problem?



Re: postfix-tls error

Viktor Dukhovni
On Thu, Aug 03, 2017 at 12:19:55PM +0530, [hidden email] wrote:

> > He's not posted the configuration of the sending system or
> > its logs.  This is a waste of everyone's time.

The relevant logging is the TLS-related logging from the sending
postfix/smtp client process that happens *before* the message is
finally deferred and is enabled via smtp_tls_loglevel=1.

> smtp_enforce_tls = yes

Instead, "smtp_tls_security_level = encrypt".

> smtp_tls_loglevel = 1
> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

Post the relevant tls policy table entry.

> smtp_use_tls = yes

This is unnecessary.

> transport_maps = hash:/etc/postfix/transportmap
>
> Aug  3 12:11:54 AHQ postfix/smtp[8325]: 4B68168543FC:
> to=<[hidden email]>, orig_to=<[hidden email]>,
> relay=201.123.1.4[201.123.1.4]:25, delay=34, delays=34/0/0/0, dsn=4.7.5,
> status=deferred (Server certificate not verified)

The server certificate failed to verify.  Perhaps expired, perhaps
not issued by the CA you've configured, or a missing intermediate
certificate, or the certificate is not suitable for TLS (maybe it
has some other extended key usage), or ...

> Can you help me to solve this problem

Not without the requested logging, and copy of the server and CA
certificates.

--
        Viktor.

Re: postfix-tls error

hyndavirapuru

> On Thu, Aug 03, 2017 at 12:19:55PM +0530, [hidden email] wrote:
>
>> > He's not posted the configuration of the sending system or
>> > its logs.  This is a waste of everyone's time.
>
> The relevant logging is the TLS-related logging from the sending
> postfix/smtp client process that happens *before* the message is
> finally deferred and is enabled via smtp_tls_loglevel=1.
>
>> smtp_enforce_tls = yes
>
> Instead, "smtp_tls_security_level = encrypt".
>
>> smtp_tls_loglevel = 1
>> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
>
> Post the relevant tls policy table entry.
>
>> smtp_use_tls = yes
>
> This is unnecessary.
>
>> transport_maps = hash:/etc/postfix/transportmap
>>
>> Aug  3 12:11:54 AHQ postfix/smtp[8325]: 4B68168543FC:
>> to=<[hidden email]>, orig_to=<[hidden email]>,
>> relay=201.123.1.4[201.123.1.4]:25, delay=34, delays=34/0/0/0, dsn=4.7.5,
>> status=deferred (Server certificate not verified)
>
> The server certificate failed to verify.  Perhaps expired, perhaps
> not issued by the CA you've configured, or a missing intermediate
> certificate, or the certificate is not suitable for TLS (maybe it
> has some other extended key usage), or ...
>
>> Can you help me to solve this problem
>
> Not without the requested logging, and copy of the server and CA
> certificates.
>
> --
> Viktor.
>


Hi Viktor,


The TLS logging is as below:


Aug  4 11:52:29 AHQ postfix/smtp[11652]: initializing the client-side TLS engine
Aug  4 11:52:29 AHQ postfix/smtp[11652]: 201.123.1.4[201.123.1.4]:25: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL"
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:before/connect initialization
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv2/v3 write client hello A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 read server hello A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: 201.123.1.4[201.123.1.4]:25: certificate verification depth=1 verify=1 subject=/C=IN/ST=KARNATAKA/L=BANGALORE/O=BEL/OU=CRL/CN=CA/emailAddress=[hidden email]
Aug  4 11:52:29 AHQ postfix/smtp[11652]: 201.123.1.4[201.123.1.4]:25: certificate verification depth=0 verify=1 subject=/C=IN/ST=KARNATAKA/L=BANGALORE/O=BEL/OU=CRL/CN=1CorpHQ/emailaddress=[hidden email]
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 read server certificate A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 read server key exchange A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 read server done A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 write client key exchange A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 write change cipher spec A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 write finished A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 flush data
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 read server session ticket A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 read finished A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: 201.123.1.4[201.123.1.4]:25 CommonName 1CorpHQ/emailaddress=[hidden email]
Aug  4 11:52:29 AHQ postfix/smtp[11652]: 201.123.1.4[201.123.1.4]:25: subject_CN=1CorpHQ/emailaddress=[hidden email], issuer_CN=CA/emailAddress=[hidden email], fingerprint=99:EE:C4:42:4B:89:4F:1D:4C:93:18:48:7B:EA:90:9D, pkey_fingerprint=5D:0D:58:AF:8B:A8:2C:D5:5F:9F:D2:DB:29:89:57:BD
Aug  4 11:52:29 AHQ postfix/smtp[11652]: Trusted TLS connection established to 201.123.1.4[201.123.1.4]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug  4 11:52:29 AHQ postfix/smtp[11652]: 249ED60E5225: to=<[hidden email]>, orig_to=<[hidden email]>, relay=201.123.1.4[201.123.1.4]:25, delay=0.05, delays=0.04/0.01/0.01/0, dsn=4.7.5, status=deferred (Server certificate not verified)


The tls_policy entry is given below:

[201.123.1.4]:25 secure  match=1CorpHQ


I have checked the server certificate against the CA cert using the openssl
command; it is fine:

[root@AHQ certs]# openssl verify -verbose -CAfile cacert.pem [hidden email]
[hidden email]: OK

and the same CA certificate exists in ca-bundle.crt.


I'm attaching the 1CorpHQ server certificate details with the mail.


Re: postfix-tls error

Viktor Dukhovni
On Fri, Aug 04, 2017 at 12:31:53PM +0530, [hidden email] wrote:

> >> Can you help me to solve this problem
> >
> > Not without the requested logging, and copy of the server and CA
> > certificates.

> TLS logging is as below,

> Aug  4 11:52:29 AHQ postfix/smtp[11652]: 201.123.1.4[201.123.1.4]:25:
> certificate verification depth=1 verify=1

Your nexthop domain is "201.123.1.4"; what is the verbatim entry in
the transport table that makes it so?

> Aug  4 11:52:29 AHQ postfix/smtp[11652]: 201.123.1.4[201.123.1.4]:25:
> subject_CN=1CorpHQ/emailaddress=[hidden email],

The subject CN is:

    subject_CN=1CorpHQ/emailaddress=[hidden email]

not "1CorpHQ"!  That "/emailaddress" is, despite appearances to
the contrary, part of the subject CN and not a separate RDN component.

> issuer_CN=CA/emailAddress=[hidden email],

Ditto here, though that is not a problem.

> Aug  4 11:52:29 AHQ postfix/smtp[11652]: Trusted TLS connection
> established to 201.123.1.4[201.123.1.4]:25: TLSv1.2 with cipher
> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

The certificate chain is valid, but the name does not match.

> tls_policy entry is given below
>
> [201.123.1.4]:25 secure  match=1CorpHQ

Do make sure that the transport table entry is:

    1CorpHQ.tcs.mil.in smtp:[201.123.1.4]:25

and not some variant.  On the other hand, I would have gone with
just:

    transport:
        1CorpHQ.tcs.mil.in smtp:[201.123.1.4]

    tls_policy:
        [201.123.1.4] secure  match=1CorpHQ

i.e. leave off the implicit ":25" in both.  Of course your real
problem is the "/emailaddress=..." in the subject CN.

You posted only the text form of the certificate; the evidence would
have been more conclusive with the actual PEM certificate included.

--
        Viktor.
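A small model of the name check Viktor describes, added here as an illustration and not Postfix's own code: it parses the subject both in the legacy slash-separated form the log printed and in RFC 2253 form, then applies a simplified version of the documented "secure" matching rules (DNS subjectAltNames take precedence over the CN, comparison is case-insensitive, a match name starting with "." accepts proper subdomains). The subject values and the e-mail address are constructed stand-ins for the redacted ones.

```python
"""Why "[201.123.1.4] secure match=1CorpHQ" rejects a certificate whose CN is
really "1CorpHQ/emailaddress=...". Constructed illustration; not Postfix code."""

# Subject as the thread's TLS log prints it (legacy OpenSSL one-line form): "/"
# is the RDN separator, so a "/" inside the CN value is ambiguous. The e-mail
# address is a constructed stand-in for the redacted one.
LEGACY_SUBJECT = ("/C=IN/ST=KARNATAKA/L=BANGALORE/O=BEL/OU=CRL"
                  "/CN=1CorpHQ/emailaddress=user@example.invalid")

# Same subject as "openssl x509 -noout -subject -nameopt RFC2253" prints it: RDNs
# are comma separated, a literal "," is backslash-escaped, "/" is not special.
RFC2253_SUBJECT = ("CN=1CorpHQ/emailaddress=user@example.invalid,"
                   "OU=CRL,O=BEL,L=BANGALORE,ST=KARNATAKA,C=IN")


def parse_legacy(subject):
    """Naive split on "/": the reading that made the CN look like plain "1CorpHQ"."""
    rdns = []
    for part in subject.strip("/").split("/"):
        key, sep, val = part.partition("=")
        if sep:
            rdns.append((key, val))
    return rdns


def parse_rfc2253(subject):
    """Split an RFC 2253 string into (type, value) pairs, honouring "\\" escapes."""
    pieces, buf, i = [], [], 0
    while i < len(subject):
        ch = subject[i]
        if ch == "\\" and i + 1 < len(subject):  # escaped character: keep literally
            buf.append(subject[i + 1])
            i += 2
            continue
        if ch == ",":                             # unescaped comma ends an RDN
            pieces.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    pieces.append("".join(buf))
    return [(k.strip(), v) for k, _, v in (p.partition("=") for p in pieces)]


def common_name(rdns):
    """First CN value in a parsed subject, or None."""
    return next((v for k, v in rdns if k.upper() == "CN"), None)


def cert_names(dns_sans, cn):
    """Postfix matches DNS subjectAltNames when the certificate has any and only
    falls back to the CommonName when it has none."""
    return list(dns_sans) if dns_sans else ([cn] if cn else [])


def name_matches(cert_name, match_name):
    """Case-insensitive; a match name starting with "." accepts any proper
    subdomain of it (the rule behind "dot-nexthop")."""
    c, m = cert_name.lower(), match_name.lower()
    if m.startswith("."):
        return c.endswith(m) and len(c) > len(m)
    return c == m


def secure_policy_decision(chain_ok, dns_sans, cn, match_names):
    """Outcome for a "secure" policy entry: the chain must verify against the
    configured CAs AND some certificate name must match some match= name.
    Return strings are modelled on the reasons Postfix logs when it defers."""
    if not chain_ok:
        return "Server certificate not trusted"
    names = cert_names(dns_sans, cn)
    if any(name_matches(n, m) for n in names for m in match_names):
        return "Verified TLS connection"
    return "Server certificate not verified"


if __name__ == "__main__":
    # The thread's log shows verify=1 at depth 1 and depth 0: the chain is fine,
    # so only the name comparison can produce "not verified".
    print("legacy-parsed CN:", common_name(parse_legacy(LEGACY_SUBJECT)))
    real_cn = common_name(parse_rfc2253(RFC2253_SUBJECT))
    print("actual CN       :", real_cn)
    print(secure_policy_decision(True, [], real_cn, ["1CorpHQ"]))
    # Reissued with CN exactly "1CorpHQ", the same policy entry passes.
    print(secure_policy_decision(True, [], "1CorpHQ", ["1CorpHQ"]))
    # A DNS SAN, if present, makes Postfix ignore the CN altogether.
    print(secure_policy_decision(True, ["1CorpHQ.tcs.mil.in"], "1CorpHQ", ["1CorpHQ"]))
```

On a real certificate file, `openssl x509 -noout -subject -nameopt RFC2253 -in cert.pem` prints the subject in the unambiguous form the second parser expects, which is the quickest way to see what the CN actually contains.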