postfix tls verification..

Pinkdog · 03-15-2010, 09:34 PM

Hello all,

I followed a guide to setup a mail server (Virtual Users/Domains With Postfix, MySQL, SquirrelMail etc... on debian)
Now im trying to get TLS to work. Im trying to send an email to a server that is TLS aware and i get this error in my log and the email is deferred.

Quote:

Mar 15 21:25:13 mailsrvr postfix/smtp[18764]: 18218100074D: Server certificate not trusted
Mar 15 21:25:13 mailsrvr postfix/smtp[18764]: certificate verification failed for mxg.jpmchase.com[159.53.78.175]:25: untrusted issuer /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

So to try and fix this, i went to verisign website and downloaded the root.zip file that contains all the root CA PEM's. I then appended all the verisign PEM's in that zip file to my CAcert.pem on my debian machine.
I then added this line into my postfix main.cf file

Quote:

smtpd_tls_CAfile = /etc/postfix/CAcert.pem

then reloaded postfix, but i still get the same error in my mail.log

I dont have a real certificate for my server, its a self signed cert. Would that cause this problem?

My tls section in my main.cf looks like this

Quote:

smtpd_tls_cert_file=/etc/ssl/certs/dovecot.pem
smtpd_tls_key_file=/etc/ssl/private/dovecot.pem
smtpd_tls_security_level = may
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_per_site = /etc/postfix/tls_per_site
smtpd_tls_CAfile = /etc/postfix/CAcert.pem

Thanks for your help!!.

spampig · 03-16-2010, 03:16 AM

I can't say I'm totally sure of the problem here, but the CN of the certificate is 'img3.jpmchase.com' NOT 'mxg.jpmchase.com' as you can see running this:

Code:

openssl s_client -connect 159.53.78.175:25 -starttls smtp
CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=New York/L=New York/O=JPMorgan Chase/OU=GTI/CN=img3.jpmchase.com
   i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
 1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 2 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

I always find myself tripping over my own confusion with TLS at times but I'm sure the cert the destination has there is issued to a different host and this may result in the mismatch. I would not *swear* that so check it carefully.

The only thing that has me bothered about that is the reply from Postfix:

Quote:

certificate verification failed for mxg.jpmchase.com[159.53.78.175]:25: untrusted issuer /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

Which suggests it does not trust the issuer {something rings a bell about intermediate certificates here, but I'm old and forgetful}

I guess you know that Postfix does not ship with a default bundle of root certs for verification - you have to roll your own. In your case you are saying these are in a file called /etc/postfix/CAcert.pem.
This should contain all of the CA roots bundled (including VeriSign) and look something like this:

Quote:

-----END CERTIFICATE-----
blahblahblah...
-----BEGIN CERTIFICATE-----
blahblahblah...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
blahblahblah...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
blahblahblah...
-----END CERTIFICATE-----

If you've not created that file or added VeriSign to it, that would be the first place I would look.

Extra to that I would also ask which version of Postfix are you running?

Quote:

postconf -d | grep mail_version

Some of those tls directives you have in main.cf may be obsolete in newer versions as per:

http://www.postfix.org/TLS_README.html

You could try sending a test message to the BBC in London with TLS. They use Messagelabs on the inbound side of things - see if you get a similar error?

As for your self signed cert, AFAIR that would only come into play when Postfix is acting as the server to an incoming SMTP connection (The logs would have this as 'smtpd' in such a case). 'smtp' suggests it's the client connecting to a server - so your self signed cert should not be relevant if I understand it correctly?

Pinkdog · 03-16-2010, 10:49 AM

thanks!, i didn't notice that the CN was different.
Im running postfix 2.5.5
My root certs file looks the way that you have described. But i will double check that again.
Im using smtp_tls_per_site = /etc/postfix/tls_per_site so i tried using MUST_NOPEERMATCH instead of MUST. But another problem comes up doing it that way. My email gets queued for delivery now ( status=sent (250 +OK message queued for delivery.)), so the user doesn't get the email. Not sure where the email ended up =). I will have to research more. But im slowly getting there =).

Do u have BBC email addy i can send a test too? I tried looking on the bbc.co.uk website for an email address and i couldn't find one.

thank you!

spampig · 03-16-2010, 10:56 AM

That message would suggest the root public key is missing from your bundle. I'm not familiar with the smtp_tls_per_site directive as it pre-dates my version. As for the BBC try breakfast@bbc.co.uk - it does not have to work in honesty, it's the TLS connection you are testing. BTW I'm assuming STARTTLS as you were working with port 25.

Pinkdog · 03-16-2010, 11:10 AM

The root public key that you mentioned is it this? That needs to be in my CAcert.pem. Also do you know if i need to do a postmap for the CAcert.pem? i forgot if i needed to for this.

Quote:

spampig · 03-16-2010, 11:25 AM

That seems to come back to ime6.jpmchase.com?

Code:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3e:d0:72:d0:d4:59:a0:25:57:df:48:15:29:6f:8d:3b
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
        Validity
            Not Before: Nov 13 00:00:00 2009 GMT
            Not After : Nov 30 23:59:59 2010 GMT
        Subject: C=US, ST=New York, L=New York, O=JPMorgan Chase, OU=GTI, CN=ime6.jpmchase.com

What I mean is you have got the root for verisign.com in you '/etc/postfix/CAcert.pem' file, yes?

spampig · 03-16-2010, 11:47 AM

These are the basic 14 Verisign Root Certificates - you can download them from here: https://www.verisign.com/support/roots.html

Make sure you have these in your /etc/postfix/CAcert.pem file

Code:

Pinkdog · 03-16-2010, 01:11 PM

I did download from verisign. Maybe i created my CAcert.pem wrong. So what i did was just copy and pasted yours into my CAcert.pem
But i still get the error of

Quote:

Mar 16 13:57:18 mailsrvr postfix/smtp[20416]: certificate verification failed for mxe.jpmchase.com[159.53.46.180]:25: untrusted issuer /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Mar 16 13:57:18 mailsrvr postfix/smtp[20416]: 5155A100074E: to=<xxxxxx@jpmchase.com>, relay=mxe.jpmchase.com[159.53.46.180]:25, delay=0.6, delays=0.05/0.05/0.31/0.2, dsn=2.0.0, status=sent (250 +OK message queued for delivery.)
Mar 16 13:57:18 mailsrvr postfix/qmgr[20393]: 5155A100074E: removed

I don't understand the status=sent (250 +OK message queued for delivery.) part. So its sent, but then queued right after? where is it being queued?

i also ran
openssl verify CAcert.pem and the output is this

Quote:

openssl verify CAcert.pem
CAcert.pem: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2008 VeriSign, Inc. - For authorized use only/CN=VeriSign Universal Root Certification Authority
error 18 at 0 depth lookup:self signed certificate
OK

I'm not sure what else to try.

Thanks!

spampig · 03-16-2010, 01:37 PM

The 250 OK means the message was delivered successfully - so the error is not stopping anything, but it would be useful to find out just why Postfix is bitching about the certificate.

I think you best option would be to sign up to the Postfix USERS list and pose the question - one of the regulars there will probably spot your issue in a flash:

http://www.postfix.org/lists.html

Sorry I can't nail it for you - but when all else fails, ask the list!

Pinkdog · 03-16-2010, 02:31 PM

Really the message has been delivered? It says queue for delivery. End user never received anything, maybe their filter has blocked it. Hmmm i dunno, not good a deciphering these log messages yet.
Thanks for all your help, i will ask the postfix mailing list and see what i can come up with.

spampig · 03-16-2010, 03:07 PM

To be specific, the destination has taken responsibility for the message and queued it for delivery. It can bounce it but it's considered poor practice/backscatter to do so after giving a 250.

spampig · 03-17-2010, 02:55 AM

This covers a similar situation and may explain it better (it also illustrates how curt and blunt the Postfix mailing list is):
http://readlist.com/lists/postfix.or...26/130222.html

Pinkdog · 03-17-2010, 07:10 PM

thanks! i will take a look