I followed a guide to set up a mail server (Virtual Users/Domains With Postfix, MySQL, SquirrelMail etc. on Debian).
Now I'm trying to get TLS to work. I'm trying to send an email to a server that is TLS aware, and I get this error in my log and the email is deferred.
Quote:
Mar 15 21:25:13 mailsrvr postfix/smtp[18764]: 18218100074D: Server certificate not trusted
Mar 15 21:25:13 mailsrvr postfix/smtp[18764]: certificate verification failed for mxg.jpmchase.com[159.53.78.175]:25: untrusted issuer /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
So to try and fix this, I went to the VeriSign website and downloaded the root.zip file that contains all the root CA PEMs. I then appended all the VeriSign PEMs in that zip file to my CAcert.pem on my Debian machine.
I then added this line to my Postfix main.cf file:
Quote:
smtpd_tls_CAfile = /etc/postfix/CAcert.pem
then reloaded Postfix, but I still get the same error in my mail.log.
I don't have a real certificate for my server; it's a self-signed cert. Would that cause this problem?
I can't say I'm totally sure of the problem here, but the CN of the certificate is 'img3.jpmchase.com', NOT 'mxg.jpmchase.com', as you can see by running this:
Code:
openssl s_client -connect 159.53.78.175:25 -starttls smtp
CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=US/ST=New York/L=New York/O=JPMorgan Chase/OU=GTI/CN=img3.jpmchase.com
i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
2 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
I always find myself tripping over my own confusion with TLS at times, but I'm sure the cert the destination has there is issued to a different host, and this may result in the mismatch. I would not *swear* to that, so check it carefully.
The only thing that has me bothered about that is the reply from Postfix:
Quote:
certificate verification failed for mxg.jpmchase.com[159.53.78.175]:25: untrusted issuer /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Which suggests it does not trust the issuer (something rings a bell about intermediate certificates here, but I'm old and forgetful).
I guess you know that Postfix does not ship with a default bundle of root certs for verification - you have to roll your own. In your case you are saying these are in a file called /etc/postfix/CAcert.pem.
This should contain all of the CA roots bundled (including VeriSign) and look something like this:
You could try sending a test message to the BBC in London with TLS. They use Messagelabs on the inbound side of things - see if you get a similar error?
As for your self-signed cert, AFAIR that would only come into play when Postfix is acting as the server for an incoming SMTP connection (the logs would show this as 'smtpd' in such a case). 'smtp' suggests it's the client connecting to a server, so your self-signed cert should not be relevant, if I understand it correctly.
Thanks! I didn't notice that the CN was different.
I'm running Postfix 2.5.5.
My root certs file looks the way that you have described, but I will double-check that again.
I'm using smtp_tls_per_site = /etc/postfix/tls_per_site, so I tried using MUST_NOPEERMATCH instead of MUST. But another problem comes up doing it that way. My email gets queued for delivery now (status=sent (250 +OK message queued for delivery.)), so the user doesn't get the email. Not sure where the email ended up =). I will have to research more, but I'm slowly getting there =).
Do you have a BBC email address I can send a test to? I tried looking on the bbc.co.uk website for an email address and I couldn't find one.
That message would suggest the root public key is missing from your bundle. I'm not familiar with the smtp_tls_per_site directive as it pre-dates my version. As for the BBC, try breakfast@bbc.co.uk - it does not have to work, in honesty; it's the TLS connection you are testing. BTW, I'm assuming STARTTLS as you were working with port 25.
The root public key that you mentioned, is it this? That needs to be in my CAcert.pem. Also, do you know if I need to do a postmap for the CAcert.pem? I forgot if I needed to for this.
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
3e:d0:72:d0:d4:59:a0:25:57:df:48:15:29:6f:8d:3b
Signature Algorithm: sha1WithRSAEncryption
Issuer: O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
Validity
Not Before: Nov 13 00:00:00 2009 GMT
Not After : Nov 30 23:59:59 2010 GMT
Subject: C=US, ST=New York, L=New York, O=JPMorgan Chase, OU=GTI, CN=ime6.jpmchase.com
What I mean is, you have got the root for verisign.com in your '/etc/postfix/CAcert.pem' file, yes?
I did download from VeriSign. Maybe I created my CAcert.pem wrong. So what I did was just copy and paste yours into my CAcert.pem.
But I still get the error of
Quote:
Mar 16 13:57:18 mailsrvr postfix/smtp[20416]: certificate verification failed for mxe.jpmchase.com[159.53.46.180]:25: untrusted issuer /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Mar 16 13:57:18 mailsrvr postfix/smtp[20416]: 5155A100074E: to=<xxxxxx@jpmchase.com>, relay=mxe.jpmchase.com[159.53.46.180]:25, delay=0.6, delays=0.05/0.05/0.31/0.2, dsn=2.0.0, status=sent (250 +OK message queued for delivery.)
Mar 16 13:57:18 mailsrvr postfix/qmgr[20393]: 5155A100074E: removed
I don't understand the status=sent (250 +OK message queued for delivery.) part. So it's sent, but then queued right after? Where is it being queued?
I also ran openssl verify CAcert.pem and the output is this:
Quote:
openssl verify CAcert.pem
CAcert.pem: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2008 VeriSign, Inc. - For authorized use only/CN=VeriSign Universal Root Certification Authority
error 18 at 0 depth lookup:self signed certificate
OK
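The two things Postfix complained about in this thread, "untrusted issuer" (the trust store handed to the SMTP client does not contain the root of the chain the remote MX presents) and the CN/MX-name mismatch that MUST rejects but MUST_NOPEERMATCH ignores, can be reproduced offline with a throwaway CA. This is an added example, not anything from the posters' setups; the names img3.example and mxg.example, the subject strings and the scratch directory are made up for the demo, and it assumes only that openssl 1.0.2 or newer is on PATH (for -verify_hostname). It also shows why running "openssl verify CAcert.pem" on a bundle, as done above, proves nothing about which roots the bundle holds: openssl verify reads only the first certificate in that file and tries to verify it, it does not treat the file as a trust store.

```shell
#!/bin/sh
# Added example for this thread, not the posters' configuration: rebuild the
# "untrusted issuer" and CN-mismatch conditions with a throwaway CA.
# Assumptions: hostnames img3.example / mxg.example, the subject names and
# the scratch directory are invented for the demo; openssl >= 1.0.2 on PATH.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Root CA playing the part of "VeriSign Class 3 Public Primary CA".
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" \
    -subj "/O=Demo CA/CN=Demo Root" >/dev/null 2>&1

# Leaf issued by that root to img3.example (the CN the remote really has,
# while the MX record points at a different name, as with mxg.jpmchase.com).
openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    -subj "/O=Demo Org/CN=img3.example" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -out "$WORK/leaf.pem" >/dev/null 2>&1

# An unrelated root: a trust store that does not know the remote's issuer.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" \
    -subj "/O=Other CA/CN=Unrelated Root" >/dev/null 2>&1

# A concatenated bundle, built the way CAcert.pem was built in the thread.
cat "$WORK/other.pem" "$WORK/root.pem" > "$WORK/bundle.pem"

# verify_chain CAFILE LEAF [HOSTNAME]
# Exit 0 when openssl accepts LEAF against CAFILE (and, if given, HOSTNAME
# matches the cert's SAN/CN), non-zero otherwise. Postfix logs the
# missing-root case as "untrusted issuer"; openssl calls it
# "unable to get local issuer certificate".
verify_chain() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# bundle_subject_count BUNDLE
# Number of certificates in a PEM bundle. "openssl verify bundle.pem" looks
# only at the first cert in the file, so it cannot confirm a root is
# present; pkcs7 -print_certs walks every cert and prints its subject.
bundle_subject_count() {
    openssl crl2pkcs7 -nocrl -certfile "$1" \
        | openssl pkcs7 -print_certs -noout \
        | grep -c '^subject='
}

report() {  # report LABEL CMD ARGS...
    label=$1; shift
    if "$@"; then echo "$label: OK"; else echo "$label: FAIL"; fi
}

report "root in CA file, no name check"                  verify_chain "$WORK/root.pem"   "$WORK/leaf.pem"
report "root missing from CA file (untrusted issuer)"    verify_chain "$WORK/other.pem"  "$WORK/leaf.pem"
report "bundle holds root, name matches CN (MUST ok)"    verify_chain "$WORK/bundle.pem" "$WORK/leaf.pem" img3.example
report "bundle holds root, MX name != CN (MUST fails)"   verify_chain "$WORK/bundle.pem" "$WORK/leaf.pem" mxg.example
echo "certificates in bundle: $(bundle_subject_count "$WORK/bundle.pem")"
```

Two points follow from this for the configuration shown earlier. The trust store Postfix consults when it is the client (the postfix/smtp process in the log) is smtp_tls_CAfile; the smtpd_tls_CAfile line quoted above only affects inbound connections to your own server, so a root placed there is never consulted for outbound delivery, and no postmap is involved because the CA file is a plain PEM bundle, not a lookup table. To see exactly what Postfix will see against the real MX, run openssl s_client -connect mxg.jpmchase.com:25 -starttls smtp -CAfile /etc/postfix/CAcert.pem and look for "Verify return code: 0 (ok)" at the end; with the root in the file the chain verifies, but a MUST entry for mxg.jpmchase.com in smtp_tls_per_site still fails on the name, because the certificate's CN is img3.jpmchase.com, which is the case MUST_NOPEERMATCH is for.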
The 250 OK means the message was delivered successfully - so the error is not stopping anything, but it would be useful to find out just why Postfix is bitching about the certificate.
I think your best option would be to sign up to the Postfix users list and pose the question - one of the regulars there will probably spot your issue in a flash:
Really, the message has been delivered? It says queued for delivery. The end user never received anything; maybe their filter has blocked it. Hmmm, I dunno, not good at deciphering these log messages yet.
Thanks for all your help. I will ask the Postfix mailing list and see what I can come up with.
To be specific, the destination has taken responsibility for the message and queued it for delivery. It can bounce it but it's considered poor practice/backscatter to do so after giving a 250.