I am trying to implement TLS on our server for a client requirement. I believe I have the TLS settings correct, but I am not certain about what I am seeing in the logs and I am uncertain as to how to know if a message was delivered using TLS.
Is there anything in the message headers that would indicate that it was delivered using TLS? I have the below log entries on some outgoing messages. I am certain that the first one is a failure, since the group's server is set up with the entry "somecomp.com MUST_NOPEERMATCH" specified in tls_per_site, and consequently the message is not delivered when TLS fails. Is this because they have a self-signed certificate and we do not have the CA certificate for their root? In the second set of log entries, I am not certain whether the message is delivered over the TLS connection or not. Is there some entry I can search my logs for to find out if any messages are being successfully transmitted over TLS?

---------------------- Known Failure ----------------------
Aug 22 13:11:43 mail postfix/smtp[7593]: starting TLS engine
Aug 22 13:11:44 mail postfix/smtp[7593]: setting up TLS connection to mail.somecomp.com
Aug 22 13:11:44 mail postfix/smtp[7593]: SSL_connect:before/connect initialization
Aug 22 13:11:44 mail postfix/smtp[7593]: SSL_connect:SSLv2/v3 write client hello A
Aug 22 13:11:44 mail postfix/smtp[7593]: SSL_connect:error in SSLv2/v3 read server hello A
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:error in SSLv3 read server hello A
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:error in SSLv3 read server hello A
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:SSLv3 read server hello A
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:error in SSLv3 read server certificate A
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:error in SSLv3 read server certificate A
Aug 22 13:11:45 mail postfix/smtp[7593]: Peer cert verify depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=thistle.somecomp.com/[EMAIL PROTECTED]
Aug 22 13:11:45 mail postfix/smtp[7593]: verify error:num=18:self signed certificate
Aug 22 13:11:45 mail postfix/smtp[7593]: verify return:0
Aug 22 13:11:45 mail postfix/smtp[7593]: Peer cert verify depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=thistle.somecomp.com/[EMAIL PROTECTED]
Aug 22 13:11:45 mail postfix/smtp[7593]: Peer verification: CommonName in certificate does not match: thistle.somecomp.com != mail.somecomp.com
Aug 22 13:11:45 mail postfix/smtp[7593]: verify return:1
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:SSLv3 read server certificate A
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:error in SSLv3 read server key exchange A
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:error in SSLv3 read server key exchange A
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:SSLv3 read server key exchange A
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:error in SSLv3 read server certificate request A
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:error in SSLv3 read server certificate request A
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:SSLv3 read server done A
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:SSLv3 write client key exchange A
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:SSLv3 write change cipher spec A
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:SSLv3 write finished A
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:SSLv3 flush data
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:error in SSLv3 read finished A
Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:SSLv3 read finished A
Aug 22 13:11:45 mail postfix/smtp[7593]: Unverified: subject_CN=thistle.somecomp.com, issuer=thistle.somecomp.com
Aug 22 13:11:45 mail postfix/smtp[7593]: TLS connection established to mail.somecomp.com: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Aug 22 13:11:45 mail postfix/smtp[7593]: Peer certficate could not be verified
Aug 22 13:11:45 mail postfix/smtp[7593]: 85F4F504254: to=<[EMAIL PROTECTED]>, relay=mail.somecomp.com[xxx.yyy.zzz.aaa], delay=2, status=deferred (TLS-failure: Could not verify certificate)

---------------------- Did this work or not? ----------------------
Aug 21 22:16:22 mail postfix/smtp[28731]: starting TLS engine
Aug 21 22:16:28 mail postfix/smtp[28731]: setting up TLS connection to mail.somecomp2.com
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:before/connect initialization
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv2/v3 write client hello A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:error in SSLv2/v3 read server hello A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:error in SSLv3 read server hello A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:error in SSLv3 read server hello A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 read server hello A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:error in SSLv3 read server certificate A
Aug 21 22:16:28 mail postfix/smtp[28731]: Peer cert verify depth=1 /C=US/ST=SC/L=NCHARLESTON/O=somecomp2/CN=Certificate Manager
Aug 21 22:16:28 mail postfix/smtp[28731]: verify error:num=19:self signed certificate in certificate chain
Aug 21 22:16:28 mail postfix/smtp[28731]: verify return:0
Aug 21 22:16:28 mail postfix/smtp[28731]: Peer cert verify depth=1 /C=US/ST=SC/L=NCHARLESTON/O=somecomp2/CN=Certificate Manager
Aug 21 22:16:28 mail postfix/smtp[28731]: verify return:1
Aug 21 22:16:28 mail postfix/smtp[28731]: Peer cert verify depth=0 /C=US/ST=South Carolina/L=Charleston/O=somecomp2 Communications, Inc./CN=mail.somecomp2.com/[EMAIL PROTECTED]
Aug 21 22:16:28 mail postfix/smtp[28731]: verify return:1
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 read server certificate A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:error in SSLv3 read server key exchange A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:error in SSLv3 read server key exchange A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 read server key exchange A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:error in SSLv3 read server certificate request A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:error in SSLv3 read server certificate request A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 read server certificate request A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 read server done A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 write client certificate A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 write client key exchange A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 write certificate verify A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 write change cipher spec A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 write finished A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 flush data
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:error in SSLv3 read finished A
Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 read finished A
Aug 21 22:16:28 mail postfix/smtp[28731]: Unverified: subject_CN=mail.somecomp2.com, issuer=Certificate Manager
Aug 21 22:16:28 mail postfix/smtp[28731]: TLS connection established to mail.somecomp2.com: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Aug 21 22:16:28 mail postfix/smtp[28731]: Peer certficate could not be verified
Aug 21 22:18:10 mail postfix/smtp[28731]: 8D05D501C3C: to=<[EMAIL PROTECTED]>, relay=mail.somecomp2.com[xxx.yyy.zzz.aaa], delay=8898, status=sent (250 2.0.0 m7LMVud8002947 Message accepted for delivery)
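One way to answer "did this go over TLS" from the logs, as an added example that is not part of the original post: a small Python parser that pairs each smtp process's "Unverified:/Verified:" and "TLS connection established to HOST" lines with the delivery line (queue ID, relay=, status=) that the same process logs afterwards for the same relay host. The embedded sample lines are constructed from the message shapes shown above, with placeholder addresses and IPs.

```python
import re

# Constructed sample (placeholder addresses/IPs), modelled on the log shapes in the post.
SAMPLE_LOG = """\
Aug 22 13:11:45 mail postfix/smtp[7593]: Unverified: subject_CN=thistle.somecomp.com, issuer=thistle.somecomp.com
Aug 22 13:11:45 mail postfix/smtp[7593]: TLS connection established to mail.somecomp.com: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Aug 22 13:11:45 mail postfix/smtp[7593]: 85F4F504254: to=<user@somecomp.com>, relay=mail.somecomp.com[192.0.2.10], delay=2, status=deferred (TLS-failure: Could not verify certificate)
Aug 21 22:16:28 mail postfix/smtp[28731]: Unverified: subject_CN=mail.somecomp2.com, issuer=Certificate Manager
Aug 21 22:16:28 mail postfix/smtp[28731]: TLS connection established to mail.somecomp2.com: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Aug 21 22:18:10 mail postfix/smtp[28731]: 8D05D501C3C: to=<user@somecomp2.com>, relay=mail.somecomp2.com[192.0.2.20], delay=8898, status=sent (250 2.0.0 m7LMVud8002947 Message accepted for delivery)
Aug 21 22:20:00 mail postfix/smtp[28740]: 1234567890A: to=<user@example.net>, relay=mx.example.net[192.0.2.30], delay=1, status=sent (250 ok)
"""
LINE_RE = re.compile(r'postfix/smtp\[(\d+)\]: (.*)$')
TLS_RE = re.compile(r'^TLS connection established to (\S+): (\S+) with cipher (\S+)')
VERIFY_RE = re.compile(r'^(Verified|Unverified): subject_CN=')
DELIVERY_RE = re.compile(r'^([0-9A-F]+): to=<[^>]*>, relay=([^\[,]+)(?:\[[^\]]*\])?.*?status=(\w+)')

def classify_deliveries(log_text):
    """One record per delivery line, tagged with the TLS session (if any) that the
    same smtp process established to that relay host just before."""
    pending = {}   # pid -> outcome of the Verified:/Unverified: line
    sessions = {}  # pid -> details from the last "TLS connection established"
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        v, t, d = VERIFY_RE.match(msg), TLS_RE.match(msg), DELIVERY_RE.match(msg)
        if v:  # logged just before "TLS connection established"; stash it
            pending[pid] = (v.group(1) == 'Verified')
        elif t:
            sessions[pid] = {'host': t.group(1), 'protocol': t.group(2),
                             'cipher': t.group(3), 'verified': pending.pop(pid, None)}
        elif d:
            queue_id, relay, status = d.groups()
            sess = sessions.get(pid)
            tls = sess is not None and sess['host'] == relay  # same process, same peer
            results.append({'queue_id': queue_id, 'relay': relay, 'status': status,
                            'tls': tls, **(sess if tls else {})})
    return results

def sent_over_tls(log_text):
    """Queue IDs that were actually delivered (status=sent) over TLS."""
    return [r['queue_id'] for r in classify_deliveries(log_text)
            if r['tls'] and r['status'] == 'sent']
```

On the sample, the second message (8D05D501C3C) is reported as sent over TLSv1 but with an unverified peer certificate, while the first is deferred. Newer Postfix releases fold the verification outcome into the established line itself ("Untrusted/Trusted/Verified/Anonymous TLS connection established to ..."), so TLS_RE needs that prefix made optional there.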