On Thu, Feb 05, 2009 at 07:43:38PM +0100, Patrick Ben Koetter wrote:
> * Tolga <to...@ozses.net>:
> > On Thu, Feb 05, 2009 at 04:25:50PM +0100, Patrick Ben Koetter wrote:
> > > * Tolga <to...@ozses.net>:
> > > > I am reading The Book of Postfix, I applied the steps CA.pl -newca,
> > > > openssl req -new -nodes -keyout privatekey.pem -out privatekey.pem -days 1825
> > > > and openssl ca -policy policy_anything -out publiccert.pem -infiles
> > > > privatekey.pem, copied the key and cert under /etc/ssl/private and
> > > > /etc/ssl/certs and restarted postfix, but I am obviously missing
> > > > something and I can't use the new certificate. Can you help me?
> > > 
> > > Yes.
> > > 
> > > 1. Send output from "postconf -n".
> > alias_database = hash:/etc/aliases
> > alias_maps = hash:/etc/aliases
> > append_dot_mydomain = no
> > biff = no
> > config_directory = /etc/postfix
> > inet_interfaces = all
> > mailbox_size_limit = 0
> > mydestination = ozses.net, kunduz.org, localhost.net, localhost
> > myhostname = ozses.net
> 
> Not a really good hostname unless you own ".net" and your host is "ozses".
> Should probably be something like "mail.ozses.net"...
> 
> 
> > mynetworks = 127.0.0.0/8 192.168.0.0/16 [::ffff:127.0.0.0]/104 [::1]/128
> > myorigin = /etc/mailname
> 
> That's Debian/Ubuntu you are running, right? Does /etc/mailname contain
> ozses.net? It should.
Yes it does.
> 
> 
> > readme_directory = no
> > recipient_delimiter = +
> > relayhost = 
> > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> > smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
> > smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
> > reject_unauth_destination, reject_unknown_reverse_client_hostname,
> > reject_unauth_pipelining, reject_non_fqdn_recipient,
> > reject_rbl_client zen.spamhaus.org
> > smtpd_tls_CAfile = /usr/share/ssl-cert/ca-bundle.crt
> > smtpd_tls_cert_file = /etc/ssl/certs/publiccert.pem
> > smtpd_tls_key_file = /etc/ssl/private/privatekey.pem
> > smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> > smtpd_use_tls = yes
> > 
> > > 2. Are the certificates readable by postfix?
> > -rw-r--r-- 1 root root     1599 2009-02-05 16:33 privatekey.pem
> > -rw-r--r-- 1 root root 3313 2009-02-05 16:34 /etc/ssl/certs/publiccert.pem
> > 
> > > 3. Does the server offer STARTTLS?
> > 
> > I think so, yes
> 
> Your configuration looks okay. Did you do the "openssl s_client ..." test from
> the book? You should do it to test if your server offers STARTTLS and if
> openssl's s_client is able to verify your server certificate.
> 
> Please show evidence of such a session.

to...@ozses:~$ openssl s_client -starttls smtp -CApath /etc/ssl/private -connect localhost:25
CONNECTED(00000003)
depth=0 /C=TR/ST=Marmara/L=Istanbul/O=ozses.net/OU=ozses.net/CN=mail.ozses.net/emailaddress=to...@ozses.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=TR/ST=Marmara/L=Istanbul/O=ozses.net/OU=ozses.net/CN=mail.ozses.net/emailaddress=to...@ozses.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=TR/ST=Marmara/L=Istanbul/O=ozses.net/OU=ozses.net/CN=mail.ozses.net/emailaddress=to...@ozses.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=TR/ST=Marmara/L=Istanbul/O=ozses.net/OU=ozses.net/CN=mail.ozses.net/emailaddress=to...@ozses.net
   i:/C=TR/ST=Marmara/O=ozses.net/OU=ozses.net/CN=mail.ozses.net/emailaddress=to...@ozses.net
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=TR/ST=Marmara/L=Istanbul/O=ozses.net/OU=ozses.net/CN=mail.ozses.net/emailaddress=to...@ozses.net
issuer=/C=TR/ST=Marmara/O=ozses.net/OU=ozses.net/CN=mail.ozses.net/emailaddress=to...@ozses.net
---
No client certificate CA names sent
---
SSL handshake has read 1550 bytes and written 351 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 65FEA867DF1A98DAC7E843E4681FA9BE38B1DBD6E5EB4D71DB3B2701E6B38D77
    Session-ID-ctx: 
    Master-Key: 90DD04655DD98A99CD787C482357FB1F818764547C4143FF8923C6790A3898F24B3884F595430BA94F7FED629ADCD193
    Key-Arg   : None
    Start Time: 1233903841
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
250 DSN

> 
> p...@rick

Regards,

/Tolga

> 
> -- 
> The Book of Postfix
> <http://www.postfix-book.com>
> saslfinger (debugging SMTP AUTH):
> <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
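A small checker, added here as an example and not part of this thread, of Postfix or of OpenSSL, that reads the output of the `openssl s_client -starttls smtp` test discussed above and turns the verify codes and the certificate chain into findings a mail admin can act on. The session text is a constructed sample modelled on the one posted (certificate body and e-mail address left out), the second sample is a constructed "good" session for contrast, and the class and function names are my own. Verify codes 20 (unable to get local issuer certificate), 27 (certificate not trusted) and 21 (unable to verify the first certificate) are all what OpenSSL reports when the CA that signed the server certificate is absent from the trust store handed to s_client; `-CAfile` takes that CA certificate directly, while `-CApath` expects a directory of hash-named certificates as produced by `c_rehash`.

```python
"""Parse `openssl s_client -starttls smtp` output and summarise the certificate
check.  Example code added to this thread; names are assumptions, not APIs."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample modelled on the session posted in the thread
# (certificate body and e-mail address left out).
SESSION_UNVERIFIED = """\
CONNECTED(00000003)
depth=0 /C=TR/ST=Marmara/L=Istanbul/O=ozses.net/OU=ozses.net/CN=mail.ozses.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=TR/ST=Marmara/L=Istanbul/O=ozses.net/OU=ozses.net/CN=mail.ozses.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=TR/ST=Marmara/L=Istanbul/O=ozses.net/OU=ozses.net/CN=mail.ozses.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=TR/ST=Marmara/L=Istanbul/O=ozses.net/OU=ozses.net/CN=mail.ozses.net
   i:/C=TR/ST=Marmara/O=ozses.net/OU=ozses.net/CN=mail.ozses.net
---
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 21 (unable to verify the first certificate)
---
250 DSN
"""

# Constructed sample of the same test once s_client is given the signing CA
# via -CAfile, the server sends its CA cert, and the key is 2048 bits.
SESSION_VERIFIED = """\
Certificate chain
 0 s:/C=TR/ST=Marmara/L=Istanbul/O=ozses.net/OU=ozses.net/CN=mail.ozses.net
   i:/C=TR/ST=Marmara/O=ozses.net/OU=ozses.net/CN=mail.ozses.net
 1 s:/C=TR/ST=Marmara/O=ozses.net/OU=ozses.net/CN=mail.ozses.net
   i:/C=TR/ST=Marmara/O=ozses.net/OU=ozses.net/CN=mail.ozses.net
---
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
---
250 DSN
"""


@dataclass
class SessionReport:
    verify_code: Optional[int] = None
    verify_text: str = ""
    errors: List[Tuple[int, str]] = field(default_factory=list)
    chain: List[Tuple[str, str]] = field(default_factory=list)  # (subject, issuer)
    key_bits: Optional[int] = None
    protocol: str = ""
    cipher: str = ""
    smtp_ready: bool = False  # saw a 250 reply after the TLS handshake


def parse_session(text: str) -> SessionReport:
    """Extract verify errors, the presented chain, key size and protocol."""
    r = SessionReport()
    subject = None  # chain entry waiting for its "i:" issuer line
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"verify error:num=(\d+):(.*)", s):
            r.errors.append((int(m.group(1)), m.group(2).strip()))
        elif m := re.match(r"\d+ s:(.*)", s):
            subject = m.group(1).strip()
        elif m := re.match(r"i:(.*)", s):
            if subject is not None:
                r.chain.append((subject, m.group(1).strip()))
                subject = None
        elif m := re.match(r"Server public key is (\d+) bit", s):
            r.key_bits = int(m.group(1))
        elif m := re.match(r"Protocol\s*:\s*(\S+)", s):
            r.protocol = m.group(1)
        elif m := re.match(r"Cipher\s*:\s*(\S+)", s):
            r.cipher = m.group(1)
        elif m := re.match(r"Verify return code:\s*(\d+)\s*\((.*)\)", s):
            r.verify_code, r.verify_text = int(m.group(1)), m.group(2)
        elif s.startswith("250 "):
            r.smtp_ready = True
    return r


# OpenSSL verify codes reported when the CA that signed the server
# certificate is absent from the trust store given via -CAfile/-CApath.
ISSUER_NOT_TRUSTED = {20, 21, 27}


def diagnose(r: SessionReport) -> List[str]:
    """Turn a parsed session into findings a mail admin would act on."""
    out = []
    if not r.smtp_ready:
        out.append("no 250 reply after the handshake: STARTTLS did not complete")
    if r.verify_code == 0:
        out.append("chain verified against the supplied trust store")
    elif r.verify_code in ISSUER_NOT_TRUSTED:
        out.append(f"verify code {r.verify_code} ({r.verify_text}): "
                   "signing CA not in the trust store given to s_client")
    elif r.verify_code is not None:
        out.append(f"verify code {r.verify_code} ({r.verify_text})")
    if r.chain:
        subject, issuer = r.chain[0]
        if subject == issuer:
            out.append("server certificate is self-signed")
        elif len(r.chain) == 1:
            out.append("server sent only the leaf certificate; pass the issuing "
                       "CA certificate to s_client with -CAfile")
    if r.key_bits is not None and r.key_bits < 2048:
        out.append(f"{r.key_bits}-bit server key is below the 2048-bit minimum")
    if r.protocol in ("SSLv3", "TLSv1", "TLSv1.1"):
        out.append(f"{r.protocol} negotiated; offer only TLS 1.2 or newer")
    return out


if __name__ == "__main__":
    for name, text in (("unverified", SESSION_UNVERIFIED), ("verified", SESSION_VERIFIED)):
        print(f"== {name} ==")
        for finding in diagnose(parse_session(text)):
            print(" -", finding)
```

In practice the text is produced by `openssl s_client -starttls smtp -CAfile <ca-cert.pem> -connect host:25 </dev/null` and piped into the parser; the verify code at the end of the session is the one to trust, since the per-depth `verify error` lines are emitted while OpenSSL is still trying alternatives.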
