Hi,

There is something strange with delivering mail from my mailserver to github: it complains about the github server certificate not being verified on an outgoing TLS connection.

My main.cf contains the same certs-path for smtp and smtpd TLS connections:
---snip---
# grep CApath main.cf
smtp_tls_CApath = /etc/ssl/certs
smtpd_tls_CApath = /etc/ssl/certs
---snip---

What I see in the failure case is:
---snip---
Nov 30 11:18:40 mailgate postfix/tlsproxy[98300]: CONNECT to [140.82.112.31]:25
Nov 30 11:18:40 mailgate postfix/tlsproxy[98300]: server certificate verification failed for in-9.smtp.github.com[140.82.112.31]:25: num=62:hostname mismatch
Nov 30 11:18:40 mailgate postfix/tlsproxy[98300]: Untrusted TLS connection established to in-9.smtp.github.com[140.82.112.31]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Nov 30 11:18:40 mailgate postfix/smtp[98296]: Untrusted TLS connection established to in-9.smtp.github.com[140.82.112.31]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Nov 30 11:18:40 mailgate postfix/smtp[98296]: 43213239F0: to=<asdfsadffaiowuerskjdfnla...@reply.github.com>, relay=in-9.smtp.github.com[140.82.112.31]:25, delay=180939, delays=180930/4/5.4/0, dsn=4.7.5, status=deferred (Server certificate not verified)
Nov 30 11:18:40 mailgate postfix/tlsproxy[98300]: DISCONNECT [140.82.112.31]:25
---snip---

The github cert is signed by "DigiCert TLS RSA SHA256 2020 CA1" (included in the cert chain the server sends). This is signed by "DigiCert Global Root CA", which is not in the chain but is in my trust store (which is configured as CApath in postfix, as can be seen above). The DigiCert Global Root CA is in the trust store with hash /etc/ssl/certs/3513523f.0. What postfix tries to look up is /etc/ssl/certs/e83d98dd.0, which doesn't exist.

Other outgoing TLS connections have worked for years, so the generic TLS setup is correct:
---snip---
Nov 30 11:28:03 mailgate postfix/tlsproxy[99594]: CONNECT to [96.47.72.80]:25
Nov 30 11:28:04 mailgate postfix/tlsproxy[99594]: Verified TLS connection established to mx1.freebsd.org[96.47.72.80]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature ECDSA (prime256v1) client-digest SHA256
Nov 30 11:28:04 mailgate postfix/smtp[99562]: Verified TLS connection established to mx1.freebsd.org[96.47.72.80]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature ECDSA (prime256v1) client-digest SHA256
Nov 30 11:28:06 mailgate postfix/smtp[99562]: E93042202C: to=<netch...@freebsd.org>, relay=mx1.freebsd.org[96.47.72.80]:25, delay=28, delays=8.4/6.9/11/1.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4SgspY18rqz3KXr)
Nov 30 11:28:06 mailgate postfix/tlsproxy[99594]: DISCONNECT [96.47.72.80]:25
---snip---

Debugging the github issue with more tls verbosity (note that the server cert is presented twice, once at the beginning and once at the end, one time with verify=0 and one time with verify=1, whatever this means here):
---snip---
Nov 30 11:31:48 mailgate postfix/tlsproxy[175]: SSL_connect:TLSv1.3 read encrypted extensions
Nov 30 11:31:48 mailgate postfix/tlsproxy[175]: in-8.smtp.github.com[140.82.114.32]:25: depth=0 verify=0 subject=/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=*.smtp.github.com
Nov 30 11:31:48 mailgate postfix/tlsproxy[175]: in-8.smtp.github.com[140.82.114.32]:25: depth=2 verify=1 subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
Nov 30 11:31:48 mailgate postfix/tlsproxy[175]: in-8.smtp.github.com[140.82.114.32]:25: depth=1 verify=1 subject=/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1
Nov 30 11:31:48 mailgate postfix/tlsproxy[175]: in-8.smtp.github.com[140.82.114.32]:25: depth=0 verify=1 subject=/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=*.smtp.github.com
...
Nov 30 11:31:48 mailgate postfix/tlsproxy[175]: server certificate verification failed for in-8.smtp.github.com[140.82.114.32]:25: num=62:hostname mismatch
Nov 30 11:31:48 mailgate postfix/tlsproxy[175]: in-8.smtp.github.com[140.82.114.32]:25: subject_CN=*.smtp.github.com, issuer_CN=DigiCert TLS RSA SHA256 2020 CA1, fingerprint=4B:7B:90:8B:F3:F3:28:AE:36:C2:D4:04:91:07:32:90:A5:EC:39:54:10:C3:40:E0:93:D0:3B:43:36:A0:45:1B, pkey_fingerprint=8E:41:0A:98:75:E4:25:83:7A:02:32:67:6A:30:A4:13:7C:E3:C7:61:16:99:E9:CF:3B:0F:58:02:72:FA:F3:48
---snip---

With the same tls verbosity the FreeBSD.org server above does not provide the server cert two times.

If I now use posttls-finger I'm able to get a verified connection if I specify -P to the cert-store:
---snip---
# posttls-finger -c reply.github.com
posttls-finger: certificate verification failed for in-10.smtp.github.com[140.82.112.32]:25: untrusted issuer /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
posttls-finger: in-10.smtp.github.com[140.82.112.32]:25: subject_CN=*.smtp.github.com, issuer_CN=DigiCert TLS RSA SHA256 2020 CA1, fingerprint=4B:7B:90:8B:F3:F3:28:AE:36:C2:D4:04:91:07:32:90:A5:EC:39:54:10:C3:40:E0:93:D0:3B:43:36:A0:45:1B, pkey_fingerprint=8E:41:0A:98:75:E4:25:83:7A:02:32:67:6A:30:A4:13:7C:E3:C7:61:16:99:E9:CF:3B:0F:58:02:72:FA:F3:48
posttls-finger: Untrusted TLS connection established to in-10.smtp.github.com[140.82.112.32]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256

# posttls-finger -c -P /etc/ssl/certs reply.github.com
posttls-finger: in-7.smtp.github.com[140.82.114.31]:25: matched peername: *.smtp.github.com
posttls-finger: in-7.smtp.github.com[140.82.114.31]:25: subject_CN=*.smtp.github.com, issuer_CN=DigiCert TLS RSA SHA256 2020 CA1, fingerprint=4B:7B:90:8B:F3:F3:28:AE:36:C2:D4:04:91:07:32:90:A5:EC:39:54:10:C3:40:E0:93:D0:3B:43:36:A0:45:1B, pkey_fingerprint=8E:41:0A:98:75:E4:25:83:7A:02:32:67:6A:30:A4:13:7C:E3:C7:61:16:99:E9:CF:3B:0F:58:02:72:FA:F3:48
posttls-finger: Verified TLS connection established to in-7.smtp.github.com[140.82.114.31]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
---snip---

What is wrong here, that postfix doesn't establish a trusted connection to the github mailservers when posttls-finger is able to do that with the same cert store?

Bye,
Alexander.

--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netch...@freebsd.org  : PGP 0x8F31830F9F2772BF
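The post above hinges on how a CApath trust store is searched: OpenSSL (and so Postfix's smtp_tls_CApath and posttls-finger -P) does not scan the directory, it looks for a file named after the hash of the issuer name it needs, `<subject_hash>.<n>`, which is why the poster compares 3513523f.0 against the e83d98dd.0 that postfix asks for. The script below is an added example, not code from the post or from the Postfix project: it computes the issuer hash a given certificate requires, checks whether the CApath holds a matching file, and cross-checks with `openssl verify -CApath`. It assumes the `openssl` CLI is on the PATH; the CA, leaf certificate and directory names are constructed throwaway test data, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): does a CApath directory hold the
# hash-named CA file that OpenSSL will search for when it needs the issuer of a
# given certificate? Postfix's smtp_tls_CApath relies on exactly this lookup,
# so the directory must be rehashed (c_rehash / openssl rehash) to expose each
# CA certificate as <subject_hash>.<n>.
set -eu

# capath_has_issuer CAPATH CERT.pem
# Prints the issuer hash OpenSSL will look up and returns 0 if
# CAPATH/<hash>.<n> exists, 1 if it does not.
capath_has_issuer() {
    capath=$1
    cert=$2
    hash=$(openssl x509 -in "$cert" -noout -issuer_hash)
    for f in "$capath/$hash".[0-9]*; do
        if [ -e "$f" ]; then
            echo "issuer hash $hash: found $f"
            return 0
        fi
    done
    echo "issuer hash $hash: no $capath/$hash.0 (CA missing or CApath not rehashed)"
    return 1
}

# capath_verifies CAPATH CERT.pem
# Cross-check with OpenSSL's own verifier, which performs the same CApath lookup.
capath_verifies() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# setup_demo
# Builds a constructed throwaway CA and a leaf cert signed by it, plus one
# correctly rehashed CApath and one empty CApath. Prints the temp directory.
setup_demo() {
    d=$(mktemp -d)
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$d/root.key" -out "$d/root.pem" -days 1 \
        -subj "/CN=Constructed Demo Root" >/dev/null 2>&1
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        -subj "/CN=mx.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -out "$d/leaf.pem" -days 1 >/dev/null 2>&1
    mkdir "$d/capath" "$d/empty"
    # What c_rehash does: expose the CA cert under its subject hash.
    cp "$d/root.pem" "$d/capath/$(openssl x509 -in "$d/root.pem" -noout -subject_hash).0"
    echo "$d"
}

# Stand-alone demo: the rehashed directory satisfies the lookup, the empty one
# does not (same failure shape as a root that is present but under a different
# hash name).
demo=$(setup_demo)
capath_has_issuer "$demo/capath" "$demo/leaf.pem"
capath_has_issuer "$demo/empty" "$demo/leaf.pem" || true
```

To apply this to the situation in the post, run `capath_has_issuer /etc/ssl/certs <intermediate.pem>` with the "DigiCert TLS RSA SHA256 2020 CA1" certificate extracted from the chain the server sends: the printed hash is the file name OpenSSL needs, and it should equal `openssl x509 -subject_hash` of the root file already in the store. Note that both Postfix and posttls-finger use the same hash scheme, so a difference between them points at which certificate is being looked up rather than at the store itself.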
