On 2024/3/20 22:25, Cowbay via Postfix-users wrote:
Below is openssl example:
--------8<--------8<--------8<--------
$ openssl s_client -4 -connect smtp.gmail.com:465 -CAfile /etc/ssl/certs/ca-certificates.crt
CONNECTED(00000003)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = smtp.gmail.com
verify return:1
---
Certificate chain
 0 s:CN = smtp.gmail.com
   i:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
 1 s:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
 2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=CN = smtp.gmail.com

issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1C3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4295 bytes and written 386 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: BF3720957764F292088B747CAB9764DC744CF9D40FD60FBB743AFADE7B74D5F6
    Session-ID-ctx:
    Resumption PSK: 52E8D459E26A5E1C0005DEAA70BFEAE44CDFA2E884A26709BD4FF34DF08639F74A4AE17B2C400C3EFBC0BD19164458B4
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 172800 (seconds)
    TLS session ticket:
    0000 - 02 c4 7d 37 12 90 68 40-1e 21 95 25 51 12 e3 10   ..}7..h@.!.%Q...
    0010 - 40 19 02 72 c3 8c 08 cd-bf dd d0 43 95 8f d0 d3   @..r.......C....
    0020 - 42 2f d3 20 a8 56 03 24-74 3e a6 90 bc ac 3c 34   B/. .V.$t>....<4
    0030 - f2 54 d5 69 7a 30 88 cb-6d c0 e9 a6 95 56 05 1e   .T.iz0..m....V..
    0040 - 94 57 e7 46 b8 36 8a fc-19 1e c3 a2 13 9b 52 b8   .W.F.6........R.
    0050 - 1c b1 2a b1 5e a0 24 f1-64 5f 43 f2 d8 eb 00 6e   ..*.^.$.d_C....n
    0060 - f1 93 e3 d3 05 ea 27 fb-e0 77 8d 85 0a 44 09 cb   ......'..w...D..
    0070 - c2 7a 3b c5 86 40 03 98-eb 60 53 79 1b db 37 90   .z;..@...`Sy..7.
    0080 - df 9b 39 5c bf 00 65 ba-09 5e a0 78 f6 f3 0c 44   ..9\..e..^.x...D
    0090 - a6 fb c5 86 57 7f 66 11-db 42 6f ba df c5 04 cd   ....W.f..Bo.....
    00a0 - 88 f5 3b 85 49 f0 89 6e-14 39 72 e1 64 7f e5 26   ..;.I..n.9r.d..&
    00b0 - ec da 76 cd 8e c6 22 ea-49 8a 95 0e 50 82 d8 ec   ..v...".I...P...
    00c0 - ae 79 81 fb 43 e7 88 dd-dd 15 4d 66 c2 b0 6a 3a   .y..C.....Mf..j:
    00d0 - 12 1f fb cd b9 dc 15 35-49 bd b4 f6 5c 2a 99 1a   .......5I...\*..
    00e0 - 7f df 1b ae 54 50 45 4c-cd 6a 25 b7 c3 6e 58      ....TPEL.j%..nX

    Start Time: 1710942237
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: FEC69105252A9A97280C6535905211A35F1E8BD333DD40CD4D319136EA1C8F19
    Session-ID-ctx:
    Resumption PSK: 26C383ECC0AD554238EC26AA77E44BCFCCBAF5348735842F45DD76C446E865E886C3EB1438944C6EDCA01ED015EEA8DF
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 172800 (seconds)
    TLS session ticket:
    0000 - 02 c4 7d 37 12 90 68 40-1e 21 95 25 51 12 e3 10   ..}7..h@.!.%Q...
    0010 - 55 a6 26 b6 38 07 2d 71-0b fe b1 91 f4 61 48 35   U.&.8.-q.....aH5
    0020 - 3b ac b8 66 dd f3 f1 f2-e5 bc aa b9 2b e8 b2 56   ;..f........+..V
    0030 - ad 3b 8c 9b 80 2b 02 73-4a 2d 78 57 ec 04 42 2c   .;...+.sJ-xW..B,
    0040 - bc 8d 12 01 36 62 36 33-63 19 4e 10 f8 fe b4 86   ....6b63c.N.....
    0050 - 3b 84 c8 e4 d4 ed e2 32-ab b6 92 98 e6 4b 0f 12   ;......2.....K..
    0060 - d4 39 96 d0 ef bd 5e bf-5c a7 67 58 d0 93 27 fa   .9....^.\.gX..'.
    0070 - 04 49 08 bf fa db 3e 16-5a 14 2b 26 e6 23 4e 17   .I....>.Z.+&.#N.
    0080 - d4 8f bf c0 29 27 1e 06-eb 4a 17 94 8f 0b 4a 99   ....)'...J....J.
    0090 - 0a e6 5b 84 a9 70 65 6e-8c ae b4 34 da e4 9e fd   ..[..pen...4....
    00a0 - 49 8a 19 4c 04 03 75 70-70 8f f9 71 cd f7 6e fc   I..L..upp..q..n.
    00b0 - 75 37 30 48 ee 5e 7f 93-84 20 0d 0e 1b e4 f3 76   u70H.^... .....v
    00c0 - 58 d7 47 a5 68 4f 2f da-9b 4d f4 52 59 42 c9 1b   X.G.hO/..M.RYB..
    00d0 - 74 8f d6 fe 90 66 67 22-06 3e 07 2b b1 e7 25 0e   t....fg".>.+..%.
    00e0 - 92 aa ac 10 54 50 45 27-bd db 9f ec a7 31 f2      ....TPE'.....1.

    Start Time: 1710942237
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
220 smtp.gmail.com ESMTP b10-20020a170903228a00b001e026392e9csm6415371plh.51 - gsmtp
Q
DONE
--------8<--------8<--------8<--------

Today the problem has vanished. Postfix can connect to smtp.gmail.com:465 without any problem.

I found that this time the IP address of smtp.gmail.com is 74.125.23.109 and its certificate is different from last time.

Below is the openssl output
--------8<--------8<--------8<--------
$ openssl s_client -4 -connect smtp.gmail.com:465 -CAfile /etc/ssl/certs/ca-certificates.crt
CONNECTED(00000003)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = smtp.gmail.com
verify return:1
---
Certificate chain
 0 s:CN = smtp.gmail.com
   i:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
 1 s:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
 2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=CN = smtp.gmail.com

issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1C3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4296 bytes and written 386 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 2239A2310BF7869FEC0A2A9E1F0A731E71E3BFA64838615F3DE030B29F351E57
    Session-ID-ctx:
    Resumption PSK: 82A9F6BCC83C934B9FDF9C96E1237C1A7912A21DDE753130B0655DC26824621AB4E79A98EC1BCC3709468C5255A0BDBC
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 172800 (seconds)
    TLS session ticket:
    0000 - 02 e8 f0 00 54 e4 cf 22-15 fa c6 a8 98 07 aa 50   ....T..".......P
    0010 - db 1c 2a 60 85 16 ec d6-2e 85 34 3c 69 4e 71 85   ..*`......4<iNq.
    0020 - ae 6a 95 6b 84 52 75 75-71 e3 d8 04 87 9f ac 60   .j.k.Ruuq......`
    0030 - a0 14 ab 5b d9 e9 36 a5-59 e5 49 3b f5 91 91 e3   ...[..6.Y.I;....
    0040 - fc 1b 95 76 14 c1 c8 19-31 8f 83 b8 d1 10 a0 6b   ...v....1......k
    0050 - 7a c5 fb 72 25 5b d1 98-2c 6c 9d 2f 53 29 ad 95   z..r%[..,l./S)..
    0060 - 75 13 cc 8f 69 d5 2e ca-72 05 c1 ea c8 de e1 71   u...i...r......q
    0070 - c2 b0 d3 d3 9e 50 8e e7-d4 00 2e c6 c7 8b 60 ab   .....P........`.
    0080 - 6e 64 65 14 ec 5a ac 0c-0b c5 19 7a 60 ac ad 9f   nde..Z.....z`...
    0090 - 74 97 0c 4e 76 0b 11 81-d7 48 0f 01 a7 9a 08 5f   t..Nv....H....._
    00a0 - 2b 42 8c a6 e0 0e 22 3f-d1 c5 a6 0a e7 f2 f5 3e   +B...."?.......>
    00b0 - 66 0b de e4 db 0b 15 fb-81 a9 cd 67 81 9a b2 a2   f..........g....
    00c0 - ca 9b ca 5a 60 f9 46 cd-b8 b8 aa dd 0c d0 62 40   ...Z`.F.......b@
    00d0 - a2 3e 0a b6 18 c9 7b ee-68 60 25 1d 00 39 4b fc   .>....{.h`%..9K.
    00e0 - e9 4d cb 5b 54 50 45 86-a1 32 4e 39 72 53 f7      .M.[TPE..2N9rS.

    Start Time: 1711123775
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 67B3FE4DF347A850DED097D91D0F1E3EBCA2AC934EEF43302C621365FDD32A60
    Session-ID-ctx:
    Resumption PSK: 8332109BB6EF42E98E90AEA56A65EDE58DCD6100006E7955C1CFC68BC9C3513BC2EFE7B6AD12F8A6FC238B9BE78FD82F
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 172800 (seconds)
    TLS session ticket:
    0000 - 02 e8 f0 00 54 e4 cf 22-15 fa c6 a8 98 07 aa 50   ....T..".......P
    0010 - 4b c8 0f 89 7a 8b fc 27-3a 67 b7 4f 2e f9 b7 df   K...z..':g.O....
    0020 - c1 ca c2 50 da 71 9d b3-26 3b a4 d9 c4 71 9a 61   ...P.q..&;...q.a
    0030 - 9d ed dc be a0 21 60 2e-9b 67 89 c4 4d d4 6f 5e   .....!`..g..M.o^
    0040 - cd eb fa 82 96 62 61 78-01 c4 03 1d 7e d7 ef 13   .....bax....~...
    0050 - b5 d4 b8 a1 2c 38 dc 4b-c8 ca c8 4c b7 8c e5 7a   ....,8.K...L...z
    0060 - 7c 94 35 4a c1 ab c4 1c-49 6c df 39 7c fd 3a 5c   |.5J....Il.9|.:\
    0070 - 1e 09 fc cf 3d 98 87 53-c0 8c 79 f3 f3 a1 61 06   ....=..S..y...a.
    0080 - f1 63 9b 95 3a 93 9d f2-a3 ad d5 68 41 79 be eb   .c..:......hAy..
    0090 - e2 1c 2d 62 42 99 9a 48-b6 ff 43 cc 75 43 6f 3d   ..-bB..H..C.uCo=
    00a0 - 7c b4 cc 07 e1 e1 68 a6-cf aa 48 c7 d8 6e 3a 2e   |.....h...H..n:.
    00b0 - 1a b2 88 39 e2 43 bf b1-71 40 74 9d 53 57 2a 3e   ...9.c...@t.sw*>
    00c0 - 8a 48 42 2e f7 77 b4 16-80 bb c3 d3 19 34 15 bb   .HB..w.......4..
    00d0 - 1e 36 e7 58 8b c2 f8 b8-5b ce 90 5d 0a 9f 53 0b   .6.X....[..]..S.
    00e0 - 61 69 bf a0 54 50 45 c1-f8 12 fc 09 67 a8 36      ai..TPE.....g.6

    Start Time: 1711123775
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
220 smtp.gmail.com ESMTP z9-20020a170902708900b001db8145a1a2sm2076442plk.274 - gsmtp
Q
DONE
--------8<--------8<--------8<--------

This means there exist some cases in which Postfix will mistakenly detect the certificate as self-signed.

In Gmail's case, the mail might eventually be sent as long as DNS resolves to a certain IP address that has a certificate compatible with Postfix.

Of course it's my fault for using such an old Postfix and Debian, sorry.

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
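Editor's added example (not code from the poster or from Postfix): a small Python parser for the `openssl s_client` text shown above. It pulls out the "Certificate chain" section and the "Verify return code" line so two captures taken on different days, as in this thread, can be compared mechanically instead of by eye, and it separates two things that both get called "self-signed": a leaf whose issuer equals its subject, and a chain whose top certificate is self-signed, i.e. the server sent a root, which OpenSSL only accepts when that root is present in the CA file (otherwise verify error 19, "self-signed certificate in certificate chain"; the wording varies slightly between OpenSSL versions). In the Gmail captures above the top of the sent chain is GTS Root R1 cross-signed by GlobalSign Root CA, so it is not self-signed. The first sample below is the chain and verify lines from the Gmail capture; the second, for a hypothetical host mail.example.net, is constructed to show the failing case and is not a real capture.

```python
"""Summarise and compare `openssl s_client` certificate-chain output."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: only the lines this parser reads, taken from the
# smtp.gmail.com capture in the thread (hex dumps and PEM body omitted).
CAPTURE_GMAIL = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = smtp.gmail.com
   i:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
 1 s:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
 2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
---
Server certificate
subject=CN = smtp.gmail.com
issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
---
Verify return code: 0 (ok)
"""

# Constructed sample for a hypothetical host whose server sends its own
# self-signed root that is absent from -CAfile. Not a real capture.
CAPTURE_PRIVATE_ROOT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = mail.example.net
   i:CN = Example Private Root
 1 s:CN = Example Private Root
   i:CN = Example Private Root
---
Server certificate
subject=CN = mail.example.net
issuer=CN = Example Private Root
---
Verify return code: 19 (self-signed certificate in certificate chain)
"""

_ENTRY = re.compile(r"^ *(\d+) s:(.*)\n +i:(.*)$", re.M)
_CHAIN = re.compile(r"^Certificate chain\n(.*?)^---$", re.M | re.S)
_VERIFY = re.compile(r"^Verify return code: (\d+) \((.*)\)$", re.M)


@dataclass(frozen=True)
class ChainEntry:
    depth: int
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        # Issuer DN equal to subject DN is the self-signed test used here.
        return self.subject == self.issuer


def parse_chain(text: str) -> list[ChainEntry]:
    """Return the 'Certificate chain' section as ChainEntry objects, depth order."""
    m = _CHAIN.search(text)
    if not m:
        raise ValueError("no 'Certificate chain' section found")
    return [ChainEntry(int(d), s.strip(), i.strip()) for d, s, i in _ENTRY.findall(m.group(1))]


def verify_result(text: str) -> tuple[int, str]:
    """Return (code, text) from the 'Verify return code' line."""
    m = _VERIFY.search(text)
    if not m:
        raise ValueError("no 'Verify return code' line found")
    return int(m.group(1)), m.group(2)


def summarise(text: str) -> dict:
    """Facts an operator wants when chasing a 'self-signed' verification error."""
    chain = parse_chain(text)
    code, reason = verify_result(text)
    top = chain[-1]
    return {
        "leaf": chain[0].subject,
        "depth": len(chain),
        "leaf_self_signed": chain[0].self_signed,   # issuer == subject at depth 0
        "server_sent_root": top.self_signed,        # a self-signed cert tops the chain
        "top_issuer": top.issuer,                   # what the CA file must contain
        "verify_code": code,
        "verify_text": reason,
    }


def chain_differs(a: str, b: str) -> list[str]:
    """Describe, per depth, how the chains in two captures differ."""
    ca, cb = parse_chain(a), parse_chain(b)
    diffs = []
    if len(ca) != len(cb):
        diffs.append(f"chain length {len(ca)} vs {len(cb)}")
    for x, y in zip(ca, cb):
        if x.subject != y.subject:
            diffs.append(f"depth {x.depth} subject: {x.subject!r} vs {y.subject!r}")
        if x.issuer != y.issuer:
            diffs.append(f"depth {x.depth} issuer: {x.issuer!r} vs {y.issuer!r}")
    return diffs


if __name__ == "__main__":
    for name, cap in (("gmail", CAPTURE_GMAIL), ("private-root", CAPTURE_PRIVATE_ROOT)):
        print(name, summarise(cap))
    print("differences:", chain_differs(CAPTURE_GMAIL, CAPTURE_PRIVATE_ROOT))
```

To use it on live output, pipe `openssl s_client -connect HOST:465 -servername HOST -CAfile ... </dev/null` into a file for each address the name resolves to, then feed the files to `summarise` and `chain_differs`; a chain whose `server_sent_root` is true and whose `top_issuer` is not in the CA file is the combination that produces the "self-signed certificate in certificate chain" result.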
