On Wed, Mar 20, 2024 at 10:25:26PM +0800, Cowbay via Postfix-users wrote:

> I'm using Debian 10, an old Debian distribution. The Postfix version is
> 3.4.23.
The base 4.0 release is ~5 years old, but not materially different in its
core TLS functionality. You'd see the same results with the latest Postfix
3.9.0.

> I found below in the log, it says "certificate verification failed for
> smtp.gmail.com[64.233.189.109]:465: self-signed certificate"
> --------8<--------8<--------8<--------
> Mar 20 21:27:38 SERVER postfix/qmgr[12913]: DC7D0140531:
> from=<myn...@gmail.com>, size=122883, nrcpt=1 (queue active)
> Mar 20 21:27:38 SERVER postfix/smtp[15534]: certificate verification failed
> for smtp.gmail.com[64.233.189.109]:465: self-signed certificate
> Mar 20 21:27:38 SERVER postfix/smtp[15534]: Untrusted TLS connection
> established to smtp.gmail.com[64.233.189.109]:465: TLSv1.3 with cipher
> TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature
> RSA-PSS (2048 bits) server-digest SHA256
> Mar 20 21:27:38 SERVER postfix/smtp[15534]: DC7D0140531:
> to=<some...@some.com>, relay=smtp.gmail.com[64.233.189.109]:465, delay=2789,
> delays=2789/0.08/0.06/0, dsn=4.7.5, status=deferred (Server certificate not
> trusted)

Perhaps this is a result of not sending SNI?

> I have configured sender_dependent_default_transport_maps so the mail sender
> @gmail.com would use smtp.gmail:[smtp.gmail.com]:465
>
> The smtp.gmail is below
> --------8<--------8<--------8<--------
> smtp.gmail unix - - n - - smtp
>   -o smtp_generic_maps=regexp:/etc/postfix/smtp_generic_maps
>   -o smtp_header_checks=pcre:/etc/postfix/smtp_header_checks
>   -o smtp_helo_name=localhost
>   -o smtp_tls_wrappermode=yes
>   -o smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
> --------8<--------8<--------8<--------

What is the "security level"? You must have something in
"smtp_tls_policy_maps" to require TLS for this destination. What is the
relevant entry there? What is the main.cf value of "smtp_tls_security_level"?
> I believe my transport and SASL configurations are fine since the
> problem is Postfix thinks smtp.gmail.com:465 uses a self-signed
> certificate.

No, the self-signed certificate might have been some root CA that isn't
listed in your CAfile. Or perhaps the Gmail load-balancer did present a
self-signed certificate for some reason.

> Do you have any idea how to solve this problem?

If it isn't reproducible, it is unlikely that much can be determined long
after the fact. Please share your TLS policy table entry, and when comparing
Postfix against openssl s_client, specify the same IP address as the target
host, at most minutes after observing any failure to verify the chain from
Postfix. For example:

openssl s_client ... -verify_hostname smtp.gmail.com -connect 64.233.189.109:465

You should try with each of "-servername smtp.google.com" and "-noservername"
options.

On Sat, Mar 23, 2024 at 12:20:40AM +0800, Cowbay via Postfix-users wrote:

> Today the problem has vanished. Postfix can connect to smtp.gmail.com:465
> without problem.

There are many datacentres in which smtp.gmail.com might be found, and they
don't necessarily always present the same certificate (rollouts of new cert
chains and software take place earlier in some locations than others).

> I found that this time the IP address of smtp.gmail.com becomes
> 74.125.23.109 and its certificate is different from last time.

There are many more.

> This means there exist some cases where Postfix will make a mistake and
> detect the certificate as self-signed.

No, Postfix correctly reports what it finds. There was no "mistake", don't
blame the messenger.

> In Gmail's case, the mail might eventually be sent as long as the DNS
> resolves to a certain IP address that has a compatible certificate for Postfix.
>
> Of course it's my bad that I use such an old Postfix and Debian, sorry.

Postfix 3.4 is a bit dated, but there is no reason to expect any issues.
When I test with s_client, I see the same certificate chain at that address
regardless of whether SNI is used:

$ openssl s_client -servername smtp.gmail.com -verify_hostname smtp.gmail.com -connect 64.233.189.109:465 < /dev/null
...
Certificate chain
 0 s:CN = smtp.gmail.com
   i:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 26 08:18:13 2024 GMT; NotAfter: May 20 08:18:12 2024 GMT
 1 s:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 13 00:00:42 2020 GMT; NotAfter: Sep 30 00:00:42 2027 GMT
 2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT

$ openssl s_client -noservername -verify_hostname smtp.gmail.com -connect 64.233.189.109:465 < /dev/null
...
Certificate chain
 0 s:CN = smtp.gmail.com
   i:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 26 08:17:53 2024 GMT; NotAfter: May 20 08:17:52 2024 GMT
 1 s:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 13 00:00:42 2020 GMT; NotAfter: Sep 30 00:00:42 2027 GMT
 2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT

With posttls-finger, I see:

$ posttls-finger -wc -F /etc/ssl/cert.pem -lsecure "[64.233.189.109]:465" smtp.gmail.com
posttls-finger: 64.233.189.109[64.233.189.109]:465: matched peername: smtp.gmail.com
posttls-finger: 64.233.189.109[64.233.189.109]:465: subject_CN=smtp.gmail.com, issuer=GTS CA 1C3, cert fingerprint=F7:5F:AA:8D:B5:7A:A7:A4:8A:34:0C:C3:12:18:D8:77:3B:A9:F7:75:E1:EC:76:25:76:79:41:B2:AB:46:34:E1, pkey fingerprint=E9:BB:66:2D:A5:7C:05:FD:C4:EE:2D:CD:33:9C:32:6D:F7:99:7E:66:29:1F:F0:A4:5E:42:05:57:32:10:7C:96
posttls-finger: Verified TLS connection established to 64.233.189.109[64.233.189.109]:465: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256

At this time, nothing that matches your reported symptoms.

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
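The thread's advice is to re-test the exact relay IP that Postfix logged as untrusted, shortly after the failure, with openssl s_client or posttls-finger. As an added example (not part of the thread, and not Postfix's own code), the following Python groups the Postfix smtp log lines by peer host[ip]:port so the failing address and its delivery outcome can be read off directly. The log sample is constructed to mirror the lines quoted above; the sender/recipient addresses and the later successful delivery via 74.125.23.109 are made up.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the Postfix log lines quoted in the thread;
# addresses and the second (successful) delivery are made up.
SAMPLE_LOG = """\
Mar 20 21:27:38 SERVER postfix/qmgr[12913]: DC7D0140531: from=<sender@example.com>, size=122883, nrcpt=1 (queue active)
Mar 20 21:27:38 SERVER postfix/smtp[15534]: certificate verification failed for smtp.gmail.com[64.233.189.109]:465: self-signed certificate
Mar 20 21:27:38 SERVER postfix/smtp[15534]: Untrusted TLS connection established to smtp.gmail.com[64.233.189.109]:465: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Mar 20 21:27:38 SERVER postfix/smtp[15534]: DC7D0140531: to=<rcpt@example.net>, relay=smtp.gmail.com[64.233.189.109]:465, delay=2789, delays=2789/0.08/0.06/0, dsn=4.7.5, status=deferred (Server certificate not trusted)
Mar 23 00:10:02 SERVER postfix/smtp[20117]: Verified TLS connection established to smtp.gmail.com[74.125.23.109]:465: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Mar 23 00:10:02 SERVER postfix/smtp[20117]: DC7D0140531: to=<rcpt@example.net>, relay=smtp.gmail.com[74.125.23.109]:465, delay=264000, delays=264000/0.05/0.9/1.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# hostname[ip]:port, the way Postfix prints the remote peer
PEER = r"(?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+)"
VERIFY_FAILED = re.compile(
    r"postfix/smtp\[\d+\]: certificate verification failed for " + PEER + r": (?P<reason>.+)$")
TLS_ESTABLISHED = re.compile(
    r"postfix/smtp\[\d+\]: (?P<level>Untrusted|Trusted|Verified|Anonymous) TLS connection "
    r"established to " + PEER + r": (?P<params>.+)$")
DELIVERY = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<[^>]*>, relay=" + PEER
    + r", .*dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)")

def summarize_tls(log_text):
    """Group verification failures, TLS trust levels and delivery outcomes by (host, ip, port)."""
    summary = defaultdict(lambda: {"verify_failures": [], "tls_levels": [], "deliveries": []})
    for line in log_text.splitlines():
        if m := VERIFY_FAILED.search(line):
            summary[(m["host"], m["ip"], int(m["port"]))]["verify_failures"].append(m["reason"])
        elif m := TLS_ESTABLISHED.search(line):
            summary[(m["host"], m["ip"], int(m["port"]))]["tls_levels"].append(m["level"])
        elif m := DELIVERY.search(line):
            summary[(m["host"], m["ip"], int(m["port"]))]["deliveries"].append(
                (m["qid"], m["dsn"], m["status"]))
    return dict(summary)

def untrusted_peers(summary):
    """Peers whose chain was not verified: the exact IPs to re-test with s_client or posttls-finger."""
    return sorted(peer for peer, rec in summary.items()
                  if rec["verify_failures"] or "Untrusted" in rec["tls_levels"])

if __name__ == "__main__":
    result = summarize_tls(SAMPLE_LOG)
    for host, ip, port in untrusted_peers(result):
        rec = result[(host, ip, port)]
        print(f"{host}[{ip}]:{port}: {rec['verify_failures']} -> {rec['deliveries']}")
```

Run against a real mail.log, the per-IP grouping shows whether failures cluster on one datacentre address while other addresses verify fine, which is the pattern the thread describes.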