On Mon, Dec 09, 2024 at 08:28:55AM +0100, Tobi via Postfix-users wrote:

> Since this weekend we have the issue that our Postfix seems to be
> unable to verify TLS certs presented by Microsoft. We get
>
> > Server certificate not verified
Is that preventing mail delivery, or just noise in the logs?

> openssl verify -verbose <(echo | openssl s_client -connect \
> 52.101.73.19:25 -starttls smtp 2>/dev/null)

This does not set the "servername" (SNI extension hostname), so you'll
get the default certificate, which may not be the "right one".

> > C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN =
> > mail.protection.outlook.com
> > error 20 at 0 depth lookup: unable to get local issuer certificate
> > error /dev/fd/63: verification failed

It would have been more useful if you had posted the certificate chain
instead. Assuming you were actually trying to get to something like
"<some-customer-com.mail.protection.outlook.com>", probing that we see a
chain with an EE and issuer certificate:

    $ posttls-finger -cC -lverify -Lsummary "nist-gov.mail.protection.outlook.com" 2>/dev/null > /tmp/msft-chain.pem
    $ openssl crl2pkcs7 -nocrl -certfile /tmp/msft-chain.pem | openssl pkcs7 -print_certs -noout
    subject=C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = mail.protection.outlook.com
    issuer=C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1

    subject=C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
    issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA

This verifies against the Fedora 41 system trust store, via the
"DigiCert Global Root CA" trust anchor:

    $ openssl verify -show_chain -untrusted /tmp/msft-chain.pem /tmp/msft-chain.pem
    /tmp/msft-chain.pem: OK
    Chain:
    depth=0: C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = mail.protection.outlook.com (untrusted)
    depth=1: C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1 (untrusted)
    depth=2: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA

The certs in question are below my signature. Unless the problem was
fixed between your post and my reply, things seem OK on the MSFT end.

-- 
    Viktor.
$ openssl crl2pkcs7 -nocrl -certfile /tmp/msft-chain.pem | openssl pkcs7 -print_certs
subject=C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = mail.protection.outlook.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
-----BEGIN CERTIFICATE-----
MIIJnzCCCIegAwIBAgIQBM8LWp1nqH4zl6yjIzf1ODANBgkqhkiG9w0BAQsFADBL
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSUwIwYDVQQDExxE
aWdpQ2VydCBDbG91ZCBTZXJ2aWNlcyBDQS0xMB4XDTI0MDkxODAwMDAwMFoXDTI1
MDkxNzIzNTk1OVowejELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x
EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv
bjEkMCIGA1UEAxMbbWFpbC5wcm90ZWN0aW9uLm91dGxvb2suY29tMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvc99UgnaTq4fC4Hq3bklkIUtW0ht0oqk
PtFH0X9HE7Ljlos8TTIhhgqsIGGTbWuhp5PJSSkIPTrQFBmrDJ6JL0OxKjmhqYft
RkmTwT2+t+OYsEohz4kic6fmiB1ktpFkrXgwk+Tu5o0BL7v00mOzrk6Di4X/hKoe
9CElsV4LWOi9PoxSufTxzwGGfoxJ2C6Ozs5t3OWlg8R2qbPKB4u5ZAhtdKIwmlMt
IRP1MwkuuLe2s4iayuELcHMSTtSXAOzwmPHMVJrT+pNuQ2K1RSVBpD6BWyxMswzt
B5u0n467pOpdQt/G34Z6XKsvNGNFQXfX9ivOpoqT3vL6xQc9vTxNcQIDAQABo4IG
TjCCBkowHwYDVR0jBBgwFoAU3VHQojFzqXOuj7QBfl2MV8uf8PcwHQYDVR0OBBYE
FID2pktuAi61jnfIyUZuLcUvHqxhMIIC+QYDVR0RBIIC8DCCAuyCG21haWwucHJv
dGVjdGlvbi5vdXRsb29rLmNvbYIVKi5tYWlsLmVvLm91dGxvb2suY29tgh0qLm1h
aWwucHJvdGVjdGlvbi5vdXRsb29rLmNvbYIcbWFpbC5tZXNzYWdpbmcubWljcm9z
b2Z0LmNvbYILb3V0bG9vay5jb22CHCoub2xjLnByb3RlY3Rpb24ub3V0bG9vay5j
b22CEyoucGFteDEuaG90bWFpbC5jb22CHCoubWFpbC5wcm90ZWN0aW9uLm91dGxv
b2suZGWCDioubXgubWljcm9zb2Z0ghMqLmstdjEubXgubWljcm9zb2Z0ghMqLm4t
djEubXgubWljcm9zb2Z0ghMqLnEtdjEubXgubWljcm9zb2Z0ghMqLnktdjEubXgu
bWljcm9zb2Z0ghMqLmQtdjEubXgubWljcm9zb2Z0ghMqLmUtdjEubXgubWljcm9z
b2Z0ghMqLmEtdjEubXgubWljcm9zb2Z0ghMqLnItdjEubXgubWljcm9zb2Z0ghMq
LnctdjEubXgubWljcm9zb2Z0ghMqLnAtdjEubXgubWljcm9zb2Z0ghMqLngtdjEu
bXgubWljcm9zb2Z0ghMqLmotdjEubXgubWljcm9zb2Z0ghMqLnMtdjEubXgubWlj
cm9zb2Z0ghMqLmMtdjEubXgubWljcm9zb2Z0ghMqLmItdjEubXgubWljcm9zb2Z0
ghMqLmYtdjEubXgubWljcm9zb2Z0ghMqLmktdjEubXgubWljcm9zb2Z0ghMqLnQt
djEubXgubWljcm9zb2Z0ghMqLm0tdjEubXgubWljcm9zb2Z0ghMqLm8tdjEubXgu
bWljcm9zb2Z0ghMqLmctdjEubXgubWljcm9zb2Z0ghMqLnYtdjEubXgubWljcm9z
b2Z0ghMqLmgtdjEubXgubWljcm9zb2Z0ghMqLmwtdjEubXgubWljcm9zb2Z0ghMq
LnUtdjEubXgubWljcm9zb2Z0MD4GA1UdIAQ3MDUwMwYGZ4EMAQICMCkwJwYIKwYB
BQUHAgEWG2h0dHA6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAOBgNVHQ8BAf8EBAMC
BaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMIGNBgNVHR8EgYUwgYIw
P6A9oDuGOWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydENsb3VkU2Vy
dmljZXNDQS0xLWcxLmNybDA/oD2gO4Y5aHR0cDovL2NybDQuZGlnaWNlcnQuY29t
L0RpZ2lDZXJ0Q2xvdWRTZXJ2aWNlc0NBLTEtZzEuY3JsMHwGCCsGAQUFBwEBBHAw
bjAlBggrBgEFBQcwAYYZaHR0cDovL29jc3B4LmRpZ2ljZXJ0LmNvbTBFBggrBgEF
BQcwAoY5aHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0Q2xvdWRT
ZXJ2aWNlc0NBLTEuY3J0MAwGA1UdEwEB/wQCMAAwggF+BgorBgEEAdZ5AgQCBIIB
bgSCAWoBaAB2ABLxTjS9U3JMhAYZw48/ehP457Vih4icbTAFhOvlhiY6AAABkgUr
HhgAAAQDAEcwRQIhAP30Wx8SLPKfdw0RKjN994pXMvga1N/W4cyjqhSzVMtAAiBa
6l1i2j2K9dJXOA7I9l6E218Ho0fd4QiM7Yu9LmgCkgB1AObSMWNAd4zBEEEG13G5
zsHSQPaWhIb7uocyHf0eN45QAAABkgUrHd4AAAQDAEYwRAIgUkVoXxUQCRnmh833
MmQe2H0nMcaAwV74izsPe0scAxECIGCnTb9sfmqAVBGwagBc5u7sp0EliewySyO4
nhIsn/jyAHcAzPsPaoVxCWX+lZtTzumyfCLphVwNl422qX5UwP5MDbAAAAGSBSsd
1AAABAMASDBGAiEAuNL3G2JGv3ywkOadFlDGcwvBnQdK3jsQCXg4V6DtQSYCIQCs
MMpOY7eCnnIRbz/Na9GyjCfnZaCJIq5WoeFJazE7GTANBgkqhkiG9w0BAQsFAAOC
AQEAZVstVOJ9PGgg8BOlGD23ifMDSd3aIeeJVP/1LuQNrYxPDlo+1F9V7YFLTUrT
r3RgFdAmVh21fe/I1/iuGBDfAgq7wQVJdMYqvnhVhtGBVelEU9ey4Fj2N7eHBz8g
wM26P3GIpeEBxOLrFkrFF18s7LOEB5f0nxGhdAMxdVBh+z6VB668Y1FPmkvp9UQQ
EmlJdlDNbHgPQvIh/1se39TCGi5/uxDZttJSe+D67W1v4dBvu/N0cAbD/vN2Q2wq
24vAvnw6DwfCvfOIN0x1VzQhQwlIrgJLBH4GOFi/KxOw4X2P9bJ5cC9jT0l5/V5K
1P98W5eP3I2YWc5VxfaEbL9RDA==
-----END CERTIFICATE-----

subject=C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
-----BEGIN CERTIFICATE-----
MIIE5jCCA86gAwIBAgIQDxcaSMbyI4CSGM0u1t3A6DANBgkqhkiG9w0BAQsFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0yMDA5MjUwMDAwMDBaFw0zMDA5MjQyMzU5NTlaMEsxCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJTAjBgNVBAMTHERpZ2lDZXJ0IENsb3Vk
IFNlcnZpY2VzIENBLTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDR
rfaHFHlUJ1fHLwVoPJs8zWfsRRAshPKkR8TZU0JFCbvk/jPB17xGL9GL5re1Z3h8
anC+/bjltlTPTF6suCJ0c1UpCHPIZPfQlQkOeYNQv1/11MybQmGOgAS5QarOThKZ
m6zWxb5bAnO1FqSrcWLUmOpAOYWm9rsv6OeHwov2nDLN7Pg+v4nndCOCS9rqv3Om
JTz9v6nlaP/4MKJgxzsuo/PFfzs7/Q8xoXx0D9C/FMS9aPGl52un35sAfkYlTubo
E/P2BsfUbwsnIEJdYbw/YNJ8lnLJfLCL//lIBVME+iKvt81RXW3dkHQD8DNP9MfA
PlZGR69zIIvcej6j8l3/AgMBAAGjggGuMIIBqjAdBgNVHQ4EFgQU3VHQojFzqXOu
j7QBfl2MV8uf8PcwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUwDgYD
VR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjASBgNV
HRMBAf8ECDAGAQH/AgEAMHYGCCsGAQUFBwEBBGowaDAkBggrBgEFBQcwAYYYaHR0
cDovL29jc3AuZGlnaWNlcnQuY29tMEAGCCsGAQUFBzAChjRodHRwOi8vY2FjZXJ0
cy5kaWdpY2VydC5jb20vRGlnaUNlcnRHbG9iYWxSb290Q0EuY3J0MHsGA1UdHwR0
MHIwN6A1oDOGMWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2Jh
bFJvb3RDQS5jcmwwN6A1oDOGMWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdp
Q2VydEdsb2JhbFJvb3RDQS5jcmwwMAYDVR0gBCkwJzAHBgVngQwBATAIBgZngQwB
AgEwCAYGZ4EMAQICMAgGBmeBDAECAzANBgkqhkiG9w0BAQsFAAOCAQEANJE52TD/
zFvmYQGp0P3ntVzclyqsN7Aga/s2SmhGoow32hcBWc6OVgQILYjXndBwRdTn6/97
nb+5a0sEfMoc7mto2ALmLim+XgZ6bg2nQX1A2lWYUoFou0YDHzGsKUNcLQOjoJU4
t9UMxv6+Je7RB77+j3mVmsNxBF13Q+LEHWiY+IJSazVqv7w73izbAFo6cF9sK0hp
qdmSKdB/MNfnT9YF4/WYlyCwFhpaK3mPuU2XiOzGswPhMMRwgawnk4XTNemtHPSq
fP/JzQHsefL75Tx5c8tHJAcp3C/QD+JcUUHocUPuW62x79wO9pNl5N5U4jIVFa4k
x6pNQytYvwMPeg==
-----END CERTIFICATE-----
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
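The reply above makes two points: "error 20 at 0 depth lookup: unable to get local issuer certificate" means the verifier could not find the issuer of the leaf (here the intermediate), and it goes away once that intermediate is available, which Viktor did with "-untrusted /tmp/msft-chain.pem"; and an s_client probe without -servername may return a different (default) certificate than the one Postfix sees. The script below is an added example, not code from the original post or from Postfix. It builds a constructed three-tier PKI with the openssl CLI so the failure and the fix can be reproduced offline, pinning the constructed root with -CAfile instead of relying on a system trust store as the reply does. The CA names, the hostname mx.example.test, the file layout and the function names (fetch_smtp_chain, make_test_pki, verify_leaf) are all assumptions; fetch_smtp_chain only shows the -servername form of the probe and needs network access, so the offline demo does not call it.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce "error 20 at 0
# depth lookup" offline and show that supplying the missing intermediate
# with -untrusted fixes it. Requires only the openssl CLI.
set -eu

# fetch_smtp_chain HOST [PORT]
# Capture the PEM chain a server presents after STARTTLS, with SNI set to
# HOST. The command in the original post omitted -servername and so got
# the server's default certificate. Needs network; not used by demo().
fetch_smtp_chain() {
    host=$1; port=${2:-25}
    openssl s_client -connect "$host:$port" -starttls smtp \
        -servername "$host" -showcerts </dev/null 2>/dev/null |
        sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p'
}

# make_test_pki DIR
# Build a constructed chain root -> intermediate -> leaf under DIR.
# Names and lifetimes are assumptions made for this example.
make_test_pki() {
    dir=$1
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' >"$dir/ca.ext"
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' \
        'subjectAltName=DNS:mx.example.test' >"$dir/leaf.ext"

    # Root CA: self-signed trust anchor (stands in for a system root).
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
        -subj '/O=Example Test PKI/CN=Example Test Root CA' \
        -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null

    # Intermediate CA, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/int.key" \
        -subj '/O=Example Test PKI/CN=Example Test Issuing CA 1' \
        -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/int.csr" -CA "$dir/root.pem" \
        -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/ca.ext" \
        -out "$dir/int.pem" 2>/dev/null

    # Leaf (EE) certificate for the MX host, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" \
        -subj '/CN=mx.example.test' -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/leaf.csr" -CA "$dir/int.pem" \
        -CAkey "$dir/int.key" -CAcreateserial -extfile "$dir/leaf.ext" \
        -out "$dir/leaf.pem" 2>/dev/null
}

# verify_leaf HOST ROOT LEAF [UNTRUSTED]
# Verify LEAF with ROOT as the only trust anchor and HOST as the expected
# name, optionally supplying an untrusted intermediate bundle (the
# "-untrusted" step in the reply). Prints openssl's merged stdout/stderr
# and returns its exit status (0 only on success).
verify_leaf() {
    host=$1; root=$2; leaf=$3; untrusted=${4:-}
    if [ -n "$untrusted" ]; then
        openssl verify -show_chain -CAfile "$root" -untrusted "$untrusted" \
            -verify_hostname "$host" "$leaf" 2>&1
    else
        openssl verify -show_chain -CAfile "$root" \
            -verify_hostname "$host" "$leaf" 2>&1
    fi
}

demo() {
    work=$(mktemp -d)
    make_test_pki "$work"
    echo '== leaf only, root trusted: issuer (intermediate) not found =='
    verify_leaf mx.example.test "$work/root.pem" "$work/leaf.pem" || true
    echo '== leaf plus intermediate via -untrusted =='
    verify_leaf mx.example.test "$work/root.pem" "$work/leaf.pem" "$work/int.pem"
    echo '== same chain, wrong expected hostname =='
    verify_leaf wrong.example.test "$work/root.pem" "$work/leaf.pem" "$work/int.pem" || true
    rm -rf "$work"
}

demo
```

The first verify_leaf call fails with exit status 2 and "error 20 at 0 depth lookup: unable to get local issuer certificate", the same symptom as in the post, because only the root is trusted and nothing supplies the intermediate. The second call prints "OK" and, via -show_chain, the three-certificate path. The third call shows why -verify_hostname is worth adding to such checks: a chain can be perfectly valid and still not be for the host you are talking to, which Postfix reports separately from a missing issuer.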