Victor,

On Mon, 2024-12-09 at 19:46 +1100, Viktor Dukhovni via Postfix-users wrote:
> On Mon, Dec 09, 2024 at 08:28:55AM +0100, Tobi via Postfix-users wrote:
> 
> > since this weekend we have the issue that our postfix seems to be
> > unable to verify TLS certs presented by Microsoft. We get
> > 
> > > Server certificate not verified
> 
> Is that preventing mail delivery, or just noise in the logs?

Not just noise. It prevents our delivery and finally we bounce back to sender with "expired".

> > > openssl verify -verbose <(echo | openssl s_client -connect \
> > > 52.101.73.19:25 -starttls smtp 2>/dev/null)
> 
> This does not set the "servername" (SNI extension hostname), so you'll
> get the default certificate, which may not be the "right one".
> 
> > > C = US, ST = Washington, L = Redmond, O = Microsoft Corporation,
> > > CN = mail.protection.outlook.com
> > > error 20 at 0 depth lookup: unable to get local issuer certificate
> > > error /dev/fd/63: verification failed
> 
> It would have been more useful if you had posted the certificate chain
> instead. Assuming you were actually trying to get to something like:
> "<some-customer-com.mail.protection.outlook.com>". Probing that we
> see a chain with an EE and issuer certificate:
> 
>     $ posttls-finger -cC -lverify -Lsummary "nist-gov.mail.protection.outlook.com" 2>/dev/null > /tmp/msft-chain.pem
> 
>     $ openssl crl2pkcs7 -nocrl -certfile /tmp/msft-chain.pem | openssl pkcs7 -print_certs -noout
>     subject=C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = mail.protection.outlook.com
>     issuer=C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
> 
>     subject=C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
>     issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA

Thanks for the hint with posttls-finger. Using that I can see that the certificate gets validated properly:

    openssl verify -show_chain -untrusted <(posttls-finger -cC -lverify -Lsummary "leha-ch.mail.protection.outlook.com" 2>/dev/null) <(posttls-finger -cC -lverify -Lsummary "leha-ch.mail.protection.outlook.com" 2>/dev/null)
    /dev/fd/62: OK
    Chain:
    depth=0: C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = mail.protection.outlook.com (untrusted)
    depth=1: C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1 (untrusted)
    depth=2: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA

Does this mean that postfix does not use SNI and therefore gets the default cert, which also openssl confirms that it cannot be validated?

> This verifies against the Fedora 41 system trust store, via the "Digicert
> Global Root CA" trust anchor:
> 
>     $ openssl verify -show_chain -untrusted /tmp/msft-chain.pem /tmp/msft-chain.pem
>     /tmp/msft-chain.pem: OK
>     Chain:
>     depth=0: C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = mail.protection.outlook.com (untrusted)
>     depth=1: C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1 (untrusted)
>     depth=2: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
> 
> The certs in question are below my signature. Unless the problem was
> fixed between your post and my reply, things seem OK on the MSFT end.

Cheers

tobi
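The check discussed in this thread, as an added example that is not part of the original posts: it reproduces the posttls-finger / openssl verify steps with plain openssl s_client, fetching the chain both without SNI and with the customer-specific servername, so the two results can be compared. The /tmp paths and the example-com.mail.protection.outlook.com name are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). Paths under /tmp and the
# example-com.mail.protection.outlook.com name are assumptions.

# fetch_chain HOST PORT SNI OUTFILE
# STARTTLS to HOST:PORT, send SNI (or no SNI at all when SNI is empty) and
# save every certificate the server presents, leaf first, as a PEM bundle.
fetch_chain() {
    host=$1 port=$2 sni=$3 out=$4
    if [ -n "$sni" ]; then sniopt="-servername $sni"; else sniopt="-noservername"; fi
    openssl s_client -connect "$host:$port" -starttls smtp $sniopt -showcerts \
        </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >"$out"
    [ -s "$out" ]
}

# chain_subjects FILE: print subject/issuer of each certificate in the bundle
# (the same crl2pkcs7 trick used in the thread).
chain_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# verify_chain FILE [CAFILE]: build the path from the leaf, using the other
# certificates in FILE as untrusted intermediates, anchored on CAFILE when
# given and otherwise on the system trust store. Exit status 0 means "OK".
verify_chain() {
    if [ -n "${2:-}" ]; then
        openssl verify -show_chain -CAfile "$2" -untrusted "$1" "$1"
    else
        openssl verify -show_chain -untrusted "$1" "$1"
    fi
}

# compare_sni HOST SNI: verify the default (no-SNI) certificate and the
# SNI-selected one side by side. A default certificate that fails while the
# SNI one verifies is exactly the situation described in the thread.
compare_sni() {
    fetch_chain "$1" 25 ""   /tmp/chain-nosni.pem && verify_chain /tmp/chain-nosni.pem
    echo "--- no SNI: exit=$?"
    fetch_chain "$1" 25 "$2" /tmp/chain-sni.pem   && verify_chain /tmp/chain-sni.pem
    echo "--- SNI=$2: exit=$?"
}

# Usage (needs network), e.g.:
#   compare_sni example-com.mail.protection.outlook.com example-com.mail.protection.outlook.com
```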