Good morning gentlefolks, I am trying to figure out where my error is, using MTA-STS for virtually hosted domains on my postfix server.
Environment: Ubuntu 24, pf3.11snap (or pf3.10snap, same), apache2, letsencrypt certs, bind9 on the same machine.

The main server is sonne.floppy.org, all other domains are virtual domains. Taking the example of renraku-software.de. Mailhardener replies that the domain is correctly set up for MTA-STS (but in testing mode).

    root@sonne:/srv/www/renraku.org/html/.well-known# cat mta-sts.txt
    version: STSv1
    mode: testing
    mx: sonne.floppy.org
    mx: theater.piekert.de
    mx: butterfly.post-peine.de
    max_age: 86400

The bind zone file includes

    MX 5 sonne.floppy.org.
    MX 10 butterfly.post-peine.de.
    MX 20 theater.piekert.de.
    ...
    mta-sts.renraku-software.de. IN CNAME sonne.floppy.org.
    _mta-sts.renraku-software.de. IN TXT "v=STSv1; id=20250206132101"

The apache mta-sts.txt is served by sonne in a virtual_host with a letsencrypt cert for mta-sts.renraku-software.de (and 2 other renraku domains). So in principle, all should be set up and ready.

Now. I have 2 auxiliary servers (same setup), acting as MX and secondary DNS servers; the postfix config is nearly similar (host-specific differences like virtual, etc.).

    smtp_tls_policy_maps = btree:$meta_directory/tls_nach_ziel

with

    renraku-software.de secure

as directive. A test mail to e.g. postmaster@renraku-software delivers: MX 2 is the example sending host itself.

The server MX 1:

    Feb 21 08:19:20 theater postfix/local[536980]: 257561229F34: to=<administra...@theater.piekert.de>, relay=local, delay=1.6, delays=1.6/0/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
    Feb 21 08:19:20 theater postfix/smtp[538381]: server certificate verification failed for sonne.floppy.org[85.215.122.93]:25: num=62:hostname mismatch
    Feb 21 08:19:20 theater postfix/smtp[538381]: Untrusted TLS connection established to sonne.floppy.org[85.215.122.93]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256
    Feb 21 08:19:20 theater postfix/smtp[538381]: TLSRPT: status=failure, domain=renraku-software.de, receiving_mx=sonne.floppy.org[85.215.122.93], failure_type=certificate_not_trusted
    Feb 21 08:19:20 theater postfix/smtp[538381]: 257561229F34: Server certificate not verified
    Feb 21 08:19:20 theater postfix/smtp[538381]: server certificate verification failed for sonne.floppy.org[2a01:239:0:be::1]:25: num=62:hostname mismatch
    Feb 21 08:19:20 theater postfix/smtp[538381]: Untrusted TLS connection established to sonne.floppy.org[2a01:239:0:be::1]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256
    Feb 21 08:19:20 theater postfix/smtp[538381]: TLSRPT: status=failure, domain=renraku-software.de, receiving_mx=sonne.floppy.org[2a01:239:0:be::1], failure_type=certificate_not_trusted
    Feb 21 08:19:20 theater postfix/smtp[538381]: 257561229F34: Server certificate not verified

Since delivery via MX 1 is not possible, MX 2 is the source, delivery to MX 3 is attempted, but it shows the same behaviour as MX 1 and fails message delivery.

So it comes down to

    num=62:hostname mismatch

Now that is the main issue for me: what hostname is EXPECTED *in the cert*?!

Is the apache-served certificate of the *recipient* domain expected? I have read through quite some "how tos" but NEVER found the necessity of having THAT certificate installed in postfix itself?! Btw. mta-sts.renraku-software.de has a different cert than (www.)renraku-software.de, does that play a role?

And it is not that the server cert of sonne itself is untrusted:

    Feb 21 08:42:06 theater postfix/smtp[553273]: Verified TLS connection established to sonne.floppy.org[2a01:239:0:be::1]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256
    Feb 21 08:42:06 theater postfix/smtp[553273]: TLSRPT: status=success, domain=floppy.org, receiving_mx=sonne.floppy.org[2a01:239:0:be::1]

For floppy.org I have more or less the same mta-sts setup btw, same directive file, enforce instead of testing. Difference is, the main server cert on sonne has floppy.org in its name? So WHERE is my error?

Further, I assume the directive "secure" in the tls policy overrides the "testing" policy, right?

*IF* I downgrade the tls directive from "secure" to "encrypt":

    Feb 21 08:50:56 theater postfix/qmgr[553270]: 257561229F34: from=<r...@theater.piekert.de>, size=426, nrcpt=2 (queue active)
    Feb 21 08:50:56 theater postfix/smtp[560140]: Trusted TLS connection established to sonne.floppy.org[85.215.122.93]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256
    Feb 21 08:50:56 theater postfix/smtp[560140]: TLSRPT: status=success, domain=renraku-software.de, receiving_mx=sonne.floppy.org[85.215.122.93]

It works.

Help anybody?

Florian

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
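The two peer-name checks that collide in this thread, as an added model that is not part of the original post: the MTA-STS rule from RFC 8461 §4.2 (the certificate must match the MX hostname listed in the policy) versus Postfix's documented default for the "secure" level (smtp_tls_secure_cert_match = nexthop, dot-nexthop, i.e. the certificate must match the recipient domain or a subdomain of it). Domain and MX names are taken from the post; the certificate SAN list for sonne is constructed, and the dot-nexthop handling is my reading of the Postfix documentation.

```python
# Added example: model the peer-name expectations of RFC 8461 MTA-STS and of
# Postfix's default "secure" match, using the names from the thread.
# Constructed SAN list for the MX host's certificate (assumed, not from the post).
SONNE_CERT_SANS = ["sonne.floppy.org", "floppy.org"]
# "mx:" entries from the mta-sts.txt quoted in the post.
POLICY_MX = ["sonne.floppy.org", "theater.piekert.de", "butterfly.post-peine.de"]


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def cert_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or a wildcard covering exactly one leftmost label."""
    pattern, hostname = _norm(pattern), _norm(hostname)
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 2 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def mta_sts_ok(sans, mx_host, policy_mx) -> bool:
    """RFC 8461 section 4.2: the MX host must be covered by an mx: entry of the
    policy, and the server certificate must be valid for the MX hostname itself."""
    if not any(cert_name_matches(entry, mx_host) for entry in policy_mx):
        return False
    return any(cert_name_matches(san, mx_host) for san in sans)


def postfix_secure_default_ok(sans, nexthop) -> bool:
    """Postfix 'secure' with the default smtp_tls_secure_cert_match = nexthop, dot-nexthop:
    nexthop   -> a certificate name equals the recipient (next-hop) domain;
    dot-nexthop -> a certificate name is a subdomain of it (assumed reading of the docs).
    Note that the MX hostname plays no role here; only the recipient domain does."""
    nexthop = _norm(nexthop)
    for san in sans:
        if cert_name_matches(san, nexthop) or _norm(san).endswith("." + nexthop):
            return True
    return False


if __name__ == "__main__":
    for domain in ("renraku-software.de", "floppy.org"):
        print(domain, "MTA-STS:", mta_sts_ok(SONNE_CERT_SANS, "sonne.floppy.org", POLICY_MX),
              "postfix secure default:", postfix_secure_default_ok(SONNE_CERT_SANS, domain))
```

Running it shows the asymmetry in the logs: the same certificate on sonne satisfies the MTA-STS rule for both domains, passes the default "secure" match only for floppy.org, and is a hostname mismatch for renraku-software.de unless the policy entry names the MX hosts explicitly via a match= attribute.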