On Fri, Feb 21, 2025 at 08:51:47AM +0100, Florian Piekert via Postfix-users wrote:
> testmail to e.g. postmas...@renraku-software.de delivers:
>
> MX 2 is the example sending host itself.
> Feb 21 08:19:20 theater postfix/local[536980]: 257561229F34:
> to=<administra...@theater.piekert.de>, relay=local, delay=1.6,
> delays=1.6/0/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
> Feb 21 08:19:20 theater postfix/smtp[538381]: server certificate verification
> failed for sonne.floppy.org[85.215.122.93]:25: num=62:hostname mismatch

    renraku-software.de. IN MX 5 sonne.floppy.org.
    renraku-software.de. IN MX 10 butterfly.post-peine.de.
    renraku-software.de. IN MX 20 theater.piekert.de.

    $ posttls-finger -F/etc/pki/tls/cert.pem -c -lsecure "[theater.piekert.de]"
    posttls-finger: theater.piekert.de[81.169.233.252]:25: matched peername: *.piekert.de
    posttls-finger: theater.piekert.de[81.169.233.252]:25: subject_CN=*.piekert.de, issuer=Sectigo RSA Domain Validation Secure Server CA, cert fingerprint=2F:05:11:73:38:40:58:7D:E8:D2:0A:40:C8:EB:58:F9:59:7E:7F:DF:6A:61:3E:3B:77:B6:8F:44:4B:BE:96:95, pkey fingerprint=10:31:DB:29:D8:57:4C:A3:B2:46:AF:BB:88:27:6C:C6:F9:6B:49:C1:D9:FC:B9:C8:A9:5C:93:6A:6D:EA:19:B6
    posttls-finger: Verified TLS connection established to theater.piekert.de[81.169.233.252]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (2048 bits) server-digest SHA256

    $ posttls-finger -F/etc/pki/tls/cert.pem -c -lsecure "[sonne.floppy.org]"
    posttls-finger: sonne.floppy.org[85.215.122.93]:25: matched peername: sonne.floppy.org
    posttls-finger: sonne.floppy.org[85.215.122.93]:25: subject_CN=sonne.floppy.org, issuer=R11, cert fingerprint=40:7F:4E:8E:26:49:90:08:77:D3:2B:3D:4D:DB:C9:9E:B3:3D:D0:56:6E:0D:3D:BA:33:34:0A:EF:DC:4B:78:55, pkey fingerprint=E5:D8:02:2C:85:5B:22:5A:E3:D1:B0:CA:B8:5C:22:C2:94:A6:7D:D2:40:D9:93:29:60:29:3E:71:CD:DE:FF:E2
    posttls-finger: Verified TLS connection established to sonne.floppy.org[85.215.122.93]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (2048 bits) server-digest SHA256

Do you have the requisite issuers in $smtp_tls_CAfile and/or $smtp_tls_CApath?
What TLS policy is returned to Postfix by your MTA-STS plugin?

> So it comes down to
> num=62:hostname mismatch

Likely the policy you're using isn't actually setting up the correct name(s)
to match.

> Now that is the main issue for me, what hostname is EXPECTED *in the cert*?!

The MX hostname.

> Further, I assume the directive "secure" in the tls policy overrides
> the "testing" policy, right?

Postfix has no built-in MTA-STS support, so there's nothing to "override".
If you're using a dynamic TLS policy table, with some service returning
results via a socketmap, then the policy is whatever that service returns.

> *IF* I downgrade the tls directive from "secure" to "encrypt"
> Feb 21 08:50:56 theater postfix/qmgr[553270]: 257561229F34:
> from=<r...@theater.piekert.de>, size=426, nrcpt=2 (queue active)
> Feb 21 08:50:56 theater postfix/smtp[560140]: Trusted TLS connection
> established to sonne.floppy.org[85.215.122.93]:25: TLSv1.3 with cipher
> TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature
> RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits)
> client-digest SHA256
> Feb 21 08:50:56 theater postfix/smtp[560140]: TLSRPT: status=success,
> domain=renraku-software.de, receiving_mx=sonne.floppy.org[85.215.122.93]

The "secure" policy is NOT MTA-STS.

-- 
    Viktor.

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
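The point of the exchange above is that a bare "secure" policy entry checks the certificate against the next-hop domain (renraku-software.de), not against the MX hostname, so an MX host such as sonne.floppy.org whose certificate carries its own name can never pass; an MTA-STS lookup service instead has to hand Postfix a "secure match=..." entry listing the policy's MX names. The following Python model is an added example, not code from this thread, from Postfix or from any MTA-STS plugin. It parses a constructed MTA-STS policy (an assumption, not the real renraku-software.de policy), converts it to the tls_policy value a lookup service would return, and runs a simplified version of Postfix's "secure" level name matching over the certificate names shown in the thread. The matching rules are reduced to exact names, ".domain" sub-domain patterns and single-label "*." wildcards; real Postfix has further CN/SAN handling.

```python
"""Added example (not from the thread, Postfix or any MTA-STS plugin): how an
MTA-STS policy becomes a Postfix smtp_tls_policy_maps entry, and why a bare
"secure" entry reports "hostname mismatch" for an MX host whose certificate
name lies outside the recipient domain. Name matching is a simplified model."""

# Constructed MTA-STS policy (assumption: not the real renraku-software.de policy).
POLICY_TXT = """\
version: STSv1
mode: enforce
mx: sonne.floppy.org
mx: butterfly.post-peine.de
mx: *.piekert.de
max_age: 604800
"""

NEXTHOP = "renraku-software.de"  # the recipient domain, i.e. Postfix's next-hop


def parse_policy(text):
    """Parse the 'key: value' lines of an MTA-STS policy; 'mx' may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip().lower()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy


def wildcard_covers(pattern, host):
    """A '*.' wildcard matches exactly one leading label (RFC 8461 section 4.1
    for MTA-STS mx patterns; the same single-label rule is applied here to
    certificate names). Anything else must match exactly."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, sep, tail = host.partition(".")
        return head != "" and sep != "" and tail == pattern[2:]
    return host == pattern


def postfix_policy(policy):
    """Return the tls_policy value a lookup service would hand Postfix for the
    domain: 'secure' plus match= patterns, writing MTA-STS '*.dom' as Postfix
    '.dom'. Assumption: non-enforce modes fall back to plain 'may'."""
    if policy.get("mode") != "enforce":
        return "may"
    patterns = ["." + p[2:] if p.startswith("*.") else p for p in policy["mx"]]
    return "secure match=" + ":".join(patterns)


def name_matches(cert_name, pattern):
    """Simplified Postfix check: a '.dom' pattern accepts any certificate name
    inside that sub-domain; a plain pattern must equal the certificate name or
    be covered by a '*.' certificate name."""
    cert_name, pattern = cert_name.lower(), pattern.lower()
    if pattern.startswith("."):
        return cert_name.endswith(pattern)
    return wildcard_covers(cert_name, pattern)


def secure_match(match_patterns, nexthop, mx_host, cert_names):
    """Return the pattern some certificate name satisfied, or None, which is the
    'hostname mismatch' outcome. The keywords mirror smtp_tls_secure_cert_match."""
    for raw in match_patterns:
        pattern = {"nexthop": nexthop, "dot-nexthop": "." + nexthop,
                   "hostname": mx_host}.get(raw, raw)
        if any(name_matches(name, pattern) for name in cert_names):
            return pattern
    return None


def bare_secure_result():
    """Bare 'secure': the default match list is nexthop:dot-nexthop, so the cert
    must name renraku-software.de or a sub-domain of it; sonne.floppy.org cannot."""
    return secure_match(["nexthop", "dot-nexthop"], NEXTHOP,
                        "sonne.floppy.org", ["sonne.floppy.org"])


def mta_sts_result(mx_host, cert_names):
    """With the MTA-STS-derived entry the MX hostname itself is what must appear
    in the certificate, exactly as the thread states."""
    entry = postfix_policy(parse_policy(POLICY_TXT))
    patterns = entry.split("match=", 1)[1].split(":")
    return secure_match(patterns, NEXTHOP, mx_host, cert_names)


if __name__ == "__main__":
    print("policy entry      :", postfix_policy(parse_policy(POLICY_TXT)))
    print("bare secure       :", bare_secure_result())
    print("sonne via MTA-STS :", mta_sts_result("sonne.floppy.org", ["sonne.floppy.org"]))
    print("theater via MTA-STS:", mta_sts_result("theater.piekert.de", ["*.piekert.de"]))
```

Running it prints the derived entry "secure match=sonne.floppy.org:butterfly.post-peine.de:.piekert.de", then None for the bare "secure" case (the num=62 hostname mismatch in the log) and the matched pattern for each MX host under the MTA-STS-derived entry. The "encrypt" level in the quoted downgrade performs no name check at all, which is why that run logs a Trusted TLS connection while giving up the authentication that MTA-STS is meant to provide.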