Hi,
On postfix 2.5.7 running on Red Hat Enterprise Linux AS release 4 (Nahant Update 8) I've
got the following error message:

Dec 15 12:09:56 lin2a postfix/smtpd[14097]: connect from 85-18-95-44.ip.fastwebnet.it[85.18.95.44]
Dec 15 12:09:56 lin2a postfix/smtpd[14097]: setting up TLS connection from 85-18-95-44.ip.fastwebnet.it[85.18.95.44]
Dec 15 12:09:57 lin2a postfix/smtpd[14097]: SSL_accept error from 85-18-95-44.ip.fastwebnet.it[85.18.95.44]: 0
Dec 15 12:09:57 lin2a postfix/smtpd[14097]: warning: TLS library problem:
14097:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48:
Dec 15 12:09:57 lin2a postfix/smtpd[14097]: lost connection after STARTTLS from 85-18-95-44.ip.fastwebnet.it[85.18.95.44]
Dec 15 12:09:57 lin2a postfix/smtpd[14097]: disconnect from 85-18-95-44.ip.fastwebnet.it[85.18.95.44]


In main.cf there are the following lines concerning TLS:

smtp_tls_CAfile =
smtp_tls_CApath = /etc/postfix/secure
smtp_tls_cert_file =
smtp_tls_dcert_file =
smtp_tls_dkey_file = $smtp_tls_dcert_file
smtp_tls_enforce_peername = yes
smtp_tls_fingerprint_digest = md5
smtp_tls_key_file = $smtp_tls_cert_file
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = SSLv3, TLSv1
smtp_tls_note_starttls_offer = yes
smtp_tls_policy_maps =
                 mysql:/etc/postfix/SQL/mysql_tls_policy.cf
                 hash:/etc/postfix/tls_policy
smtp_tls_scert_verifydepth = 9
smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtp_tls_session_cache_timeout = 3600s
smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop

smtpd_tls_auth_only = no
smtpd_tls_ask_ccert = no
smtpd_tls_CAfile = /etc/postfix/secure/UTNAddTrustSGCCA.pem
smtpd_tls_CApath = /etc/postfix/secure
smtpd_tls_ccert_verifydepth = 9
smtpd_tls_cert_file = /etc/postfix/secure/dns1_rupar_puglia_it.pem
smtpd_tls_fingerprint_digest = md5
smtpd_tls_key_file = /etc/postfix/secure/dns1-key.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtpd_tls_session_cache_timeout = 3600s

I've put the CA certificate of the peer into /etc/postfix/secure and I've c_rehash(ed) the directory.

With OpenSSL (simulating the opposite flow) I have the following:

[sche...@lin2a ~]$ openssl s_client -connect 85.18.95.45:25 -starttls smtp -CApath /etc/postfix/secure
CONNECTED(00000003)
depth=1 /C=IT/ST=Italy/L=Milan/O=Fastweb S.p.A./OU=Webfarm/CN=CA Fastweb
verify return:1
depth=0 /C=IT/ST=Milano/L=Milano/O=FASTWEB SPA/OU=aa002pec.smtpout.fastweb-pec.it/CN=smtpout.fastweb-pec.it
verify return:1
---
Certificate chain
 0 s:/C=IT/ST=Milano/L=Milano/O=FASTWEB SPA/OU=aa002pec.smtpout.fastweb-pec.it/CN=smtpout.fastweb-pec.it
   i:/C=IT/ST=Italy/L=Milan/O=Fastweb S.p.A./OU=Webfarm/CN=CA Fastweb
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICbTCCAdYCASMwDQYJKoZIhvcNAQEEBQAwbTELMAkGA1UEBhMCSVQxDjAMBgNV
...
...
kw==
-----END CERTIFICATE-----
subject=/C=IT/ST=Milano/L=Milano/O=FASTWEB SPA/OU=aa002pec.smtpout.fastweb-pec.it/CN=smtpout.fastweb-pec.it
issuer=/C=IT/ST=Italy/L=Milan/O=Fastweb S.p.A./OU=Webfarm/CN=CA Fastweb
---
No client certificate CA names sent
---
SSL handshake has read 838 bytes and written 338 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: F1ED284BAAC70300000000000000000500007274
    Session-ID-ctx:
    Master-Key: 3F013FE9BD284D51F0B000AF460B7342272594E6CBF16579B67C4C14EA8AC14BF7A7BFD8ED35FAB6E3C967756303FE50
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1260973553
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
220 smtpout.fastweb-pec.it ESMTP Service ready

It seems that the certificate is good and the handshake ends with success.

The OpenSSL version is

OpenSSL> version
OpenSSL 0.9.7a Feb 19 2003
OpenSSL>

Discarding EHLO keywords selectively (STARTTLS) with smtpd_discard_ehlo_keyword_address_maps is NOT a possible solution in this specific context.

Any idea?

Best Regards,


Pietro Romanazzi
InnovaPuglia S.p.a
Centro Tecnico RUPAR Puglia

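Added example, not part of the post above: a small Python decoder for the "TLS library problem" line that Postfix logs, which splits the packed OpenSSL error code into library, function and reason, picks up the alert number, and reports whether the alert was received from the peer or raised locally, since that decides which side's trust store is missing the CA. The record layout, the alert-name table (a subset of RFC 5246) and the second sample line are assumptions constructed for this example.

```python
import re

# TLS alert descriptions relevant to certificate problems (subset of RFC 5246 7.2).
ALERT_NAMES = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 49: "access_denied", 70: "protocol_version",
}

# OpenSSL 0.9.x/1.0.x error string: pid:error:CODE:lib:function:reason:file:line:extra
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):([^:]*):(\d*):(.*)$")

def parse_tls_error(line):
    """Decode one 'TLS library problem' line; return None if it carries no error."""
    m = ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    # Packed error code: 8-bit library, 12-bit function, 12-bit reason.
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = re.search(r"SSL alert number (\d+)", m.group(7))
    alert_no = int(alert.group(1)) if alert else None
    # OpenSSL reports an alert *received* from the peer as reason 1000 + alert number
    # (SSL_R_TLSV1_ALERT_*), raised from the record reader SSL3_READ_BYTES.
    received = alert_no is not None and reason == 1000 + alert_no
    return {
        "lib": lib, "func": func, "func_name": m.group(3), "reason": reason,
        "reason_text": m.group(5), "alert": alert_no,
        "alert_name": ALERT_NAMES.get(alert_no), "received_from_peer": received,
    }

def explain(rec):
    """Say which side failed verification, so the right trust store gets fixed."""
    if rec["received_from_peer"]:
        return (f"peer sent alert {rec['alert']} ({rec['alert_name']}): the peer could "
                f"not validate the certificate chain this side presented")
    return f"local failure in {rec['func_name']}: {rec['reason_text']}"

def parse_log(text):
    """Decode every error line in a chunk of postfix smtpd/smtp log output."""
    return [r for r in (parse_tls_error(l) for l in text.splitlines()) if r]

# Constructed sample: the smtpd line from the post, plus one made-up line
# (assumption) showing a verification failure raised locally, for contrast.
SAMPLE_LOG = """\
Dec 15 12:09:57 lin2a postfix/smtpd[14097]: warning: TLS library problem:
14097:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48:
14102:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1000:
"""
```

Running `explain()` over `parse_log(SAMPLE_LOG)` prints one verdict per error line; an alert read in SSL3_READ_BYTES was sent by the other end of the connection, not generated by this Postfix instance.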