Hello,

After upgrading from 2.5.x to 2.7.1, mail started queuing up to one particular domain (TLS security level: verify) with "Server certificate not verified". Systems still on 2.5.x versions of Postfix transmit messages to that domain via enforced TLS just fine. Based on some testing with different versions, it seems that the change in behavior started with 2.6.0.
The ST part of the CN contains an encoded string sequence of "\xC3\xBC" that represents the German u Umlaut. We have tons of domains set up for enforced TLS and this is the only one that is causing trouble. Warning messages in the log file are also tied to ASN.1 encoding, and eventually the CN appears with no value in the log, which seems to suggest that the ASN.1 encoded character is what causes the trouble. Some log information below.

Regards,
Martin

Nov 29 22:14:23 server postfix/smtp[6740]: initializing the client-side TLS engine
Nov 29 22:14:24 server postfix/smtp[6740]: setting up TLS connection to mx2.mlp-ag.com[195.170.185.78]:25
Nov 29 22:14:24 server postfix/smtp[6740]: mx2.mlp-ag.com[195.170.185.78]:25: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL"
Nov 29 22:14:24 server postfix/smtp[6740]: looking for session smtp:195.170.185.78:25:mx2.mlp-ag.com&p=1&c=ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL in smtp cache
Nov 29 22:14:24 server postfix/smtp[6740]: mx2.mlp-ag.com[195.170.185.78]:25: certificate verification depth=3 verify=1 subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Nov 29 22:14:24 server postfix/smtp[6740]: mx2.mlp-ag.com[195.170.185.78]:25: certificate verification depth=2 verify=1 subject=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
Nov 29 22:14:24 server postfix/smtp[6740]: mx2.mlp-ag.com[195.170.185.78]:25: certificate verification depth=1 verify=1 subject=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
Nov 29 22:14:24 server postfix/smtp[6740]: mx2.mlp-ag.com[195.170.185.78]:25: certificate verification depth=0 verify=1 subject=/1.3.6.1.4.1.311.60.2.1.3=DE/1.3.6.1.4.1.311.60.2.1.1=Mannheim/2.5.4.15=V1.0, Clause 5.(b)/serialNumber=HRB 335755/C=DE/2.5.4.17=69168/ST=Baden-W\xC3\xBCrttemberg/L=Wiesloch/2.5.4.9=Alte Heerstrasse 40/O=MLP Finanzdienstleistungen Aktiengesellschaft
Nov 29 22:14:24 server postfix/smtp[6740]: SSL_connect:SSLv3 read finished A
Nov 29 22:14:24 server postfix/smtp[6740]: save session smtp:195.170.185.78:25:mx2.mlp-ag.com&p=1&c=ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL to smtp cache
Nov 29 22:14:24 server postfix/smtp[6740]: warning: tls_text_name: mx2.mlp-ag.com[195.170.185.78]:25: error decoding peer subject CN of ASN.1 type=12
Nov 29 22:14:24 server postfix/smtp[6740]: warning: TLS library problem: 6740:error:0D07A0A0:asn1 encoding routines:ASN1_mbstring_copy:unknown format:a_mbstr.c:142:
Nov 29 22:14:24 server postfix/smtp[6740]: mx2.mlp-ag.com[195.170.185.78]:25: Trusted subject_CN=, issuer_CN=VeriSign Class 3 Extended Validation SSL SGC CA
Nov 29 22:14:24 server postfix/smtp[6740]: Trusted TLS connection established to mx2.mlp-ag.com[195.170.185.78]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Nov 29 22:14:24 server postfix/smtp[6740]: 193A714002: Server certificate not verified
Nov 29 22:14:25 server postfix/smtp[6740]: setting up TLS connection to mx1.mlp-ag.com[195.170.185.77]:25
Nov 29 22:14:25 server postfix/smtp[6740]: mx1.mlp-ag.com[195.170.185.77]:25: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL"
Nov 29 22:14:25 server postfix/smtp[6740]: looking for session smtp:195.170.185.77:25:mx1.mlp-ag.com&p=1&c=ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL in smtp cache
Nov 29 22:14:25 server postfix/smtp[6740]: SSL_connect:before/connect initialization
Nov 29 22:14:25 server postfix/smtp[6740]: mx1.mlp-ag.com[195.170.185.77]:25: certificate verification depth=3 verify=1 subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Nov 29 22:14:25 server postfix/smtp[6740]: mx1.mlp-ag.com[195.170.185.77]:25: certificate verification depth=2 verify=1 subject=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
Nov 29 22:14:25 server postfix/smtp[6740]: mx1.mlp-ag.com[195.170.185.77]:25: certificate verification depth=1 verify=1 subject=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
Nov 29 22:14:25 server postfix/smtp[6740]: mx1.mlp-ag.com[195.170.185.77]:25: certificate verification depth=0 verify=1 subject=/1.3.6.1.4.1.311.60.2.1.3=DE/1.3.6.1.4.1.311.60.2.1.1=Mannheim/2.5.4.15=V1.0, Clause 5.(b)/serialNumber=HRB 335755/C=DE/2.5.4.17=69168/ST=Baden-W\xC3\xBCrttemberg/L=Wiesloch/2.5.4.9=Alte Heerstrasse 40/O=MLP Finanzdienstleistungen Aktiengesellschaft
Nov 29 22:14:25 server postfix/smtp[6740]: SSL_connect:SSLv3 read server certificate A
Nov 29 22:14:25 server postfix/smtp[6740]: SSL_connect:SSLv3 read finished A
Nov 29 22:14:25 server postfix/smtp[6740]: save session smtp:195.170.185.77:25:mx1.mlp-ag.com&p=1&c=ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL to smtp cache
Nov 29 22:14:25 server postfix/smtp[6740]: warning: tls_text_name: mx1.mlp-ag.com[195.170.185.77]:25: error decoding peer subject CN of ASN.1 type=12
Nov 29 22:14:25 server postfix/smtp[6740]: warning: TLS library problem: 6740:error:0D07A0A0:asn1 encoding routines:ASN1_mbstring_copy:unknown format:a_mbstr.c:142:
Nov 29 22:14:25 server postfix/smtp[6740]: mx1.mlp-ag.com[195.170.185.77]:25: Trusted subject_CN=, issuer_CN=VeriSign Class 3 Extended Validation SSL SGC CA
Nov 29 22:14:25 server postfix/smtp[6740]: Trusted TLS connection established to mx1.mlp-ag.com[195.170.185.77]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Nov 29 22:14:25 server postfix/smtp[6740]: 193A714002: to=<nob...@mlp.de>, relay=mx1.mlp-ag.com[195.170.185.77]:25, delay=226, delays=173/50/2.4/0, dsn=4.7.5, status=deferred (Server certificate not verified)
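To make the "ASN.1 type=12" in the warnings above concrete, here is an added example, not part of the post and not Postfix or OpenSSL code: a small pure-Python DER walker that builds two constructed X.501 Names and reports, for each attribute, its ASN.1 string type and the strictly decoded text. Tag 12 is UTF8String, and UTF-8 encodes "ü" as the byte pair C3 BC, which is exactly the "\xC3\xBC" printed in the ST attribute of the log. The second Name deliberately labels a Latin-1 byte as UTF8String in CN to show how a strict decoder reports such a value instead of guessing; that is an illustration of one way a type=12 decode can fail and an assumption for the example, not a diagnosis of the certificate in the thread. The hostnames, the helper names and the choice of one attribute per RDN are hypothetical.

```python
"""Added example: walk a DER-encoded X.501 Name and report each attribute's
ASN.1 string type. Not Postfix or OpenSSL code; stdlib only. The sample Names
are constructed here with hypothetical values."""

SEQUENCE, SET, OID = 0x30, 0x31, 0x06
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
             "2.5.4.8": "ST", "2.5.4.10": "O"}
# Universal tags of the DirectoryString choices, each with a strict codec.
STRING_TYPES = {12: ("UTF8String", "utf-8"), 19: ("PrintableString", "ascii"),
                20: ("T61String", "latin-1"), 22: ("IA5String", "ascii"),
                30: ("BMPString", "utf-16-be")}


def _tlv(tag, content):
    """DER tag-length-value with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _encode_oid(dotted):
    """Dotted OID -> DER content bytes (first two arcs packed, rest base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_name(attrs):
    """attrs: [(dotted OID, string tag, raw value bytes)] -> DER Name, one AttributeTypeAndValue per RDN."""
    rdns = [_tlv(SET, _tlv(SEQUENCE, _tlv(OID, _encode_oid(oid)) + _tlv(tag, val)))
            for oid, tag, val in attrs]
    return _tlv(SEQUENCE, b"".join(rdns))


def _read_tlv(buf, pos):
    """Return (tag, content, position after the element) for the TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long form: the next (first & 0x7F) bytes hold the length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _to_text(tag, raw):
    """Strict decode of a DirectoryString; a mislabelled encoding is reported, not guessed."""
    if tag not in STRING_TYPES:
        return "<unsupported ASN.1 type=%d>" % tag
    try:
        return raw.decode(STRING_TYPES[tag][1])
    except UnicodeDecodeError as exc:
        return "<error decoding ASN.1 type=%d: %s>" % (tag, exc.reason)


def decode_name(der):
    """Return [(attribute, type name, text)] for every AttributeTypeAndValue in a Name."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(body):  # Name ::= SEQUENCE OF RelativeDistinguishedName
        tag, rdn, pos = _read_tlv(body, pos)
        if tag != SET:
            raise ValueError("RDN must be a SET")
        inner = 0
        while inner < len(rdn):  # RDN ::= SET OF AttributeTypeAndValue
            _, atv, inner = _read_tlv(rdn, inner)
            _, oid_raw, p = _read_tlv(atv, 0)
            vtag, vraw, _ = _read_tlv(atv, p)
            oid = _decode_oid(oid_raw)
            result.append((OID_NAMES.get(oid, oid),
                           STRING_TYPES.get(vtag, (str(vtag),))[0],
                           _to_text(vtag, vraw)))
    return result


# Constructed sample: ST as UTF8String (tag 12); UTF-8 encodes "ü" as C3 BC, the pair seen in the log.
GOOD_NAME = build_name([
    ("2.5.4.6", 19, b"DE"),
    ("2.5.4.8", 12, "Baden-W\u00fcrttemberg".encode("utf-8")),
    ("2.5.4.3", 12, b"mx.example.test"),
])
# Constructed sample (hypothetical): CN tagged UTF8String but carrying a Latin-1 0xFC byte,
# which is not valid UTF-8, so a strict decoder reports it instead of guessing.
BAD_NAME = build_name([
    ("2.5.4.8", 12, "Baden-W\u00fcrttemberg".encode("utf-8")),
    ("2.5.4.3", 12, b"mx.m\xfcnchen.example"),
])

if __name__ == "__main__":
    for label, der in (("good", GOOD_NAME), ("bad", BAD_NAME)):
        print(label, der.hex())
        for attr, typ, text in decode_name(der):
            print("  %s (%s) = %s" % (attr, typ, text))
```

Running the block prints the DER hex of each Name followed by one line per attribute; in the "good" Name the ST value decodes cleanly from its C3 BC bytes, while in the "bad" Name the CN is reported as a type=12 decode error with the reason, which is the kind of per-attribute check worth running against a peer certificate (after extracting its subject DER) before concluding that an Umlaut itself is the problem.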