On Tue, Nov 30, 2010 at 02:44:31AM +0000, Mueller, Martin (Messaging) wrote:
> After upgrading from 2.5.x to 2.7.1 mail started queuing up to one
> particular domain (TLS security level: verify) with "Server certificate
> not verified". Postfix TLS support has not changed noticeably since 2.5.
> Systems still on 2.5.x versions of Postfix transmit messages to that
> domain via enforced TLS just fine. Based on some testing with different
> version it seems that the change in behavior started with 2.6.0.

What's new in 2.6/2.7 is that finally and with good reason SSLv2 and
its associated ciphers are disabled by default.

    http://www.postfix.org/postconf.5.html#smtp_tls_protocols

It is also likely that you are using a more recent version of OpenSSL,
this can be more significant than any minor changes in Postfix.

> The ST part of the CN contains an encoded string sequence of "\xC3\xBC"
> that represents the German u Umlaut.

The "ST" as you say, is not part of the "CN" it is part of the
Distinguished Name or "DN". Parts of the "DN" that are not the CN do
not matter for peer verification.

> We have tons of domains setup for enforced TLS and this is the only one that
> is causing trouble. Warning messages in the log file
> are also tied to asn1 encoding and eventually CN appears with no value in the
> log. Which seems to suggest that the asn 1 encoded
> character is what causes the trouble.

This is almost certainly a Red Herring.

> initializing the client-side TLS engine
> setting up TLS connection to mx2.mlp-ag.com[195.170.185.78]:25
> mx2.mlp-ag.com[195.170.185.78]:25: TLS cipher list
> "ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL"

Your TLS log level is a bit too verbose.

> Nov 29 22:14:24 server postfix/smtp[6740]: warning: TLS library problem:
> 6740:error:0D07A0A0:asn1 encoding routines:ASN1_mbstring_copy:unknown
> format:a_mbstr.c:142:

Harmless noise unless you have peername verification turned on. What
is the configured TLS security level?
> Nov 29 22:14:24 server postfix/smtp[6740]: Trusted TLS connection established
> to mx2.mlp-ag.com[195.170.185.78]:25: TLSv1 with cipher DHE-RSA-AES256-SHA
> (256/256 bits)

The TLS handshake completes.

> Nov 29 22:14:24 server postfix/smtp[6740]: 193A714002: Server certificate not
> verified

But you appear to have peername verification turned on. What is your
tls security level for this destination?

When testing with Postfix 2.7 compiled against OpenSSL 1.0.0a and also
1.0.0b with two patches from the upcoming 1.0.0c (due any day now)
everything is normal. Your OpenSSL is perhaps less fortuitously selected
than mine.

smtp-finger: Connected to mx2.mlp-ag.com[195.170.185.78]:25
smtp-finger: < 220 mx2.mlp-ag.com ESMTP
smtp-finger: > EHLO amnesiac.example.com
smtp-finger: < 250-mx2.mlp-ag.com
smtp-finger: < 250-8BITMIME
smtp-finger: < 250-SIZE 104857600
smtp-finger: < 250 STARTTLS
smtp-finger: > STARTTLS
smtp-finger: < 220 Go ahead with TLS
smtp-finger: mx2.mlp-ag.com[195.170.185.78]:25 Matched CommonName mx2.mlp-ag.com
smtp-finger: mx2.mlp-ag.com[195.170.185.78]:25: Matched subject_CN=mx2.mlp-ag.com, issuer_CN=VeriSign Class 3 Extended Validation SSL SGC CA
smtp-finger: mx2.mlp-ag.com[195.170.185.78]:25 sha1 fingerprint 90:9A:37:16:7B:DB:5E:D4:0D:72:2F:E4:AA:38:4C:5C:9A:12:59:21
smtp-finger: Verified TLS connection established to mx2.mlp-ag.com[195.170.185.78]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
---
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=DE/1.3.6.1.4.1.311.60.2.1.1=Mannheim/businessCategory=V1.0, Clause 5.(b)/serialNumber=HRB 335755/C=DE/postalCode=69168/ST=Baden-W\xC3\xBCrttemberg/L=Wiesloch/street=Alte Heerstrasse 40
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5c:15:d9:5e:08:43:61:e7:6e:40:76:e5:a3:cd:7b:bc
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)06, CN=VeriSign Class 3 Extended Validation SSL SGC CA
        Validity
            Not Before: Jul 1 00:00:00 2010 GMT
            Not After : Jul 1 23:59:59 2011 GMT
        Subject: 1.3.6.1.4.1.311.60.2.1.3=DE/1.3.6.1.4.1.311.60.2.1.1=Mannheim/businessCategory=V1.0, Clause 5.(b)/serialNumber=HRB 335755, C=DE/postalCode=69168, ST=Baden-W\xC3\xBCrttemberg, L=Wiesloch/street=Alte Heerstrasse 40, O=MLP Finanzdienstleistungen Aktiengesellschaft, OU=e-Services, CN=mx2.mlp-ag.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ba:9e:2d:b9:ea:23:90:d5:a1:28:71:d3:cf:a8:
                    e5:4b:d0:da:2a:00:c4:21:40:8d:77:43:b8:df:73:
                    49:f9:d2:e8:ae:85:43:74:e1:aa:e2:53:8c:4b:54:
                    41:0f:b7:62:85:8b:3d:ad:e6:5c:ca:f7:f8:af:4d:
                    46:af:31:81:44:ed:b3:37:16:35:44:14:3e:eb:3c:
                    21:8c:05:59:49:b0:23:bc:19:6e:d8:e8:f5:82:25:
                    f2:58:fa:78:b5:a7:87:2c:14:b9:14:4a:f4:75:e8:
                    bb:7c:57:7c:22:32:06:c4:f8:7b:e6:76:5e:f2:7e:
                    28:45:7e:23:3f:e1:a3:34:bb:e1:05:5f:dc:7e:58:
                    fb:95:2d:89:56:04:ba:0b:8b:69:f3:bf:0f:df:26:
                    b0:f0:c9:dc:ba:bf:6c:9b:01:5b:06:e0:e6:ca:57:
                    2a:5e:cb:0e:89:65:1f:34:2b:9e:c7:a6:5e:e1:da:
                    07:4c:e3:e3:7a:21:f3:f1:dc:4b:ec:8a:3c:97:d9:
                    29:02:12:08:33:f0:9b:3b:8f:e4:42:5a:27:32:8b:
                    7e:f7:22:af:8f:c5:63:c3:2d:6a:7d:70:ea:4a:0d:
                    df:de:e1:ab:d9:d6:b7:a2:19:7a:b5:40:21:3a:3e:
                    87:b6:46:7a:c9:8d:2f:40:fd:bf:f8:ee:8b:99:d6:
                    ac:89
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                8C:E7:65:2D:D0:DB:83:6F:FA:95:97:35:79:78:E9:7D:1A:30:99:05
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Certificate Policies:
                Policy: 2.16.840.1.113733.1.7.23.6
                  CPS: https://www.verisign.com/rpa

            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://EVIntl-crl.verisign.com/EVIntl2006.crl

            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto
            X509v3 Authority Key Identifier:
                keyid:4E:43:C8:1D:76:EF:37:53:7A:4F:F2:58:6F:94:F3:38:E2:D5:BD:DF

            Authority Information Access:
                OCSP - URI:http://EVIntl-ocsp.verisign.com
                CA Issuers - URI:http://EVIntl-aia.verisign.com/EVIntl2006.cer

            1.3.6.1.5.5.7.1.12:
                0`.^.\0Z0X0V..image/gif0!0.0...+......Kk.(.....R8.).K..!..0&.$http://logo.verisign.com/vslogo1.gif
    Signature Algorithm: sha1WithRSAEncryption
        68:f8:61:fd:c6:d4:18:05:b8:5c:7f:85:31:10:a6:e4:c9:be:
        53:60:2d:8c:89:60:90:89:d6:c2:3d:33:c9:3a:eb:55:e8:e0:
        e3:11:94:d9:30:8a:8c:c6:35:9c:22:6b:32:a1:64:29:4a:21:
        fa:81:92:0a:9b:f8:a5:cb:09:0d:0b:72:86:b7:e7:7e:34:7d:
        99:4b:2f:08:8d:9c:6b:19:1a:00:3d:01:ce:21:a4:c5:51:bd:
        5b:fe:eb:a6:92:28:8e:df:1f:80:36:c5:02:b1:00:55:46:d7:
        6b:0f:10:68:52:b0:ae:30:c2:db:0b:c3:08:60:1f:1b:e7:77:
        9e:a2:fa:aa:10:ff:b0:74:91:18:08:03:47:1c:64:99:52:ed:
        da:d9:19:b9:a3:2a:46:19:c4:e8:3f:71:25:d8:4e:c4:ef:bd:
        c6:16:65:bf:ac:0e:5e:87:7c:3e:4e:21:c6:7d:47:f0:f4:2f:
        e1:75:95:63:0e:44:5e:ce:ca:80:06:6a:5b:0e:78:ab:f7:8b:
        cf:f5:1c:3b:f1:7b:9e:5a:c4:ca:ef:c2:8e:2d:b1:b7:0c:f5:
        cd:1e:83:7f:b8:9c:f8:74:8c:de:4b:01:cb:30:aa:99:3f:c8:
        69:1d:67:ea:c3:da:0f:b5:94:29:3d:b6:d7:11:56:20:83:f1:
        fc:b4:26:c4
-----BEGIN CERTIFICATE-----
MIIGdDCCBVygAwIBAgIQXBXZXghDYeduQHblo817vDANBgkqhkiG9w0BAQUFADCB
vjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNjE4MDYGA1UEAxMv
VmVyaVNpZ24gQ2xhc3MgMyBFeHRlbmRlZCBWYWxpZGF0aW9uIFNTTCBTR0MgQ0Ew
HhcNMTAwNzAxMDAwMDAwWhcNMTEwNzAxMjM1OTU5WjCCATMxEzARBgsrBgEEAYI3
PAIBAxMCREUxGTAXBgsrBgEEAYI3PAIBAQwITWFubmhlaW0xGzAZBgNVBA8TElYx
LjAsIENsYXVzZSA1LihiKTETMBEGA1UEBRMKSFJCIDMzNTc1NTELMAkGA1UEBhMC
REUxDjAMBgNVBBEUBTY5MTY4MRswGQYDVQQIDBJCYWRlbi1Xw7xydHRlbWJlcmcx
ETAPBgNVBAcMCFdpZXNsb2NoMRwwGgYDVQQJDBNBbHRlIEhlZXJzdHJhc3NlIDQw
MTYwNAYDVQQKDC1NTFAgRmluYW56ZGllbnN0bGVpc3R1bmdlbiBBa3RpZW5nZXNl
bGxzY2hhZnQxEzARBgNVBAsMCmUtU2VydmljZXMxFzAVBgNVBAMMDm14Mi5tbHAt
YWcuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAup4tueojkNWh
KHHTz6jlS9DaKgDEIUCNd0O433NJ+dLoroVDdOGq4lOMS1RBD7dihYs9reZcyvf4
r01GrzGBRO2zNxY1RBQ+6zwhjAVZSbAjvBlu2Oj1giXyWPp4taeHLBS5FEr0dei7
fFd8IjIGxPh75nZe8n4oRX4jP+GjNLvhBV/cflj7lS2JVgS6C4tp878P3yaw8Mnc
ur9smwFbBuDmylcqXssOiWUfNCuex6Ze4doHTOPjeiHz8dxL7Io8l9kpAhIIM/Cb
O4/kQlonMot+9yKvj8Vjwy1qfXDqSg3f3uGr2da3ohl6tUAhOj6HtkZ6yY0vQP2/
+O6LmdasiQIDAQABo4IB9DCCAfAwCQYDVR0TBAIwADAdBgNVHQ4EFgQUjOdlLdDb
g2/6lZc1eXjpfRowmQUwCwYDVR0PBAQDAgWgMEQGA1UdIAQ9MDswOQYLYIZIAYb4
RQEHFwYwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3Jw
YTA+BgNVHR8ENzA1MDOgMaAvhi1odHRwOi8vRVZJbnRsLWNybC52ZXJpc2lnbi5j
b20vRVZJbnRsMjAwNi5jcmwwKAYDVR0lBCEwHwYIKwYBBQUHAwEGCCsGAQUFBwMC
BglghkgBhvhCBAEwHwYDVR0jBBgwFoAUTkPIHXbvN1N6T/JYb5TzOOLVvd8wdgYI
KwYBBQUHAQEEajBoMCsGCCsGAQUFBzABhh9odHRwOi8vRVZJbnRsLW9jc3AudmVy
aXNpZ24uY29tMDkGCCsGAQUFBzAChi1odHRwOi8vRVZJbnRsLWFpYS52ZXJpc2ln
bi5jb20vRVZJbnRsMjAwNi5jZXIwbgYIKwYBBQUHAQwEYjBgoV6gXDBaMFgwVhYJ
aW1hZ2UvZ2lmMCEwHzAHBgUrDgMCGgQUS2u5KJYGDLvQUjibKaxLB4shBRgwJhYk
aHR0cDovL2xvZ28udmVyaXNpZ24uY29tL3ZzbG9nbzEuZ2lmMA0GCSqGSIb3DQEB
BQUAA4IBAQBo+GH9xtQYBbhcf4UxEKbkyb5TYC2MiWCQidbCPTPJOutV6ODjEZTZ
MIqMxjWcImsyoWQpSiH6gZIKm/ilywkNC3KGt+d+NH2ZSy8IjZxrGRoAPQHOIaTF
Ub1b/uumkiiO3x+ANsUCsQBVRtdrDxBoUrCuMMLbC8MIYB8b53eeovqqEP+wdJEY
CANHHGSZUu3a2Rm5oypGGcToP3El2E7E773GFmW/rA5eh3w+TiHGfUfw9C/hdZVj
DkRezsqABmpbDnir94vP9Rw78XueWsTK78KOLbG3DPXNHoN/uJz4dIzeSwHLMKqZ
P8hpHWfqw9oPtZQpPbbXEVYgg/H8tCbE
-----END CERTIFICATE-----

-- 
Viktor.
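As an added illustration of the point made in the reply (the ST attribute lives in the subject DN, not in the CN, and the peer name is matched against the CN only), the following Python script is not part of the message or of Postfix. It embeds the server certificate quoted above exactly as posted, walks its DER with a minimal tag/length/value reader down to the subject Name, decodes each attribute according to its ASN.1 string type (the ST value is a UTF8String holding the "\xC3\xBC" bytes), and then compares the intended peer name against the CN alone. The names MX2_PEM, subject_dn and cn_matches are my own; the script handles only the CN, whereas Postfix also matches SubjectAlternativeName entries, and its latin-1 decoding of the T61String postalCode is an approximation.

```python
import base64
import re

# Server certificate quoted in the message above, exactly as posted.
MX2_PEM = """-----BEGIN CERTIFICATE-----
MIIGdDCCBVygAwIBAgIQXBXZXghDYeduQHblo817vDANBgkqhkiG9w0BAQUFADCB
vjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNjE4MDYGA1UEAxMv
VmVyaVNpZ24gQ2xhc3MgMyBFeHRlbmRlZCBWYWxpZGF0aW9uIFNTTCBTR0MgQ0Ew
HhcNMTAwNzAxMDAwMDAwWhcNMTEwNzAxMjM1OTU5WjCCATMxEzARBgsrBgEEAYI3
PAIBAxMCREUxGTAXBgsrBgEEAYI3PAIBAQwITWFubmhlaW0xGzAZBgNVBA8TElYx
LjAsIENsYXVzZSA1LihiKTETMBEGA1UEBRMKSFJCIDMzNTc1NTELMAkGA1UEBhMC
REUxDjAMBgNVBBEUBTY5MTY4MRswGQYDVQQIDBJCYWRlbi1Xw7xydHRlbWJlcmcx
ETAPBgNVBAcMCFdpZXNsb2NoMRwwGgYDVQQJDBNBbHRlIEhlZXJzdHJhc3NlIDQw
MTYwNAYDVQQKDC1NTFAgRmluYW56ZGllbnN0bGVpc3R1bmdlbiBBa3RpZW5nZXNl
bGxzY2hhZnQxEzARBgNVBAsMCmUtU2VydmljZXMxFzAVBgNVBAMMDm14Mi5tbHAt
YWcuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAup4tueojkNWh
KHHTz6jlS9DaKgDEIUCNd0O433NJ+dLoroVDdOGq4lOMS1RBD7dihYs9reZcyvf4
r01GrzGBRO2zNxY1RBQ+6zwhjAVZSbAjvBlu2Oj1giXyWPp4taeHLBS5FEr0dei7
fFd8IjIGxPh75nZe8n4oRX4jP+GjNLvhBV/cflj7lS2JVgS6C4tp878P3yaw8Mnc
ur9smwFbBuDmylcqXssOiWUfNCuex6Ze4doHTOPjeiHz8dxL7Io8l9kpAhIIM/Cb
O4/kQlonMot+9yKvj8Vjwy1qfXDqSg3f3uGr2da3ohl6tUAhOj6HtkZ6yY0vQP2/
+O6LmdasiQIDAQABo4IB9DCCAfAwCQYDVR0TBAIwADAdBgNVHQ4EFgQUjOdlLdDb
g2/6lZc1eXjpfRowmQUwCwYDVR0PBAQDAgWgMEQGA1UdIAQ9MDswOQYLYIZIAYb4
RQEHFwYwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3Jw
YTA+BgNVHR8ENzA1MDOgMaAvhi1odHRwOi8vRVZJbnRsLWNybC52ZXJpc2lnbi5j
b20vRVZJbnRsMjAwNi5jcmwwKAYDVR0lBCEwHwYIKwYBBQUHAwEGCCsGAQUFBwMC
BglghkgBhvhCBAEwHwYDVR0jBBgwFoAUTkPIHXbvN1N6T/JYb5TzOOLVvd8wdgYI
KwYBBQUHAQEEajBoMCsGCCsGAQUFBzABhh9odHRwOi8vRVZJbnRsLW9jc3AudmVy
aXNpZ24uY29tMDkGCCsGAQUFBzAChi1odHRwOi8vRVZJbnRsLWFpYS52ZXJpc2ln
bi5jb20vRVZJbnRsMjAwNi5jZXIwbgYIKwYBBQUHAQwEYjBgoV6gXDBaMFgwVhYJ
aW1hZ2UvZ2lmMCEwHzAHBgUrDgMCGgQUS2u5KJYGDLvQUjibKaxLB4shBRgwJhYk
aHR0cDovL2xvZ28udmVyaXNpZ24uY29tL3ZzbG9nbzEuZ2lmMA0GCSqGSIb3DQEB
BQUAA4IBAQBo+GH9xtQYBbhcf4UxEKbkyb5TYC2MiWCQidbCPTPJOutV6ODjEZTZ
MIqMxjWcImsyoWQpSiH6gZIKm/ilywkNC3KGt+d+NH2ZSy8IjZxrGRoAPQHOIaTF
Ub1b/uumkiiO3x+ANsUCsQBVRtdrDxBoUrCuMMLbC8MIYB8b53eeovqqEP+wdJEY
CANHHGSZUu3a2Rm5oypGGcToP3El2E7E773GFmW/rA5eh3w+TiHGfUfw9C/hdZVj
DkRezsqABmpbDnir94vP9Rw78XueWsTK78KOLbG3DPXNHoN/uJz4dIzeSwHLMKqZ
P8hpHWfqw9oPtZQpPbbXEVYgg/H8tCbE
-----END CERTIFICATE-----"""

# Attribute type OIDs found in this subject; unknown types stay dotted.
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.5": "serialNumber", "2.5.4.6": "C",
              "2.5.4.7": "L", "2.5.4.8": "ST", "2.5.4.9": "street", "2.5.4.10": "O",
              "2.5.4.11": "OU", "2.5.4.15": "businessCategory", "2.5.4.17": "postalCode"}
# ASN.1 string tag -> codec (decoding T61String as latin-1 is an approximation).
STRING_CODECS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii", 0x14: "latin-1", 0x1E: "utf-16-be"}

def read_tlv(buf, pos):
    # One DER tag/length/value with a single-byte tag; returns (tag, value, next pos).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: the low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    # Members of a constructed value, as (tag, value) pairs.
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = read_tlv(value, pos)
        out.append((tag, v))
    return out

def decode_oid(raw):
    parts, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, acc = parts + [acc], 0
    return ".".join(map(str, parts))

def subject_dn(pem):
    """Subject DN as an ordered list of (attribute, value) pairs."""
    der = base64.b64decode("".join(re.sub(r"-----[A-Z ]+-----", "", pem).split()))
    _, cert, _ = read_tlv(der, 0)   # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs, _ = read_tlv(cert, 0)
    fields = children(tbs)
    if fields[0][0] == 0xA0:        # the explicit [0] version is optional
        fields = fields[1:]
    subject = fields[4][1]          # serial, sigAlg, issuer, validity, subject, ...
    dn = []
    for _, rdn in children(subject):        # RDN ::= SET OF AttributeTypeAndValue
        for _, atv in children(rdn):
            (_, oid_raw), (vtag, vraw) = children(atv)
            oid = decode_oid(oid_raw)
            dn.append((ATTR_NAMES.get(oid, oid), vraw.decode(STRING_CODECS.get(vtag, "latin-1"))))
    return dn

def cn_matches(pem, hostname):
    # Peer-name check against the subject CN only; ST, L, O and the rest play no part.
    return any(attr == "CN" and value.lower() == hostname.lower()
               for attr, value in subject_dn(pem))

if __name__ == "__main__":
    for attr, value in subject_dn(MX2_PEM):
        print(f"{attr}={value}")
    print("CN matches mx2.mlp-ag.com:", cn_matches(MX2_PEM, "mx2.mlp-ag.com"))
```

Running it prints the twelve subject attributes, ST among them as the decoded "Baden-Württemberg", and reports a CN match for mx2.mlp-ag.com; the umlaut never enters the comparison.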