Hello there. I recently placed a new certificate into my postfix server. It is a wildcard certificate. The server's name is not covered by the wildcard common name, but it is covered by a subject alternative name in the cert. I have two versions of the same cert installed, one on a postfix server, one on a Microsoft Exchange system. I am using another postfix server to make the test connection. The certs are similar, same common name. However, they have different keys, and the subject alternative names of the certs are different on the two servers.
When I connect to the Exchange server using my postfix client server, I see this:

Apr 19 20:15:08 mx2 postfix/smtp[31124]: setting up TLS connection to mail.wsc.ma.edu[207.159.171.178]:25
Apr 19 20:15:08 mx2 postfix/smtp[31124]: mail.wsc.ma.edu[207.159.171.178]:25: TLS cipher list "ALL:+RC4:@STRENGTH"
Apr 19 20:15:08 mx2 postfix/smtp[31124]: SSL_connect:before/connect initialization
Apr 19 20:15:08 mx2 postfix/smtp[31124]: SSL_connect:SSLv2/v3 write client hello A
Apr 19 20:15:08 mx2 postfix/smtp[31124]: SSL_connect:SSLv3 read server hello A
Apr 19 20:15:08 mx2 postfix/smtp[31124]: mail.wsc.ma.edu[207.159.171.178]:25: certificate verification depth=2 verify=1 subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
Apr 19 20:15:08 mx2 postfix/smtp[31124]: mail.wsc.ma.edu[207.159.171.178]:25: certificate verification depth=1 verify=1 subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
Apr 19 20:15:08 mx2 postfix/smtp[31124]: mail.wsc.ma.edu[207.159.171.178]:25: certificate verification depth=0 verify=1 subject=/C=US/ST=MA/L=Westfield/O=Westfield State University/OU=Information Technology/CN=*.ma.edu
Apr 19 20:15:08 mx2 postfix/smtp[31124]: SSL_connect:SSLv3 read server certificate A
Apr 19 20:15:08 mx2 postfix/smtp[31124]: SSL_connect:SSLv3 read server done A
Apr 19 20:15:08 mx2 postfix/smtp[31124]: SSL_connect:SSLv3 write client key exchange A
Apr 19 20:15:08 mx2 postfix/smtp[31124]: SSL_connect:SSLv3 write change cipher spec A
Apr 19 20:15:08 mx2 postfix/smtp[31124]: SSL_connect:SSLv3 write finished A
Apr 19 20:15:08 mx2 postfix/smtp[31124]: SSL_connect:SSLv3 flush data
Apr 19 20:15:08 mx2 postfix/smtp[31124]: SSL_connect:SSLv3 read finished A
Apr 19 20:15:08 mx2 postfix/smtp[31124]: Trusted TLS connection established to mail.wsc.ma.edu[207.159.171.178]:25: TLSv1 with cipher RC4-MD5 (128/128 bits)

However, when I connect to my other postfix server I get this:

Apr 19 20:19:18 mx2 postfix/smtp[31125]: setting up TLS connection to mx1.wsc.ma.edu[207.159.171.123]:25
Apr 19 20:19:18 mx2 postfix/smtp[31125]: mx1.wsc.ma.edu[207.159.171.123]:25: TLS cipher list "ALL:+RC4:@STRENGTH"
Apr 19 20:19:18 mx2 postfix/smtp[31125]: SSL_connect:before/connect initialization
Apr 19 20:19:18 mx2 postfix/smtp[31125]: SSL_connect:SSLv2/v3 write client hello A
Apr 19 20:19:18 mx2 postfix/smtp[31125]: SSL_connect:SSLv3 read server hello A
Apr 19 20:19:18 mx2 postfix/smtp[31125]: SSL_connect:SSLv3 read server key exchange A
Apr 19 20:19:18 mx2 postfix/smtp[31125]: SSL_connect:SSLv3 read server done A
Apr 19 20:19:18 mx2 postfix/smtp[31125]: SSL_connect:SSLv3 write client key exchange A
Apr 19 20:19:18 mx2 postfix/smtp[31125]: SSL_connect:SSLv3 write change cipher spec A
Apr 19 20:19:18 mx2 postfix/smtp[31125]: SSL_connect:SSLv3 write finished A
Apr 19 20:19:18 mx2 postfix/smtp[31125]: SSL_connect:SSLv3 flush data
Apr 19 20:19:18 mx2 postfix/smtp[31125]: SSL_connect:SSLv3 read finished A
Apr 19 20:19:18 mx2 postfix/smtp[31125]: Untrusted TLS connection established to mx1.wsc.ma.edu[207.159.171.123]:25: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)

I'm trying to figure out why I'm getting untrusted when going from postfix to postfix but not from postfix to Microsoft. The difference I see is "SSL_connect:SSLv3 read server certificate A" in the first, and in the second "Apr 19 20:19:18 mx2 postfix/smtp[31125]: SSL_connect:SSLv3 read server key exchange A". Is there possibly something configured wrong in the TLS settings on either the client or server that's causing this not to verify properly? I know the certificate chain is fine because when I connect using openssl s_client everything verifies fine on the certificate... Any thoughts as to why the different behavior?

Thomas E. Casartello, Jr.
Staff Assistant - Wireless/Linux Administrator
Information Technology
Wilson 105A
Westfield State University
(413) 572-8245
Red Hat Certified Technician (RHCT)
Cisco Certified Network Associate (CCNA)
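An added example, not from the post or from Postfix itself, that reads smtp client log lines like the ones above and reports per session whether the peer presented a certificate at all: a cipher beginning with ADH- or AECDH- in the "TLS connection established" line is anonymous Diffie-Hellman, which carries no server certificate, so there is nothing to verify regardless of the client's CA path. The sample log is constructed from the two handshakes quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample: the two handshakes from the post, trimmed to the lines the check reads.
SAMPLE_LOG = """\
Apr 19 20:15:08 mx2 postfix/smtp[31124]: setting up TLS connection to mail.wsc.ma.edu[207.159.171.178]:25
Apr 19 20:15:08 mx2 postfix/smtp[31124]: mail.wsc.ma.edu[207.159.171.178]:25: certificate verification depth=0 verify=1 subject=/C=US/ST=MA/L=Westfield/O=Westfield State University/OU=Information Technology/CN=*.ma.edu
Apr 19 20:15:08 mx2 postfix/smtp[31124]: Trusted TLS connection established to mail.wsc.ma.edu[207.159.171.178]:25: TLSv1 with cipher RC4-MD5 (128/128 bits)
Apr 19 20:19:18 mx2 postfix/smtp[31125]: setting up TLS connection to mx1.wsc.ma.edu[207.159.171.123]:25
Apr 19 20:19:18 mx2 postfix/smtp[31125]: Untrusted TLS connection established to mx1.wsc.ma.edu[207.159.171.123]:25: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
"""

# Summary line Postfix writes once the handshake completes (trust level, peer, protocol, cipher).
ESTABLISHED = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection "
    r"established to (?P<peer>\S+):\d+: (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)
# One line per chain element the client actually checked; absent when no certificate was sent.
VERIFY = re.compile(r"postfix/smtp\[(?P<pid>\d+)\]: \S+: certificate verification depth=(?P<depth>\d+)")

def analyze(log_text):
    """Return one dict per established TLS session, with a short diagnosis."""
    cert_depths = defaultdict(set)   # pid -> chain depths seen for that smtp process
    sessions = []
    for line in log_text.splitlines():
        m = VERIFY.search(line)
        if m:
            cert_depths[m["pid"]].add(int(m["depth"]))
            continue
        m = ESTABLISHED.search(line)
        if not m:
            continue
        cipher = m["cipher"]
        anonymous_kx = cipher.startswith(("ADH-", "AECDH-"))   # anonymous DH / ECDH suites
        depths = sorted(cert_depths.get(m["pid"], set()))
        if anonymous_kx:
            diagnosis = "anonymous key exchange: server sent no certificate, nothing to verify"
        elif m["level"] in ("Trusted", "Verified"):
            diagnosis = "chain verified"
        elif not depths:
            diagnosis = "no certificate seen from this server"
        else:
            diagnosis = "certificate presented but not trusted (check the client's CA path)"
        sessions.append({"peer": m["peer"], "level": m["level"], "proto": m["proto"],
                         "cipher": cipher, "anonymous_kx": anonymous_kx,
                         "cert_depths": depths, "diagnosis": diagnosis})
    return sessions

if __name__ == "__main__":
    for s in analyze(SAMPLE_LOG):
        print(f'{s["peer"]:34} {s["level"]:9} {s["cipher"]:16} {s["diagnosis"]}')
```

Run it against the full log instead of the sample to list every outbound session that negotiated an anonymous suite; on the server side the same symptom usually means smtpd offered no certificate for that connection.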