Viktor Dukhovni wrote the following on 05/02/14 20:44:
On Wed, Feb 05, 2014 at 08:28:51PM +0000, Alan Munday wrote:
Viktor Dukhovni wrote the following on 05/02/14 18:45:
On Wed, Feb 05, 2014 at 05:07:27PM +0000, Alan Munday wrote:
Feb 5 16:01:21 mx1 postfix/smtpd[22789]: Anonymous TLS connection established from mail-db3lp0084.outbound.protection.outlook.com[213.199.154.84]: TLSv1 with cipher AES128-SHA (128/128 bits)
Feb 5 16:01:21 mx1 postfix/smtpd[22789]: lost connection after EHLO from mail-db3lp0084.outbound.protection.outlook.com[213.199.154.84]
Your certificate chain on mx1 is somewhat unusual, the issuer CA
certificate has "CA:FALSE" in basic constraints:
And re-creating the certificates with CA:TRUE in the [ usr_cert ]
section of openssl.cnf appears to resolve the problem.
Now for the record your leaf certificate is also a CA, which is
harmless I imagine, but keep that in mind if you run into problems
with some other nitpicky implementation.
You're probably better off with just a self-signed cert with CA:FALSE
and no issuer CA. (Basically your original issuer CA was a perfectly
good leaf server certificate).
I'm looking at this now... and this is just my ignorance with TLS and
having done the original configuration many years ago.
In main.cf I have:
smtpd_tls_key_file = /etc/postfix/server.key.pem
smtpd_tls_cert_file = /etc/postfix/server.cert.pem
smtpd_tls_CAfile = /etc/postfix/CAcert.pem
And when I verify with openssl it reports OK.
[root@mx1 postfix]# openssl verify -CAfile /etc/postfix/CAcert.pem /etc/postfix/server.cert.pem
/etc/postfix/server.cert.pem: OK
server.cert.pem is actually a link to /etc/postfix/mx1 but that also
verifies OK.
[root@mx1 postfix]# openssl verify -CAfile /etc/postfix/CAcert.pem /etc/postfix/mx1.cert.pem
/etc/postfix/mx1.cert.pem: OK
Rather than tie up people's time, is there a reference I can go to? I'll work through things from scratch.
Thanks
Alan
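The checks discussed in this thread, as an added shell example that is not part of the original messages: a helper that prints the basicConstraints value of a PEM certificate, a check of the smtpd_tls_cert_file / smtpd_tls_CAfile pair for an issuer that is not CA:TRUE (or a leaf that is), and a generator for the self-signed CA:FALSE leaf Viktor recommends. It assumes POSIX sh and an openssl binary; the hostnames and directories passed in are the caller's own.

```shell
#!/bin/sh
# Added example; not code from the postfix-users thread. Requires openssl.
set -eu

# Print the basicConstraints value of a PEM certificate: "CA:FALSE",
# "CA:TRUE" or "CA:TRUE, pathlen:N". Prints nothing if the extension is absent.
cert_basic_constraints() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Basic Constraints/{n;s/^[[:space:]]*//;p;q;}'
}

# Report the basicConstraints of the leaf (smtpd_tls_cert_file) and the
# issuer (smtpd_tls_CAfile). Returns 1 when the issuer is not marked
# CA:TRUE, the condition Viktor spotted on mx1; a CA:TRUE leaf gets a note.
# This only inspects the extension; signature checking is still
# "openssl verify -CAfile CAFILE LEAF" as used in the thread.
check_chain() {
    leaf_bc=$(cert_basic_constraints "$1")
    ca_bc=$(cert_basic_constraints "$2")
    printf 'leaf:   %s\nissuer: %s\n' "${leaf_bc:-none}" "${ca_bc:-none}"
    case $leaf_bc in CA:TRUE*) echo 'note: leaf certificate is also a CA' ;; esac
    case $ca_bc in
        CA:TRUE*) return 0 ;;
        *) echo 'issuer certificate is not CA:TRUE'; return 1 ;;
    esac
}

# Create a self-signed certificate for HOST in OUTDIR with the given
# basicConstraints value: CA:FALSE gives the issuer-less leaf Viktor
# suggests, CA:TRUE a CA. A private minimal config is written so the
# system openssl.cnf [ v3_ca ] / [ usr_cert ] defaults do not apply.
make_self_signed_cert() {
    host=$1 outdir=$2 ca=$3
    cfg=$outdir/$host.cnf
    printf '[req]\ndistinguished_name = dn\n[dn]\n[ext]\nbasicConstraints = critical,%s\n' \
        "$ca" > "$cfg"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=$host" -config "$cfg" -extensions ext \
        -keyout "$outdir/$host.key.pem" -out "$outdir/$host.cert.pem" 2>/dev/null
}
```

Point smtpd_tls_cert_file and smtpd_tls_key_file at the generated pair and drop smtpd_tls_CAfile to get the self-signed, CA:FALSE setup recommended above.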