Thanks for the detailed explanation, Viktor.
I really appreciate both your confirming my submission cert is now
correctly configured, and for taking the time to 'teach me to fish'
rather than just giving me one... ;)
I believe that if I study this reply, and maybe go back and re-read the
postfix docs a few times afterwards, I may actually gain a reasonable if
not rudimentary understanding of how these pieces fit together.
Hope you're having a great holiday weekend!
Charles
On 4/19/2014 12:36 PM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
On Sat, Apr 19, 2014 at 07:06:31AM -0400, Charles Marcus wrote:
I hate to keep imposing on you, but since I don't have the postfinger tool,
Your submission service configuration is now correct. In each pair
of lines the "issuer" is the name of the certification authority
that signed the certificate and the "subject" is the certified name
of the owner of the public key in the certificate.
subject=/serialNumber=7XqE1Qv/zhjR5gwi8OBh94adXjYVaaDs/OU=GT32586886/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=smtp.media-brokers.com
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
subject=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
subject=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
In a well-formed chain (such as above), the subject in each pair
of lines after the first is the same as the issuer in the previous
pair of lines.
If you don't have posttls-finger, for the purpose of examining the
peer certificate chain you get functionally equivalent output from:
(sleep 2; echo QUIT) |
openssl s_client -starttls smtp -showcerts \
-connect smtp.media-brokers.com:587 2>/dev/null | ...
In other words:
(sleep 2; echo QUIT) |
openssl s_client -starttls smtp -showcerts \
-connect smtp.media-brokers.com:587 2>/dev/null |
openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
openssl pkcs7 -print_certs -noout
The last two commands in the pipeline convert a sequence of PEM
certificates to PKCS#7 format for the sole purpose of printing the
subject and issuer of each one (without printing the actual
certificate content). This PKCS#7 conversion is a work-around for
the absence of a multi-certificate input loop option in the x509(1)
sub-command of openssl(1), which currently will only print the
first certificate in the input file.
Note that since you have the complete chain in a file, you don't
have to connect to the server over the network with either
posttls-finger(1) or s_client(1). Rather you can simply run:
chainfile=/some/where/chain-filename.pem
openssl crl2pkcs7 -nocrl -certfile "${chainfile}" |
openssl pkcs7 -print_certs -noout
Therefore, for any other software whose configuration supports
loading a PEM chain file (consult the documentation), you can verify
the correctness of the chain file locally.
For even more detail, you can append "-text" after the "-noout"
option, and see a fully decoded verbose output of each certificate
showing validity dates, and various X.509 extensions including any
"subject alternative names" you might expect in the leaf certificate
and subject and authority key identifiers that link the issuer and
subject more precisely than just the names in the concise output.
--
Best regards,
Charles Marcus
I.T. Director
Media Brokers International, Inc.
678.514.6224 | 678.514.6299 fax
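As an added example (not part of the thread, and not Viktor's or Postfix's code), the following POSIX shell script automates the subject/issuer linkage check described above for a local PEM chain file: it splits the file into individual certificates (since openssl x509 reads only the first one), prints each subject and issuer, and fails when the subject of a certificate does not match the issuer of the one before it. The make_demo_chain helper builds a throwaway root CA and leaf on the spot as constructed test data; the function names, the smtp.example.test name and the file layout are my own, and the script assumes openssl, awk, sed and mktemp are in PATH.

```shell
#!/bin/sh
# Added example (not from the thread): check the subject/issuer linkage of a
# PEM certificate chain file locally. Assumes openssl(1), awk, sed and mktemp.

# check_chain FILE
# Splits FILE into its individual PEM certificates, prints each subject and
# issuer, and returns 1 if the subject of any certificate after the first
# differs from the issuer of the one before it (2 if no certificate is found).
check_chain() {
    chain=$1
    work=$(mktemp -d) || return 2

    # One file per certificate: cert-01.pem, cert-02.pem, ... in chain order.
    awk -v dir="$work" '
        /^-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n); inpem = 1 }
        inpem { print > f }
        /^-----END CERTIFICATE-----/ { inpem = 0; close(f) }
    ' "$chain"

    rc=0
    i=0
    prev_issuer=""
    for f in "$work"/cert-*.pem; do
        [ -e "$f" ] || { echo "no PEM certificates found in $chain" >&2; rm -rf "$work"; return 2; }
        i=$((i + 1))
        # RFC 2253 formatting gives one canonical string for both names.
        subject=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
        issuer=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
        echo "[$i] subject=$subject"
        echo "[$i] issuer=$issuer"
        if [ -n "$prev_issuer" ] && [ "$subject" != "$prev_issuer" ]; then
            echo "[$i] BROKEN LINK: subject does not match issuer of certificate $((i - 1))" >&2
            rc=1
        fi
        prev_issuer=$issuer
    done
    # The last certificate is self-signed only if it is a root; anything else
    # means the file stops short of the trust anchor (often fine for servers).
    if [ "$subject" = "$issuer" ]; then
        echo "[$i] is self-signed (root)"
    else
        echo "[$i] is not self-signed; chain ends at an intermediate"
    fi
    rm -rf "$work"
    return $rc
}

# make_demo_chain DIR
# Constructed test data: a throwaway root CA and a leaf signed by it.
# Writes DIR/good-chain.pem (leaf then root, correct order) and
# DIR/bad-chain.pem (root then leaf, wrong order).
make_demo_chain() {
    dir=$1
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/root.key" -out "$dir/root.pem" \
        -subj "/O=Example Demo/CN=Example Demo Root CA" -days 1 >/dev/null 2>&1 || return 1
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
        -subj "/CN=smtp.example.test" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -out "$dir/leaf.pem" -days 1 >/dev/null 2>&1 || return 1
    cat "$dir/leaf.pem" "$dir/root.pem" > "$dir/good-chain.pem"
    cat "$dir/root.pem" "$dir/leaf.pem" > "$dir/bad-chain.pem"
}

# Usage: check_chain.sh /some/where/chain-filename.pem
# With no argument, build the demo chain and check both orderings.
if [ -n "${1:-}" ]; then
    check_chain "$1"
else
    demo=$(mktemp -d)
    make_demo_chain "$demo"
    echo "== correctly ordered demo chain =="
    check_chain "$demo/good-chain.pem" && echo "OK"
    echo "== reversed demo chain =="
    check_chain "$demo/bad-chain.pem" || echo "broken link detected, as expected"
    rm -rf "$demo"
fi
```

Matching names this way is the same check the pkcs7 pipeline lets you do by eye, and it is necessary but not sufficient: it says nothing about signatures or validity dates. Once the ordering is right, openssl verify (with the intermediates passed via -untrusted and the trust anchor via -CAfile) confirms that each certificate was actually signed by the next.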