On 11/20/2014 01:52 PM, li...@rhsoft.net wrote:
On 20.11.2014 at 19:47, Robert Moskowitz wrote:
So I have enabled TLS (though I forgot how I did this!) for
sending/receiving mail. It ONLY took me a year from when I started
working on this migration to finally pulling it off.
And of course, being on the cheap side, I used self-signed
certificates. Well I see some sites, including dovecot.org rejecting
emails.
Nov 20 10:19:45 z9m9z postfix/lmtp[4040]: 5CF7062110:
to=<dove...@dovecot.org>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=12,
delay=5890, delays=4534/1346/0.01/8.8, dsn=2.0.0, status=sent (250 2.0.0
Ok, id=04061-01-12, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as
8602A600B7)
Nov 20 10:19:46 z9m9z postfix/smtp[4090]: certificate verification
failed for dovecot.org[137.117.229.219]:25: self-signed certificate
Lovely, lovely. I CAN understand this. After all, secure communications
is my day job. But I don't like it. Does only accepting well-rooted
certs matter for server performance? Are there really DOS attacks
occurring on sites that accept self-signed certs (this listserver does
not seem to be using TLS)?
So now I either turn off TLS for MTA-MTA communications, or I find a
decent CA to get a cert from and I set it up right.
Do others here use self-signed certs in this way?
what are you talking about?
that above is most likely just a warning for the record
you failed to provide *full logs* for that transaction as well as
"postconf -n" output - Postfix doesn't reject self-signed certificates
until somebody decides to configure it that way
I just determined that I have not received any messages from dovecot.org
to my new email server. I normally get 10 - 20 emails a day from that
list. I sent a message to the list today to ask about more detailed
reporting to logwatch and here are the maillog messages you asked for:
Nov 20 10:19:37 z9m9z amavis[4061]: (04061-01-12) LMTP::10024
/var/spool/amavisd/tmp/amavis-20141120T101739-04061:
<r...@htt-consult.com> -> <dove...@dovecot.org> SIZE=4010 Received: from
z9m9z.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.htt-consult.com
[127.0.0.1]) (amavisd-new, port 10024) with LMTP for
<dove...@dovecot.org>; Thu, 20 Nov 2014 10:19:37 -0500 (EST)
Nov 20 10:19:37 z9m9z amavis[4061]: (04061-01-12) Checking: mvxDjgVVZpL6
MYNETS [208.83.67.156] <r...@htt-consult.com> -> <dove...@dovecot.org>
Nov 20 10:19:45 z9m9z amavis[4061]: (04061-01-12) FWD via SMTP:
<r...@htt-consult.com> -> <dove...@dovecot.org>,BODY=7BIT 250 2.0.0 Ok,
id=04061-01-12, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as
8602A600B7
Nov 20 10:19:45 z9m9z amavis[4061]: (04061-01-12) Passed CLEAN, MYNETS
LOCAL [208.83.67.156] [208.83.67.156] <r...@htt-consult.com> ->
<dove...@dovecot.org>, Message-ID: <546def8a.1080...@htt-consult.com>,
mail_id: mvxDjgVVZpL6, Hits: -2.91, size: 4010, queued_as: 8602A600B7,
8739 ms
Nov 20 10:19:45 z9m9z postfix/lmtp[4040]: 5CF7062110:
to=<dove...@dovecot.org>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=12,
delay=5890, delays=4534/1346/0.01/8.8, dsn=2.0.0, status=sent (250 2.0.0
Ok, id=04061-01-12, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as
8602A600B7)
Nov 20 10:19:46 z9m9z postfix/smtp[4090]: certificate verification
failed for dovecot.org[137.117.229.219]:25: self-signed certificate
Nov 20 10:19:47 z9m9z postfix/smtp[4090]: 8602A600B7:
to=<dove...@dovecot.org>, relay=dovecot.org[137.117.229.219]:25,
delay=2.2, delays=0.09/0.03/1.5/0.52, dsn=2.0.0, status=sent (250 2.0.0
Ok: queued as B57F32347A)
Sure looks like dovecot.org rejected my MTA connection. I doubt when
the requeued message tries again it will go through.
So I decided to look to see if I can see anything coming from
dovecot.org, and maybe them dropping the connection when they get my
self-signed cert. But nothing for incoming connections from
dovecot.org. Would have to increase some sort of logging activity to
discover that.
Of course this means if dovecot.org won't take emails from my MTA, and
it looks like it won't send any either, there are probably other sites,
that I can't figure out are also not sending emails now. Without
increasing logging to discover failed connections, and would they even
tell me that they did not like my cert?
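One way to settle the question raised in this thread from the log itself is to pair each postfix/smtp "certificate verification failed" warning with the delivery line the same smtp process then logs for the same relay. The following is an added example, not code from the thread or from Postfix; it assumes the log format quoted above, and the second delivery line in the sample is constructed to show the no-warning case. With Postfix's opportunistic setting (smtp_tls_security_level = may) such a warning is informational and the message is still handed off, which is what the queue id 8602A600B7 line shows.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the two postfix/smtp lines for 8602A600B7 from the
# thread (re-joined onto single lines) plus one made-up delivery to a
# different relay that had no TLS warning.
SAMPLE_LOG = """\
Nov 20 10:19:46 z9m9z postfix/smtp[4090]: certificate verification failed for dovecot.org[137.117.229.219]:25: self-signed certificate
Nov 20 10:19:47 z9m9z postfix/smtp[4090]: 8602A600B7: to=<dove...@dovecot.org>, relay=dovecot.org[137.117.229.219]:25, delay=2.2, delays=0.09/0.03/1.5/0.52, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as B57F32347A)
Nov 20 10:25:00 z9m9z postfix/smtp[4090]: DEADBEEF01: to=<user@example.net>, relay=mail.example.net[192.0.2.10]:25, delay=1.1, delays=0.05/0.01/0.8/0.2, dsn=2.0.0, status=sent (250 OK)
"""

# Common syslog prefix of a postfix/smtp line; the pid is what lets us tie a
# verification warning (which carries no queue id) to the delivery that follows.
SMTP_PREFIX = r"^\w{3} +\d+ [\d:]+ \S+ postfix/smtp\[(?P<pid>\d+)\]: "
VERIFY_RE = re.compile(
    SMTP_PREFIX + r"certificate verification failed for (?P<relay>[^\[]+)\[[^\]]+\]:\d+: (?P<reason>.+)$")
DELIVERY_RE = re.compile(
    SMTP_PREFIX + r"(?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^\[]+)\[[^\]]+\]:\d+, "
    r".*status=(?P<status>\w+) \((?P<detail>.*)\)$")


def correlate(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Return one record per delivery attempt, with the most recent TLS
    verification warning from the same smtp process/relay attached (or None)."""
    pending: Dict[tuple, str] = {}  # (pid, relay) -> verification failure reason
    results: List[Dict[str, Optional[str]]] = []
    for line in log_text.splitlines():
        m = VERIFY_RE.match(line)
        if m:
            pending[(m["pid"], m["relay"])] = m["reason"]
            continue
        m = DELIVERY_RE.match(line)
        if m:
            results.append({
                "queue_id": m["qid"], "relay": m["relay"], "rcpt": m["rcpt"],
                "status": m["status"], "detail": m["detail"],
                "tls_warning": pending.pop((m["pid"], m["relay"]), None),
            })
    return results


if __name__ == "__main__":
    for r in correlate(SAMPLE_LOG):
        note = f" (TLS warning: {r['tls_warning']})" if r["tls_warning"] else ""
        print(f"{r['queue_id']} -> {r['relay']}: status={r['status']}{note}")
```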