On Fri, Nov 21, 2014 at 01:42:55PM -0500, Deeztek Support wrote:

> 
> >Certificate chain
> >  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
> >    i:/C=US/O=Google Inc/CN=Google Internet Authority G2
> >  1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
> >    i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
> >  2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
> >    i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> >
> >Do you have the root certificate?
> 
> Yes the certificate for Equifax Secure Certificate authority is added in the
> /etc/ssl/certs/ca-certificates.crt file

Prove it:

$ cat > issuer.pem <<EOF
 2 subject: /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    issuer: /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
   cert digest=73:59:75:5C:6D:F9:A0:AB:C3:06:0B:CE:36:95:64:C8:EC:45:42:A3
   pkey digest=C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
EOF

$ openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt \
        -purpose crlsign issuer.pem

The relevant "Authority Key Identifier" is:

    48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4

> >Did you tell Postfix what name to expect in the server certificate?
> >It does not contain the name alt4.gmail-smtp-in.l.google.com.
> 
> what do you mean by that? Are you referring to the alternate names on the
> cert?

The full chain is below my signature.  None of the names in that
certificate match "gmail.com", they're all "google.com" names, with
"mx.google.com" as the most appropriate name for this service.

However, before name checks come into play, you need to configure a
trusted issuer, in your CA file.

-- 
        Viktor.

posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: aspmx.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt1.aspmx.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt2.aspmx.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt3.aspmx.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt4.aspmx.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: Matched subjectAltName: gmail-smtp-in.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt1.gmail-smtp-in.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt2.gmail-smtp-in.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt3.gmail-smtp-in.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt4.gmail-smtp-in.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: gmr-smtp-in.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt1.gmr-smtp-in.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt2.gmr-smtp-in.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt3.gmr-smtp-in.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: alt4.gmr-smtp-in.l.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: mx.google.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: aspmx2.googlemail.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: aspmx3.googlemail.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: aspmx4.googlemail.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subjectAltName: aspmx5.googlemail.com
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25 CommonName mx.google.com
posttls-finger: certificate verification failed for gmail-smtp-in.l.google.com[74.125.29.27]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: subject_CN=gmail-smtp-in.l.google.com, issuer_CN=Google Internet Authority G2, fingerprint=22:82:B3:79:69:6A:72:15:05:F2:73:FA:1E:6B:BE:36:F0:BA:01:E2, pkey_fingerprint=86:BB:05:08:F2:AF:5F:23:84:9F:BB:78:75:19:28:BF:B4:50:4F:92
posttls-finger: Untrusted TLS connection established to gmail-smtp-in.l.google.com[74.125.29.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

---
Certificate chain
 0 subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
    issuer: /C=US/O=Google Inc/CN=Google Internet Authority G2
   cert digest=22:82:B3:79:69:6A:72:15:05:F2:73:FA:1E:6B:BE:36:F0:BA:01:E2
   pkey digest=86:BB:05:08:F2:AF:5F:23:84:9F:BB:78:75:19:28:BF:B4:50:4F:92
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
 1 subject: /C=US/O=Google Inc/CN=Google Internet Authority G2
    issuer: /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   cert digest=D8:3C:1A:7F:4D:04:46:BB:20:81:B8:1A:16:70:F8:18:34:51:CA:24
   pkey digest=43:DA:D6:30:EE:53:F8:A9:80:CA:6E:FD:85:F4:6A:A3:79:90:E0:EA
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
 2 subject: /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    issuer: /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
   cert digest=73:59:75:5C:6D:F9:A0:AB:C3:06:0B:CE:36:95:64:C8:EC:45:42:A3
   pkey digest=C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
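
The message makes two separate points: trust in the issuer is decided before any name check, and none of the certificate's names is "gmail.com". The following is an added example, not part of the original message or of Postfix: it reads posttls-finger lines in the format shown above and reports which stage fails. The function names are hypothetical, the sample lines are constructed from that output with wrapped lines rejoined, and the name check is a simplified model (exact names and ".domain" suffix patterns only).

```python
import re

# Constructed sample in the posttls-finger format quoted above
# (wrapped lines rejoined, SAN list shortened).
P = "posttls-finger: gmail-smtp-in.l.google.com[74.125.29.27]:25: "
SAMPLE = "\n".join([
    P + "subjectAltName: aspmx.l.google.com",
    P + "Matched subjectAltName: gmail-smtp-in.l.google.com",
    P + "subjectAltName: alt4.gmail-smtp-in.l.google.com",
    P + "subjectAltName: mx.google.com",
    P + "subjectAltName: aspmx2.googlemail.com",
    "posttls-finger: certificate verification failed for "
    "gmail-smtp-in.l.google.com[74.125.29.27]:25: untrusted issuer "
    "/C=US/O=Equifax/OU=Equifax Secure Certificate Authority",
    "posttls-finger: Untrusted TLS connection established to "
    "gmail-smtp-in.l.google.com[74.125.29.27]:25: TLSv1.2 with cipher "
    "ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)",
])

SAN_RE = re.compile(r"subjectAltName: (\S+)$")
ISSUER_RE = re.compile(r"verification failed for \S+ untrusted issuer (.+)$")

def parse(log):
    """Return (SAN names, untrusted issuer DN or None) from the log text."""
    sans, issuer = [], None
    for line in log.splitlines():
        if m := SAN_RE.search(line):
            sans.append(m.group(1).lower())
        elif m := ISSUER_RE.search(line):
            issuer = m.group(1)
    return sans, issuer

def matching_names(log, patterns):
    """Simplified name check: 'example.com' must equal a certificate name,
    '.example.com' matches any subdomain. Wildcard names are not handled."""
    sans, _ = parse(log)
    def hit(name):
        return any(name.endswith(p) if p.startswith(".") else name == p
                   for p in (q.lower() for q in patterns))
    return [n for n in sans if hit(n)]

def diagnose(log, patterns):
    """Trust is decided first; names only matter once the chain is trusted."""
    _, issuer = parse(log)
    if issuer:
        return ("trust", issuer)
    names = matching_names(log, patterns)
    return ("ok", names) if names else ("name", [])

if __name__ == "__main__":
    print(diagnose(SAMPLE, ["mx.google.com"]))
    print(matching_names(SAMPLE, ["gmail.com", ".gmail.com"]))
```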
