On Jan 31, 2015, at 7:15 PM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

> On Sat, Jan 31, 2015 at 05:16:33PM -0700, LuKreme wrote:
>
>> The start was just date stamp info and PID:
>>
>> Jan 31 01:52:10 mail postfix/smtpd[62297]: warning: TLS library problem:
>> error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
>> certificate:s3_pkt.c:1293:SSL alert number 42:
>
> Which confirms that the problem is with your SMTP server as expected.

It does? I don’t know what in the error (especially with the addition of "Jan 31 01:52:10 mail postfix/smtpd[62297]:”) would show where the error is. I am not questioning you, just saying I don’t understand the warning. It LOOKS like the other server is rejecting my self-signed key for opportunistic TLS.

> Assume away, or look more carefully at your own certificate chain.

$ posttls-finger mail.covisp.net
posttls-finger: Connected to mail.covisp.net[75.148.37.66]:25
posttls-finger: < 220 mail.covisp.net ESMTP Postfix 2.11.3
posttls-finger: > EHLO mail.covisp.net
posttls-finger: < 250-mail.covisp.net
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 26214400
posttls-finger: < 250-ETRN
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-AUTH PLAIN LOGIN
posttls-finger: < 250-AUTH=PLAIN LOGIN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250 DSN
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: mail.covisp.net[75.148.37.66]:25 Matched CommonName mail.covisp.net
posttls-finger: certificate verification failed for mail.covisp.net[75.148.37.66]:25: self-signed certificate
posttls-finger: mail.covisp.net[75.148.37.66]:25: subject_CN=mail.covisp.net, issuer_CN=mail.covisp.net, fingerprint=A9:27:59:D2:B0:43:AD:21:38:B9:CC:20:30:EF:7F:A1:98:4E:1B:CD, pkey_fingerprint=75:D3:56:46:97:6C:FB:7A:A3:FC:75:7D:82:C5:FD:67:AE:56:EA:B4
posttls-finger: Untrusted TLS connection established to mail.covisp.net[75.148.37.66]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

I know the cert is self-signed, and that’s unlikely to change. If that is the source of these warnings then I can ignore them. If it’s something else, though, and it’s something I can/should fix, then I’d like to fix it.

>> Looking at the previous line,
>>
>> Jan 31 01:52:10 mail postfix/smtpd[62297]: SSL_accept error from
>> mail-luna36.mailgun.org[173.193.210.36]: 0
>>
>> Is that what you were looking for?
>
> Yes. http://www.mailgun.com/
>
> $ posttls-finger "mailgun.org"
> posttls-finger: Connected to mxb.mailgun.org[50.56.21.178]:25
> posttls-finger: < 220 ak47 ESMTP ready
>
> Perhaps their email ammunition includes some blanks.

Their cert fails as well:

posttls-finger: mxa.mailgun.org[50.56.21.178]:25: Matched subjectAltName: *.mailgun.org
posttls-finger: mxa.mailgun.org[50.56.21.178]:25: Matched subjectAltName: mailgun.org
posttls-finger: mxa.mailgun.org[50.56.21.178]:25 CommonName *.mailgun.org
posttls-finger: certificate verification failed for mxa.mailgun.org[50.56.21.178]:25: untrusted issuer /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
posttls-finger: mxa.mailgun.org[50.56.21.178]:25: subject_CN=*.mailgun.org, issuer_CN=RapidSSL CA, fingerprint=5E:CF:E0:76:D5:DE:D3:E7:A8:4A:A2:2D:3D:51:0B:A6:C6:07:79:6A, pkey_fingerprint=F8:51:2B:C8:22:08:63:42:90:C6:0B:6B:A0:68:A0:55:57:0C:EC:F6
posttls-finger: Untrusted TLS connection established to mxa.mailgun.org[50.56.21.178]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

-- 
A balanced diet is a cookie in each hand.
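The point Viktor is making, that "SSL alert number 42" logged by smtpd is an alert *received* from the remote client and therefore the client's verdict on the server's own certificate, can be checked mechanically. The script below is an added example, not part of the thread or of Postfix: it pairs the SSL_accept/SSL_connect error with the "TLS library problem" warning from the same process and reports which side raised the alert. The two smtpd lines are the ones quoted above; the outbound smtp pair and the 192.0.2.10 host are constructed.

```python
import re

# TLS alert descriptions (RFC 5246 section 7.2) for the alerts that usually
# turn up in Postfix "TLS library problem" warnings.
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
              44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
              48: "unknown_ca", 70: "protocol_version"}

# "postfix/smtpd[pid]" is the inbound server; "postfix/smtp[pid]" the outbound client.
PREFIX = r"postfix/(?P<proc>smtpd?)\[(?P<pid>\d+)\]: "
ERR_RE = re.compile(PREFIX + r"SSL_(?:accept|connect) error (?:from|to) (?P<peer>[^\s:]+)")
ALERT_RE = re.compile(PREFIX + r"warning: TLS library problem: .*SSL alert number (?P<num>\d+)")

def classify(lines):
    """Pair each SSL_accept/SSL_connect error with the "TLS library problem"
    warning the same process logs next, and say which side raised the alert.
    OpenSSL reports "SSL alert number N" only for alerts received from the
    peer, so in smtpd the remote client objected to our server certificate,
    while in smtp the remote server objected to what we presented."""
    pending, results = {}, []
    for line in lines:
        m = ERR_RE.search(line)
        if m:
            pending[m.group("pid")] = m.group("peer")
            continue
        m = ALERT_RE.search(line)
        if not m:
            continue
        num = int(m.group("num"))
        inbound = m.group("proc") == "smtpd"
        results.append({
            "peer": pending.pop(m.group("pid"), "unknown"),
            "alert": TLS_ALERTS.get(num, f"alert_{num}"),
            "sent_by": "remote client" if inbound else "remote server",
            "our_server_cert_rejected": inbound and num in (42, 44, 45, 46, 48),
        })
    return results

# Constructed sample: the two smtpd lines quoted in the thread, plus an invented
# outbound smtp pair (192.0.2.10 is a documentation address, not a real host).
SAMPLE = [
    "Jan 31 01:52:10 mail postfix/smtpd[62297]: SSL_accept error from mail-luna36.mailgun.org[173.193.210.36]: 0",
    "Jan 31 01:52:10 mail postfix/smtpd[62297]: warning: TLS library problem: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1293:SSL alert number 42:",
    "Jan 31 02:00:00 mail postfix/smtp[70001]: SSL_connect error to mx.example.invalid[192.0.2.10]:25: -1",
    "Jan 31 02:00:00 mail postfix/smtp[70001]: warning: TLS library problem: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1293:SSL alert number 48:",
]

if __name__ == "__main__":
    for r in classify(SAMPLE):
        print(r)
```

For the thread's own line this yields peer mail-luna36.mailgun.org, alert bad_certificate, sent by the remote client: the Mailgun client disliked the self-signed mail.covisp.net certificate, which is what the posttls-finger run against that host also shows.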