On 01 Feb 2015, at 10:13, LuKreme <krem...@kreme.com> wrote:

> On Jan 31, 2015, at 7:15 PM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>> On Sat, Jan 31, 2015 at 05:16:33PM -0700, LuKreme wrote:
>>
>>> The start was just date stamp info and PID:
>>>
>>> Jan 31 01:52:10 mail postfix/smtpd[62297]: warning: TLS library problem: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1293:SSL alert number 42:
>>
>> Which confirms that the problem is with your SMTP server as expected.
>
> It does? I don't know what in the error (especially with the addition of "Jan 31 01:52:10 mail postfix/smtpd[62297]:") would show where the error is. I am not questioning you, just saying I don't understand the warning. It LOOKS like the other server is rejecting my self-signed key for opportunistic TLS.
It's a local error, reflecting that an incoming SMTP connection found something wrong with your certificate. This is very dependent on the configuration of the SMTP client, however. They might reject self-signed certificates, but it looks like they also have issues with CA-signed ones, as the same error shows up for us, from the same source. See below.

>> Assume away, or look more carefully at your own certificate chain.
>
> $ posttls-finger mail.covisp.net
> posttls-finger: Connected to mail.covisp.net[75.148.37.66]:25
> posttls-finger: < 220 mail.covisp.net ESMTP Postfix 2.11.3
> posttls-finger: > EHLO mail.covisp.net
> posttls-finger: < 250-mail.covisp.net
> posttls-finger: < 250-PIPELINING
> posttls-finger: < 250-SIZE 26214400
> posttls-finger: < 250-ETRN
> posttls-finger: < 250-STARTTLS
> posttls-finger: < 250-AUTH PLAIN LOGIN
> posttls-finger: < 250-AUTH=PLAIN LOGIN
> posttls-finger: < 250-ENHANCEDSTATUSCODES
> posttls-finger: < 250-8BITMIME
> posttls-finger: < 250 DSN
> posttls-finger: > STARTTLS
> posttls-finger: < 220 2.0.0 Ready to start TLS
> posttls-finger: mail.covisp.net[75.148.37.66]:25 Matched CommonName mail.covisp.net
> posttls-finger: certificate verification failed for mail.covisp.net[75.148.37.66]:25: self-signed certificate
> posttls-finger: mail.covisp.net[75.148.37.66]:25: subject_CN=mail.covisp.net, issuer_CN=mail.covisp.net, fingerprint=A9:27:59:D2:B0:43:AD:21:38:B9:CC:20:30:EF:7F:A1:98:4E:1B:CD, pkey_fingerprint=75:D3:56:46:97:6C:FB:7A:A3:FC:75:7D:82:C5:FD:67:AE:56:EA:B4
> posttls-finger: Untrusted TLS connection established to mail.covisp.net[75.148.37.66]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>
> I know the cert is self-signed, and that's unlikely to change. If that is the source of these warnings then I can ignore them. If it's something else, though, and it's something I can/should fix, then I'd like to fix it.
This is the same test, from our secondary to primary MX;

==
$ /usr/sbin/posttls-finger -P/etc/ssl/certs narya.dtnx.eu
posttls-finger: Connected to narya.dtnx.eu[2a01:7c8:aaae:117::1]:25
posttls-finger: < 220-narya.dtnx.eu ESMTP
posttls-finger: < 220 narya.dtnx.eu ESMTP
posttls-finger: > EHLO vilya.dtnx.org
posttls-finger: < 250-narya.dtnx.eu
posttls-finger: < 250-SIZE 31457280
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250 8BITMIME
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: narya.dtnx.eu[2a01:7c8:aaae:117::1]:25: Matched subjectAltName: narya.dtnx.eu
posttls-finger: narya.dtnx.eu[2a01:7c8:aaae:117::1]:25: subjectAltName: www.narya.dtnx.eu
posttls-finger: narya.dtnx.eu[2a01:7c8:aaae:117::1]:25 CommonName narya.dtnx.eu
posttls-finger: narya.dtnx.eu[2a01:7c8:aaae:117::1]:25: subject_CN=narya.dtnx.eu, issuer_CN=COMODO RSA Domain Validation Secure Server CA, fingerprint=F4:82:35:32:47:4B:B3:19:8A:29:3B:A3:58:CE:EB:B9:30:61:5B:B8, pkey_fingerprint=CF:A3:38:82:19:81:15:E3:4A:4F:AC:9E:78:AA:E1:7B:B1:48:24:DE
posttls-finger: Verified TLS connection established to narya.dtnx.eu[2a01:7c8:aaae:117::1]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
posttls-finger: > EHLO vilya.dtnx.org
posttls-finger: < 250-narya.dtnx.eu
posttls-finger: < 250-SIZE 31457280
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250 8BITMIME
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye
==

Trusted by the Mozilla root certificate store, yet MailGun still barfs on it.
Some examples from Friday;

==
2015-01-30T17:09:14.879593+01:00 narya postfix/smtpd[3693]: connect from mail-d138.mailgun.org[208.43.239.138]
2015-01-30T17:09:15.325928+01:00 narya postfix/smtpd[3693]: SSL_accept error from mail-d138.mailgun.org[208.43.239.138]: 0
2015-01-30T17:09:15.326172+01:00 narya postfix/smtpd[3693]: warning: TLS library problem: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1262:SSL alert number 42:
2015-01-30T17:09:15.326412+01:00 narya postfix/smtpd[3693]: lost connection after STARTTLS from mail-d138.mailgun.org[208.43.239.138]
2015-01-30T17:09:15.326678+01:00 narya postfix/smtpd[3693]: disconnect from mail-d138.mailgun.org[208.43.239.138]
==

==
2015-01-30T19:17:39.176912+01:00 narya postfix/smtpd[4332]: connect from mail-p183.mailgun.org[184.173.153.183]
2015-01-30T19:17:39.626257+01:00 narya postfix/smtpd[4332]: SSL_accept error from mail-p183.mailgun.org[184.173.153.183]: 0
2015-01-30T19:17:39.626499+01:00 narya postfix/smtpd[4332]: warning: TLS library problem: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1262:SSL alert number 42:
2015-01-30T19:17:39.626885+01:00 narya postfix/smtpd[4332]: lost connection after STARTTLS from mail-p183.mailgun.org[184.173.153.183]
2015-01-30T19:17:39.627266+01:00 narya postfix/smtpd[4332]: disconnect from mail-p183.mailgun.org[184.173.153.183]
==

Happens with all their domains; 'mailgun.org', 'mailgun.us' etc. We switched from self-signed to CA-signed to see if it would resolve the issue, but it did not. At this point we're basically assuming that it's their problem, as they are the only sender that exhibits this behaviour.

>>> Looking at the previous line,
>>>
>>> Jan 31 01:52:10 mail postfix/smtpd[62297]: SSL_accept error from mail-luna36.mailgun.org[173.193.210.36]: 0
>>>
>>> Is that what you were looking for?
>>
>> Yes.
>> http://www.mailgun.com/
>>
>> $ posttls-finger "mailgun.org"
>> posttls-finger: Connected to mxb.mailgun.org[50.56.21.178]:25
>> posttls-finger: < 220 ak47 ESMTP ready
>>
>> Perhaps their email ammunition includes some blanks.
>
> Their cert fails as well:
>
> posttls-finger: mxa.mailgun.org[50.56.21.178]:25: Matched subjectAltName: *.mailgun.org
> posttls-finger: mxa.mailgun.org[50.56.21.178]:25: Matched subjectAltName: mailgun.org
> posttls-finger: mxa.mailgun.org[50.56.21.178]:25 CommonName *.mailgun.org
> posttls-finger: certificate verification failed for mxa.mailgun.org[50.56.21.178]:25: untrusted issuer /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
> posttls-finger: mxa.mailgun.org[50.56.21.178]:25: subject_CN=*.mailgun.org, issuer_CN=RapidSSL CA, fingerprint=5E:CF:E0:76:D5:DE:D3:E7:A8:4A:A2:2D:3D:51:0B:A6:C6:07:79:6A, pkey_fingerprint=F8:51:2B:C8:22:08:63:42:90:C6:0B:6B:A0:68:A0:55:57:0C:EC:F6
> posttls-finger: Untrusted TLS connection established to mxa.mailgun.org[50.56.21.178]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Unless you specify a source of trusted certificates, posttls-finger trusts nothing; 'By default no CApath is used and no public CAs are trusted.'
Here's the same test, with '-P';

==
$ /usr/sbin/posttls-finger -P/etc/ssl/certs mailgun.org
posttls-finger: Connected to mxb.mailgun.org[50.56.21.178]:25
posttls-finger: < 220 ak47 ESMTP ready
posttls-finger: > EHLO vilya.dtnx.org
posttls-finger: < 250-ak47
posttls-finger: < 250-AUTH PLAIN LOGIN
posttls-finger: < 250-SIZE 52428800
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250 STARTTLS
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Start TLS
posttls-finger: mxb.mailgun.org[50.56.21.178]:25: Matched subjectAltName: *.mailgun.org
posttls-finger: mxb.mailgun.org[50.56.21.178]:25: Matched subjectAltName: mailgun.org
posttls-finger: mxb.mailgun.org[50.56.21.178]:25 CommonName *.mailgun.org
posttls-finger: mxb.mailgun.org[50.56.21.178]:25: subject_CN=*.mailgun.org, issuer_CN=RapidSSL CA, fingerprint=5E:CF:E0:76:D5:DE:D3:E7:A8:4A:A2:2D:3D:51:0B:A6:C6:07:79:6A, pkey_fingerprint=F8:51:2B:C8:22:08:63:42:90:C6:0B:6B:A0:68:A0:55:57:0C:EC:F6
posttls-finger: Verified TLS connection established to mxb.mailgun.org[50.56.21.178]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
posttls-finger: > EHLO vilya.dtnx.org
posttls-finger: < 250-ak47
posttls-finger: < 250-AUTH PLAIN LOGIN
posttls-finger: < 250-SIZE 52428800
posttls-finger: < 250-8BITMIME
posttls-finger: < 250 ENHANCEDSTATUSCODES
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye
==

So that isn't the issue.

By the way, CA-signed certificates start at less than $10/year, so if you ever do run into an issue which might be resolved by getting one, and your configuration isn't too complex, I would suggest spending that little bit of money. Not the case here though, as far as I can tell :-)

HTH,
Joni
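The thread turns on reading the smtpd log correctly: a "TLS library problem" reported through SSL3_READ_BYTES as "sslv3 alert bad certificate ... SSL alert number 42" is an alert the local server *received*, so it records the remote SMTP client's verdict on the local certificate, not a local verification failure. The script below is an added example, not code from the thread or from Postfix; it correlates the "SSL_accept error" line with the alert that follows it for the same smtpd PID and groups the result by sending host, so an operator can see at a glance which senders are aborting STARTTLS and with which alert. The sample input reuses the log lines quoted in the thread (both the ISO-8601 and the traditional syslog timestamp formats) plus one constructed successful session for mx.example.net; the alert names are taken from RFC 5246 section 7.2.

```python
import re
from collections import defaultdict

# Constructed sample input: the mailgun sessions are the lines quoted in the
# thread; the mx.example.net session is a constructed successful STARTTLS.
SAMPLE_LOG = """\
2015-01-30T17:09:14.879593+01:00 narya postfix/smtpd[3693]: connect from mail-d138.mailgun.org[208.43.239.138]
2015-01-30T17:09:15.325928+01:00 narya postfix/smtpd[3693]: SSL_accept error from mail-d138.mailgun.org[208.43.239.138]: 0
2015-01-30T17:09:15.326172+01:00 narya postfix/smtpd[3693]: warning: TLS library problem: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1262:SSL alert number 42:
2015-01-30T17:09:15.326412+01:00 narya postfix/smtpd[3693]: lost connection after STARTTLS from mail-d138.mailgun.org[208.43.239.138]
2015-01-30T17:09:15.326678+01:00 narya postfix/smtpd[3693]: disconnect from mail-d138.mailgun.org[208.43.239.138]
Jan 31 01:52:10 mail postfix/smtpd[62297]: SSL_accept error from mail-luna36.mailgun.org[173.193.210.36]: 0
Jan 31 01:52:10 mail postfix/smtpd[62297]: warning: TLS library problem: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1293:SSL alert number 42:
Jan 31 01:52:10 mail postfix/smtpd[62297]: lost connection after STARTTLS from mail-luna36.mailgun.org[173.193.210.36]
Jan 31 01:52:11 mail postfix/smtpd[62298]: connect from mx.example.net[192.0.2.10]
Jan 31 01:52:11 mail postfix/smtpd[62298]: Anonymous TLS connection established from mx.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 31 01:52:12 mail postfix/smtpd[62298]: disconnect from mx.example.net[192.0.2.10]
"""

# TLS alert descriptions (RFC 5246 section 7.2) commonly seen after SSL_accept errors.
ALERT_NAMES = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    70: "protocol_version",
}

SMTPD_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PEER_RE = re.compile(r"from (?P<host>\S+)\[(?P<ip>[^\]]+)\]")
ALERT_RE = re.compile(r"TLS library problem: .*?SSL alert number (?P<num>\d+)")


def parse_smtpd_line(line):
    """Return (pid, message) for a postfix/smtpd log line, or None for anything else."""
    m = SMTPD_RE.search(line)
    if not m:
        return None
    return m.group("pid"), m.group("msg")


def summarize_tls_failures(lines):
    """Correlate each SSL_accept error with the TLS alert logged next for the same PID.

    Returns {host: {"attempts": n, "alerts": {alert_number: count}, "ips": set}}.
    An alert reported via SSL3_READ_BYTES was received from the peer, so in smtpd
    it is the remote client's verdict on the local server certificate.
    """
    pending = {}  # pid -> (host, ip) from the most recent SSL_accept error
    report = defaultdict(lambda: {"attempts": 0, "alerts": defaultdict(int), "ips": set()})

    for line in lines:
        parsed = parse_smtpd_line(line)
        if parsed is None:
            continue
        pid, msg = parsed

        if msg.startswith("SSL_accept error"):
            peer = PEER_RE.search(msg)
            if peer:
                host, ip = peer.group("host"), peer.group("ip")
                pending[pid] = (host, ip)
                report[host]["attempts"] += 1
                report[host]["ips"].add(ip)
            continue

        alert = ALERT_RE.search(msg)
        if alert and pid in pending:
            host, _ = pending[pid]
            report[host]["alerts"][int(alert.group("num"))] += 1
            continue

        # The session is over; any later alert for this PID belongs to a new client.
        if msg.startswith("lost connection") or msg.startswith("disconnect"):
            pending.pop(pid, None)

    return dict(report)


def describe_alert(num):
    return f"{num} ({ALERT_NAMES.get(num, 'unknown')})"


def clients_rejecting_our_cert(report):
    """Hosts whose every failed handshake ended with the peer sending bad_certificate (42)."""
    return sorted(h for h, e in report.items()
                  if e["attempts"] > 0 and e["alerts"].get(42, 0) == e["attempts"])


if __name__ == "__main__":
    rep = summarize_tls_failures(SAMPLE_LOG.splitlines())
    for host, e in sorted(rep.items()):
        alerts = ", ".join(f"{describe_alert(n)} x{c}" for n, c in sorted(e["alerts"].items()))
        print(f"{host:28} attempts={e['attempts']} alerts={alerts or 'none'} ips={sorted(e['ips'])}")
    print("peers that rejected our certificate:", clients_rejecting_our_cert(rep))
```

Run against a real mail log with `summarize_tls_failures(open("/var/log/mail.log"))`; if every entry in the report comes from one sender's hosts while other senders complete STARTTLS, the evidence points at that sender's client-side trust configuration rather than at the local certificate, which is the conclusion the thread reaches.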