Hello, hope you'll be able to help me again. I'm having problems with a Postfix (2.8.5) not being able to send e-mail to a domain because the server certificate is untrusted and the TLS policy is set to "verify". It used to work, but the certificate of the site has changed.
The domain in question is sdz-rhein-ruhr.de; its MX hosts are published in the DNS as:

  10 mx16a.antispameurope.com
  20 mx16b.antispameurope.com
  30 mx16c.antispameurope.com
  40 mx16d.antispameurope.com

I performed

  echo QUIT | openssl s_client \
    -connect mx16a.antispameurope.com:25 -starttls smtp \
    -showcerts 2>&1 | tee mx16a.antispameurope.com.txt

and extracted the server certificate as well as the intermediate CA certificate (the root CA certificate is not presented by the server). The certificate chain documented by s_client is as follows:

  Certificate chain
   0 s:/C=DE/O=antispameurope GmbH/OU=IT/ST=NDS/L=Hannover/emailAddress=hofm...@antispameurope.com/CN=*.antispameurope.com
     i:/C=DE/O=T-Systems International GmbH/OU=T-Systems Trust Center/ST=Nordrhein Westfalen/postalCode=57250/L=Netphen/streetAddress=Untere Industriestr. 20/CN=TeleSec ServerPass DE-2
   1 s:/C=DE/O=T-Systems International GmbH/OU=T-Systems Trust Center/ST=Nordrhein Westfalen/postalCode=57250/L=Netphen/streetAddress=Untere Industriestr. 20/CN=TeleSec ServerPass DE-2
     i:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2

I had neither the intermediate CA certificate nor the root CA certificate in the Postfix CA certificate store, so I downloaded the root CA certificate from https://www.telesec.de/de/public-key-infrastruktur/support/root-zertifikate/category/58-deutsche-telekom-root-ca-2, converted it to PEM format, verified that the intermediate CA certificate verifies against it, stuck both the intermediate CA certificate and the root CA certificate into the Postfix CApath, and then called c_rehash on that directory.
An "openssl verify" on the server certificate works:

  root@host:~# postconf smtp_tls_CApath
  smtp_tls_CApath = /etc/postfix/cacerts
  root@host:~# openssl verify -CApath /etc/postfix/cacerts \
      mx16a.antispameurope.com.cert.pem
  mx16a.antispameurope.com.cert.pem: OK

But the Postfix smtp client fails to verify:

  postfix/qmgr[4502]: 324F260010: from=<root>, size=627, nrcpt=1 (queue active)
  postfix/smtp[4535]: setting up TLS connection to mx16a.antispameurope.com[94.100.134.100]:25
  postfix/smtp[4535]: mx16a.antispameurope.com[94.100.134.100]:25: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL"
  postfix/smtp[4535]: looking for session smtp:94.100.134.100:25:mx-gate28-dus.antispameurope.com&p=1&c=ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL in smtp cache
  postfix/tlsmgr[4508]: lookup smtp session id=smtp:94.100.134.100:25:mx-gate28-dus.antispameurope.com&p=1&c=ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL
  postfix/smtp[4535]: mx16a.antispameurope.com[94.100.134.100]:25: certificate verification depth=2 verify=1 subject=/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
  postfix/smtp[4535]: mx16a.antispameurope.com[94.100.134.100]:25: certificate verification depth=1 verify=0 subject=/C=DE/O=T-Systems International GmbH/OU=T-Systems Trust Center/ST=Nordrhein Westfalen/postalCode=57250/L=Netphen/streetAddress=Untere Industriestr. 20/CN=TeleSec ServerPass DE-2
  postfix/smtp[4535]: CA certificate verification failed for mx16a.antispameurope.com[94.100.134.100]:25: num=7:certificate signature failure
  postfix/smtp[4535]: mx16a.antispameurope.com[94.100.134.100]:25: certificate verification depth=1 verify=1 subject=/C=DE/O=T-Systems International GmbH/OU=T-Systems Trust Center/ST=Nordrhein Westfalen/postalCode=57250/L=Netphen/streetAddress=Untere Industriestr. 20/CN=TeleSec ServerPass DE-2
  postfix/smtp[4535]: mx16a.antispameurope.com[94.100.134.100]:25: certificate verification depth=0 verify=0 subject=/C=DE/O=antispameurope GmbH/OU=IT/ST=NDS/L=Hannover/emailAddress=hofm...@antispameurope.com/CN=*.antispameurope.com
  postfix/smtp[4535]: mx16a.antispameurope.com[94.100.134.100]:25: certificate verification depth=0 verify=1 subject=/C=DE/O=antispameurope GmbH/OU=IT/ST=NDS/L=Hannover/emailAddress=hofm...@antispameurope.com/CN=*.antispameurope.com
  postfix/smtp[4535]: save session smtp:94.100.134.100:25:mx-gate28-dus.antispameurope.com&p=1&c=ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL to smtp cache
  postfix/tlsmgr[4508]: put smtp session id=smtp:94.100.134.100:25:mx-gate28-dus.antispameurope.com&p=1&c=ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL [data 2276 bytes]
  postfix/tlsmgr[4508]: write smtp TLS cache entry smtp:94.100.134.100:25:mx-gate28-dus.antispameurope.com&p=1&c=ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL: time=1422952827 [data 2276 bytes]
  postfix/smtp[4535]: Untrusted TLS connection established to mx16a.antispameurope.com[94.100.134.100]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
  postfix/smtp[4535]: 324F260010: Server certificate not trusted

Since it's set to "verify", it then attempts the next MX host, with the same result, and so on, and in the end the e-mail is deferred. I'm puzzled and would really appreciate any help.

Cheers,
Tobias