On Fri, Aug 04, 2017 at 12:31:53PM +0530, hyndavirap...@bel.co.in wrote:

> >> Can you help me to solve this problem
> >
> > Not without the requested logging, and copy of the server and CA
> > certificates.
>
> TLS logging is as below,
>
> Aug 4 11:52:29 AHQ postfix/smtp[11652]: 201.123.1.4[201.123.1.4]:25:
> certificate verification depth=1 verify=1

Your nexthop domain is "201.123.1.4"; what is the verbatim entry in
the transport table that makes it so?

> Aug 4 11:52:29 AHQ postfix/smtp[11652]: 201.123.1.4[201.123.1.4]:25:
> subject_CN=1CorpHQ/emailaddress=1corphq_smtp_ad...@tcs.mil.in,

The subject CN is:

    subject_CN=1CorpHQ/emailaddress=1corphq_smtp_ad...@tcs.mil.in

not "1CorpHQ"!  That "/emailaddress" is, despite appearances to the
contrary, part of the subject CN and not a separate RDN component.

> issuer_CN=CA/emailAddress=ca_ad...@bel.co.in,

Ditto here, though that is not a problem.

> Aug 4 11:52:29 AHQ postfix/smtp[11652]: Trusted TLS connection
> established to 201.123.1.4[201.123.1.4]:25: TLSv1.2 with cipher
> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

The certificate chain is valid, but the name does not match.

> tls_policy entry is given below
>
> [201.123.1.4]:25 secure match=1CorpHQ

Do make sure that the transport table entry is:

    1CorpHQ.tcs.mil.in smtp:[201.123.1.4]:25

and not some variant.  On the other hand, I would have gone with just:

    transport:
        1CorpHQ.tcs.mil.in smtp:[201.123.1.4]

    tls_policy:
        [201.123.1.4] secure match=1CorpHQ

i.e. leave off the implicit ":25" in both.

Of course your real problem is the "/emailaddress=..." in the subject
CN.  You posted only the text form of the certificate; the evidence
would have been more conclusive with the actual PEM certificate
included.

-- 
	Viktor.
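The point Viktor makes above, that "/emailaddress=..." is literally part of the commonName value rather than a second RDN, is easiest to see at the DER level. The following is an added example, not code from the thread or from the Postfix project: it builds two X.509 subject Names with a minimal DER encoder (a correctly issued one with separate CN and emailAddress RDNs, and one where the whole DN string was typed into the CN), decodes them back, and applies a simplified model of the exact, case-insensitive CN comparison that a Postfix tls_policy entry of `secure match=1CorpHQ` performs. Standard library only; the e-mail addresses, the `cn_looks_stuffed` check and the `secure_match` model are this example's own constructions (real Postfix prefers subjectAltName dNSName entries when the certificate has them).

```python
# Added example (not code from the Postfix thread or the Postfix project):
# encode two X.509 subject Names in DER, decode them back, and apply an
# exact, case-insensitive CN match like Postfix's "secure match=1CorpHQ".
# Python 3 standard library only; e-mail addresses are constructed placeholders.

OID_CN = "2.5.4.3"                  # id-at-commonName
OID_EMAIL = "1.2.840.113549.1.9.1"  # pkcs-9 emailAddress


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]            # least significant 7 bits first
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(groups))  # emit most significant group first
    return _tlv(0x06, body)


def encode_name(rdns):
    """rdns: list of (oid, value) pairs, one attribute per RDN, in order.
    Name ::= SEQUENCE OF SET OF SEQUENCE { OID, value }."""
    out = b""
    for oid, value in rdns:
        tag = 0x16 if oid == OID_EMAIL else 0x0C   # IA5String vs UTF8String
        atv = _tlv(0x30, _encode_oid(oid) + _tlv(tag, value.encode("utf-8")))
        out += _tlv(0x31, atv)
    return _tlv(0x30, out)


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                 # last group of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_name(der):
    """Return the Name as a list of (oid, value) pairs (single-valued RDNs only)."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        _, rdn, pos = _read_tlv(body, pos)   # SET
        _, atv, _ = _read_tlv(rdn, 0)        # SEQUENCE
        _, oid, nxt = _read_tlv(atv, 0)      # OBJECT IDENTIFIER
        _, val, _ = _read_tlv(atv, nxt)      # string value
        rdns.append((_decode_oid(oid), val.decode("utf-8")))
    return rdns


def secure_match(rdns, match_names):
    """Simplified model of Postfix 'secure' name matching: the CN must equal one
    of the match= names, case-insensitively; a name with a leading '.' matches
    any subdomain.  Returns the matched CN or None.  CN only; no SAN handling."""
    for cn in [v for o, v in rdns if o == OID_CN]:
        for name in match_names:
            if name.startswith("."):
                if cn.lower().endswith(name.lower()):
                    return cn
            elif cn.lower() == name.lower():
                return cn
    return None


def cn_looks_stuffed(cn):
    """Flag a CN containing a '/attr=' fragment: a whole DN string was typed
    into the commonName when the CSR was generated."""
    return "/" in cn and "=" in cn.split("/", 1)[1]


# Constructed subject Names: what the CA should have issued, and the shape
# that the thread's "subject_CN=1CorpHQ/emailaddress=..." log line reveals.
PROPER = encode_name([(OID_CN, "1CorpHQ"), (OID_EMAIL, "smtp-admin@example.invalid")])
STUFFED = encode_name([(OID_CN, "1CorpHQ/emailaddress=smtp-admin@example.invalid")])

if __name__ == "__main__":
    for label, der in (("proper", PROPER), ("stuffed", STUFFED)):
        rdns = decode_name(der)
        cn = [v for o, v in rdns if o == OID_CN][0]
        print(label, rdns, "match:", secure_match(rdns, ["1CorpHQ"]),
              "stuffed CN:", cn_looks_stuffed(cn))
```

On a real certificate the same distinction is visible with `openssl x509 -noout -subject -nameopt RFC2253`: the RFC 2253 form separates RDNs with commas, so a "/" that survives inside the CN value is shown as part of that value instead of looking like the oneline format's RDN separator.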