On Mon, December 21, 2020 12:30, James B. Byrne wrote:
> I have gotten to the point that the keystore used by the jetty application is
> properly configured:
>
> JAVA_VERSION="12" java
> -Djavax.net.ssl.trustStore=/opt/idempiere/idempiere-server/jettyhome/etc/keystore
> -Djavax.net.ssl.trustStorePassword=testing SSLPoke mx32.harte-lyne.ca 465
> Successfully connected
>
> This means that the server's certificate is properly recognized by the client
> host.
>
> However, we nonetheless get this error from Postfix when we send a test email
> through the application:
>
> Dec 21 12:25:21 mx32 postfix-p25/smtpd[62565]: warning: TLS library problem:
> error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate
> unknown:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert
> number 46:
> Dec 21 12:25:21 mx32 postfix-p25/smtpd[62565]: lost connection after STARTTLS
> from accounting-2.internal.harte-lyne.ca[192.168.216.88]
>
> I believe that this is telling me that the application is attempting to
> establish an SSL connection using STARTTLS. However, the error referencing the
> certificate is mystifying to me.
>
> Can someone explain to me what this error means?
>
Let me guess. We do not allow SSLv3. The application uses SSLv3.
Our settings:
smtpd_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, !SSLv3, !SSLv2
smtpd_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, !SSLv3, !SSLv2
And submission requires encryption:
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
So no fallback is possible, if this is the problem.
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Unencrypted messages have no legal claim to privacy
Do NOT open attachments nor follow links sent by e-Mail
James B. Byrne mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
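As an added example, not part of the thread, here is a small Python decoder for the Postfix "TLS library problem" warning quoted above. It unpacks the OpenSSL error code (library/function/reason) and shows that the "sslv3 alert certificate unknown" text names a TLS alert (number 46, certificate_unknown) that the remote end sent to smtpd, which tells a defender which side's trust configuration to inspect. The error-code layout and alert numbers are from OpenSSL and RFC 5246; the sample log lines are copied from the post and labelled as such.

```python
import re

# Layout of an OpenSSL packed error code (ERR_PACK): top 8 bits are the
# library, next 12 the function, low 12 the reason.  When the peer sends a
# TLS alert, OpenSSL reports it as reason SSL_AD_REASON_OFFSET + alert number,
# with a reason string of the form "sslv3 alert ..." for TLS connections too.
SSL_AD_REASON_OFFSET = 1000
ERR_LIB_SSL = 20

# TLS AlertDescription values (RFC 5246 / RFC 8446), handshake-related subset.
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    51: "decrypt_error", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 112: "unrecognized_name",
}

# Matches the OpenSSL error string Postfix logs after "TLS library problem:".
TLS_WARN_RE = re.compile(
    r"TLS library problem: error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*)"
)

def decode_openssl_error(code):
    """Split a packed OpenSSL error code into (library, function, reason)."""
    return code >> 24, (code >> 12) & 0xFFF, code & 0xFFF

def explain_tls_warning(line):
    """Parse one Postfix smtpd 'TLS library problem' line; None if it is not one."""
    m = TLS_WARN_RE.search(line)
    if not m:
        return None
    lib, func, reason = decode_openssl_error(int(m["code"], 16))
    info = {"library": lib, "function": func, "reason": reason,
            "function_name": m["func"], "reason_text": m["reason"],
            "peer_alert": None, "alert_name": None}
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        # The alert was *received*: the remote end rejected something, so the
        # certificate it objects to is the one this smtpd presented to it.
        alert = reason - SSL_AD_REASON_OFFSET
        info["peer_alert"] = alert
        info["alert_name"] = TLS_ALERTS.get(alert, "unknown_alert_%d" % alert)
    return info

# Sample input copied from the post (the second line carries no OpenSSL error).
SAMPLE_LINES = [
    "Dec 21 12:25:21 mx32 postfix-p25/smtpd[62565]: warning: TLS library problem: "
    "error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:"
    "/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46:",
    "Dec 21 12:25:21 mx32 postfix-p25/smtpd[62565]: lost connection after STARTTLS "
    "from accounting-2.internal.harte-lyne.ca[192.168.216.88]",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(explain_tls_warning(line))
```

Run against a full mail log, the decoder separates locally detected failures from alerts the other side sent, so a certificate_unknown line points at the client's trust store rather than at the server's protocol list.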