On Tue, Dec 22, 2020 at 02:26:08PM -0500, James B. Byrne wrote:

> > Your suspicions are unfounded. The client is rejecting the server's
> > certificate chain with a fatal certificate unknown alert. That's the
> > issue to fix. All else is distraction.
>
> After reviewing Postfix logs with smtpd_tls_logging turned up to 3 I arrived at
> the same conclusion a little while ago. I am just bereft of ideas as to how to
> proceed at the moment.
There's nothing further you can learn on the Postfix side of things, the only
actionable information available is that the client is unable to verify the
server's certificate chain. Assuming the server is returning a sufficiently
complete chain (including all requisite intermediate certs), all further
debugging is entirely a client-side problem, with whatever diagnostic tools and
logging are available there. There is nothing further that Postfix can do for
you.

Though mostly unlikely, one last thing to consider is whether the client in
question has (possibly broken) DANE support. If the server in question has DANE
TLSA records like your public MX hosts:

harte-lyne.ca. IN MX 70 mx31.harte-lyne.ca.
harte-lyne.ca. IN MX 80 mx32.harte-lyne.ca.
harte-lyne.ca. IN MX 90 mx131.harte-lyne.ca.
harte-lyne.ca. IN MX 100 mx132.harte-lyne.ca.
harte-lyne.ca. IN MX 200 mx118.harte-lyne.ca.
harte-lyne.ca. IN MX 200 mx119.harte-lyne.ca.

mx31.harte-lyne.ca. IN A 216.185.71.31
mx31.harte-lyne.ca. IN AAAA ?
_25._tcp.mx31.harte-lyne.ca. IN CNAME _tlsa._dane.trust.harte-lyne.ca.
_tlsa._dane.trust.harte-lyne.ca. IN TLSA 2 0 2 67274b355428905895c6b581950e0ed4f7d043f31f7e7020b716b7faa06776b6aadd33e127624b6e8c75c520a01d9cad3bd29f18fa7dcb3d5fd3917510e6722a
_tlsa._dane.trust.harte-lyne.ca. IN TLSA 2 1 2 380259229e21a1946b38cfc594cbc993b61bc93762b7b6c6637b3eef9c5a2bb70c589b91beb73bd1304eac11b3917e33819e2b47d25d4966435a2a3e83c1f80f
_tlsa._dane.trust.harte-lyne.ca. IN TLSA 2 1 2 c26e0ec16a46a97386e8f31f8ecc971f2d73136aa377dfdaac2b2b00f7cab4bb29b17d913c82093b41fd0d9e40b66a68361c126f1f4017f9ce60eabc5adba90e

mx32.harte-lyne.ca. IN A 216.185.71.32
mx32.harte-lyne.ca. IN AAAA ?
_25._tcp.mx32.harte-lyne.ca. IN CNAME _tlsa._dane.trust.harte-lyne.ca.

mx131.harte-lyne.ca. IN A 216.185.71.131
mx131.harte-lyne.ca. IN AAAA ?
_25._tcp.mx131.harte-lyne.ca. IN CNAME _tlsa._dane.trust.harte-lyne.ca.

mx132.harte-lyne.ca. IN A 216.185.71.132
mx132.harte-lyne.ca. IN AAAA ?
_25._tcp.mx132.harte-lyne.ca. IN CNAME _tlsa._dane.trust.harte-lyne.ca.

mx118.harte-lyne.ca. IN A 216.185.71.118
mx118.harte-lyne.ca. IN AAAA ?
_25._tcp.mx118.harte-lyne.ca. IN CNAME _tlsa._dane.trust.harte-lyne.ca.

mx119.harte-lyne.ca. IN A 216.185.71.119
mx119.harte-lyne.ca. IN AAAA ?
_25._tcp.mx119.harte-lyne.ca. IN CNAME _tlsa._dane.trust.harte-lyne.ca.

Perhaps the client is failing to verify those. I'm not aware of any mainstream
Java Mail implementations that support DANE (correctly or otherwise), but
perhaps some are now becoming available.

-- 
Viktor.
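An added example, not from this thread or from Postfix, of the digest-matching step a DANE-aware client performs against TLSA records of the "2 0 2" / "2 1 2" form shown above; it is also a quick way for a server operator to confirm that the published records still match the chain actually being served. The certificate bytes are constructed placeholders standing in for real DER, with the SubjectPublicKeyInfo assumed to be pre-extracted.

```python
import hashlib
from typing import List, NamedTuple, Optional, Tuple

class TLSA(NamedTuple):
    usage: int     # 2 = DANE-TA (trust anchor), 3 = DANE-EE (end entity)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes

class Cert(NamedTuple):
    der: bytes   # DER of the whole certificate
    spki: bytes  # DER of its SubjectPublicKeyInfo, pre-extracted (no ASN.1 parsing here)

def parse_tlsa(rdata: str) -> TLSA:
    # Presentation form as in a zone file, e.g. "2 1 2 380259...".
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", "")))

def usable(rr: TLSA) -> bool:
    # RFC 7672: PKIX usages 0/1 and unknown parameters make a record unusable (skipped, not a failure).
    return rr.usage in (2, 3) and rr.selector in (0, 1) and rr.mtype in (0, 1, 2)

def association_data(rr: TLSA, cert: Cert) -> bytes:
    selected = cert.der if rr.selector == 0 else cert.spki
    if rr.mtype == 0:
        return selected
    return (hashlib.sha256 if rr.mtype == 1 else hashlib.sha512)(selected).digest()

def dane_match(chain: List[Cert], rrset: List[TLSA]) -> Optional[Tuple[int, int]]:
    # chain[0] is the leaf, chain[1:] the issuers the server sent. Digest match only:
    # a DANE-TA(2) hit also needs a valid leaf-to-anchor path and a name check.
    for rr in rrset:
        if not usable(rr):
            continue
        if rr.usage == 3 and association_data(rr, chain[0]) == rr.data:
            return (3, 0)
        if rr.usage == 2:
            for i, cert in enumerate(chain[1:], start=1):
                if association_data(rr, cert) == rr.data:
                    return (2, i)
    return None

# Constructed sample "certificates": opaque bytes standing in for real DER.
LEAF = Cert(der=b"constructed-leaf-cert", spki=b"constructed-leaf-spki")
ISSUER = Cert(der=b"constructed-issuer-cert", spki=b"constructed-issuer-spki")
CHAIN = [LEAF, ISSUER]
# Records for the constructed chain: a live "2 1 2" for ISSUER's key, a stale "2 0 2", a PKIX-TA(1).
TA_RR = "2 1 2 " + hashlib.sha512(ISSUER.spki).hexdigest()
STALE_RR = "2 0 2 " + hashlib.sha512(b"constructed-old-issuer-cert").hexdigest()
UNUSABLE_RR = "1 0 1 " + "00" * 32
```

`dane_match(CHAIN, [parse_tlsa(STALE_RR), parse_tlsa(TA_RR)])` returns `(2, 1)`, while a set holding only the stale and the PKIX-TA(1) record returns `None`, which is the situation that ends in a client-side verification failure.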