On Wed, Jan 19, 2022 at 03:22:36PM -0500, Wayne Spivak wrote:

> I set the server back, because otherwise my email wasn't working properly.

And for some reason decided to not explain (show logs, ...) of what
"not working properly" means. :-(  Crystal ball very cloudy on my end...

> smtp_tls_CAfile = /etc/postfix/tls/ChainBundle.pem
> smtp_tls_CApath = /etc/postfix/tls/
> smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
> smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
> smtp_tls_security_level = may

Add:

    smtp_tls_loglevel = 1

> smtpd_tls_cert_file = /etc/postfix/tls/ServerCert-combined.pem

This file contains just the server certificate.  Did you append the
(PEM formatted) issuer certificate(s)?

> smtp      inet  n       -       n       -       -       smtpd
> submission inet n       -       n       -       -       smtpd
>   -o syslog_name=postfix/submission
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated
>   -o milter_macro_daemon_name=ORIGINATING

The client restrictions are missing a default deny, so are basically a
slower variant of "permit".  And you don't reset the other restrictions.
Start with the stock templates:

    submission inet n       -       n       -       -       smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_tls_auth_only=yes
      -o smtpd_reject_unlisted_recipient=no
      -o smtpd_client_restrictions=$mua_client_restrictions
      -o smtpd_helo_restrictions=$mua_helo_restrictions
      -o smtpd_sender_restrictions=$mua_sender_restrictions
      -o smtpd_recipient_restrictions=
      -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING
    smtps     inet  n       -       n       -       -       smtpd
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_reject_unlisted_recipient=no
      -o smtpd_client_restrictions=$mua_client_restrictions
      -o smtpd_helo_restrictions=$mua_helo_restrictions
      -o smtpd_sender_restrictions=$mua_sender_restrictions
      -o smtpd_recipient_restrictions=
      -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING

> [root@mcq postfix]# openssl crl2pkcs7 -nocrl -certfile $(postconf -xh smtpd_tls_cert_file) |
>     openssl pkcs7 -print_certs -noout |
>     grep subject=
> subject=C = US, ST = New York, L = Bellmore, O = SBA Consulting LTD, CN = mcq.sbanetweb.com

Just the one certificate.  You need to append the intermediate CA
certificates.  PEM format, each starts with "-----BEGIN CERTIFICATE-----"
line and ends with an "-----END CERTIFICATE-----" line.  In my case:

    # grep '^---' /...full-path.../combo.pem
    -----BEGIN PRIVATE KEY-----
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----

-- 
    Viktor.
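
Added example, not part of the original message: a small Python check for the combined-file layout described above. It parses the PEM blocks in a file's text and reports when the issuer certificates have not been appended. The function names and the sample blocks are constructed for illustration; the sample bodies are placeholder bytes, not real keys or certificates.

```python
import base64
import binascii
import re

BOUNDARY = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----\s*$")  # PEM boundary line

def pem_blocks(text):
    """Return (blocks, problems); blocks is a list of (label, der_bytes)."""
    blocks, problems, label, body = [], [], None, []
    for n, line in enumerate(text.splitlines(), 1):
        m = BOUNDARY.match(line)
        if not m:
            body.append(line.strip())  # text outside a block is dropped at the next BEGIN
            continue
        kind, name = m.groups()
        if kind == "BEGIN":
            if label is not None:
                problems.append(f"line {n}: BEGIN {name} inside unterminated {label}")
            label, body = name, []
            continue
        if label != name:
            problems.append(f"line {n}: END {name} without matching BEGIN")
        else:
            try:
                blocks.append((name, base64.b64decode("".join(body), validate=True)))
            except binascii.Error:
                problems.append(f"line {n}: {name} body is not valid base64")
        label = None
    if label is not None:
        problems.append(f"unterminated {label} block at end of file")
    return blocks, problems

def check_cert_file(text):
    """List problems that would leave the server sending an incomplete chain."""
    blocks, problems = pem_blocks(text)
    certs = [der for name, der in blocks if name == "CERTIFICATE"]
    if len(certs) < 2:
        problems.append(f"{len(certs)} certificate(s): issuer (intermediate CA) certificates not appended")
    # A DER-encoded certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    problems += [f"certificate {i} is not a DER SEQUENCE" for i, der in enumerate(certs, 1) if der[:1] != b"\x30"]
    return problems

def _pem(label, der):  # builds constructed placeholder blocks for the samples below
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

FAKE_DER = b"\x30\x03\x02\x01\x00"  # constructed stand-in, not a real certificate
LEAF_ONLY = _pem("CERTIFICATE", FAKE_DER)  # server certificate only
COMBO = _pem("PRIVATE KEY", FAKE_DER) + _pem("CERTIFICATE", FAKE_DER) * 3  # key, leaf, two issuers
```

This checks layout only; whether the appended certificates are the right issuers is a separate question, and the openssl pipeline quoted in the message lists the subject of each certificate in the file.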