Thank you. It’s appreciated. I’ll work on the other issue and see if I can solve it.
Regards, Wayne Wayne Spivak SBA.NET.WEB A div of SBA * Consulting LTD Tel LI: +1 (516) 221-3306 NY Tel: +1 (212) 487-5085 Tel CT: +1-860-760-0250 Fax: +1 (516) 387-1184 mailto:[email protected] http://www.sbaconsulting.com LinkedIn: http://LinkedIn.com/in/WayneSpivak Twitter: @SBAConsult Skype: SBAConsult Sent from my iPhone; typos expected and endorsed by Apple > On Jan 19, 2022, at 5:32 PM, Viktor Dukhovni <[email protected]> > wrote: > > On Wed, Jan 19, 2022 at 05:07:38PM -0500, Wayne Spivak wrote: > >> That was the solution for TLS failing when I start postfix: >> >> perl -lne print file1 file2 file3 > > And now your server has the intermediate issuer in its chain, and > verification works: > > posttls-finger: mcq.sbanetweb.com[96.224.250.24]:25: matched peername: > mcq.sbanetweb.com > posttls-finger: mcq.sbanetweb.com[96.224.250.24]:25: > subject_CN=mcq.sbanetweb.com, issuer_CN=Entrust Certification Authority - > L1K, > fingerprint=1E:69:25:44:74:52:B4:C5:AA:C4:9F:7C:E8:F7:0B:96:A7:35:A9:F6:60:1F:D4:07:30:CD:B3:6B:99:69:88:EC, > > pkey_fingerprint=89:F7:3F:9B:2F:6F:F1:51:7B:4E:4C:CD:D5:5D:CB:C7:CE:CA:75:C9:CF:D8:73:EB:08:D2:71:1A:48:8E:FC:CD > posttls-finger: Verified TLS connection established to > mcq.sbanetweb.com[96.224.250.24]:25: TLSv1.3 with cipher > TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature > RSA-PSS (2048 bits) server-digest SHA256 > >> [root@mcq postfix]# posttls-finger -cC -lsecure '[mcq.sbanetweb.com]' > > This does not use any trust-anchor certs, so verification is sure to > fail when the intermediate issuer can't be verified. This is expected > and normal. You'd need to specify a CAfile ("-F CAfile" option), but > that's not necessary, it works. > >> posttls-finger: warning: DNSSEC validation may be unavailable >> posttls-finger: warning: reason: dnssec_probe 'ns:.' received a response >> that is not DNSSEC validated > > Your resolver is not a validating resolver. This is harmless if you're > not using DANE. > >> posttls-finger: certificate verification failed for >> mcq.sbanetweb.com[96.224.250.24]:25: untrusted issuer /C=US/O=Entrust, >> Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for >> authorized use only/CN=Entrust Root Certification Authority - G2 > > As expected. You're all set. > >> I'm also getting an error on submission in the log, Error is no such >> file/directory. > > Start a new thread and post all relevant logs and configuration details. > > -- > Viktor.
