On Thu, Feb 03, 2022 at 08:24:07AM -0500, Martin Hicks wrote:

> There is an smtp server that is trying to send e-mail to my
> domain, but with an expired certificate:

At this point, what's needed to help you are outputs from "postconf -nf"
and "postconf -Mf" (verbatim with no changes in whitespace), posted to
the list, not a "pastebin".

> Feb 2 11:20:52 darwin postfix/smtpd[9181]: connect from
> r114.mail.aircanada.com[172.82.216.114]
> Feb 2 11:20:52 darwin postfix/smtpd[9181]: SSL_accept error from
> r114.mail.aircanada.com[172.82.216.114]: -1
> Feb 2 11:20:52 darwin postfix/smtpd[9181]: warning: TLS library problem:
> error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate
> expired:../ssl/record/rec_layer_s3.c:1544:SSL alert number 45:
> Feb 2 11:20:52 darwin postfix/smtpd[9181]: lost connection after STARTTLS
> from r114.mail.aircanada.com[172.82.216.114]
> Feb 2 11:20:52 darwin postfix/smtpd[9181]: disconnect from
> r114.mail.aircanada.com[172.82.216.114] ehlo=1 starttls=0/1 commands=1/2

As noted by Bastian Blank, this looks more like the remote client
reporting the expiration of your certificates, though it is possible
that what's expired is some trust-anchor in that client's list of
trusted CAs that it associates with your certs.

A quick connection to your server shows:

    Not Before: Jan 7 04:13:32 2022 GMT
    Not After : Apr 7 04:13:31 2022 GMT
    Subject: CN=darwin.bork.org

    Not Before: Sep 4 00:00:00 2020 GMT
    Not After : Sep 15 16:00:00 2025 GMT
    Subject: C=US, O=Let's Encrypt, CN=R3

    Not Before: Jan 20 19:14:03 2021 GMT
    Not After : Sep 30 18:14:03 2024 GMT
    Subject: C=US, O=Internet Security Research Group, CN=ISRG Root X1

None of these are expired. Unless you have other certificate chains
configured via SNI (possibly expired), the problem could be entirely on
the sender (client) side.

> Is there a way to configure postfix to accept a TLS connection, despite
> the expired certificate? I looked at smtp_tls_policy, but is that only
> for outbound smtp configuration?

Typically, on port 25 client certificates are not requested, and thus
never sent, so you'd never see any, expired or otherwise.

Even if you request client certs, you'd use "ask_ccert" not "req_ccert"
and expired certificates would still be accepted.

> I tried getting more info about the certificate, but even with
> smtpd_tls_loglevel=2 I don't actually get a copy of the certificate
> printed in the logs. I'm also not able to query the certificate from
> these servers using `openssl s_client`.

The servers in question appear to be operated by Adobe on behalf of
aircanada, as a SaaS B2C email platform. They probably aren't inbound
SMTP servers, that duty likely falls on other machines, with a
different configuration, and their certificate chains are not
necessarily illuminating.

-- 
Viktor.
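The point of the reply is that "ssl3_read_bytes ... SSL alert number 45" is an alert Postfix *received*: the remote client is rejecting our chain, not presenting an expired one. The following script is an added example, not part of this thread or of Postfix; it correlates Postfix smtpd log lines by process id (one smtpd serves one client at a time) and tallies received TLS alerts per remote client. The log sample is constructed after the excerpt above, and the second client (mx.example.test) is invented.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the thread's log excerpt (not real traffic).
# Postfix logs "connect from" on its own line; the [pid] is the correlation key.
SAMPLE_LOG = """\
Feb  2 11:20:52 darwin postfix/smtpd[9181]: connect from r114.mail.aircanada.com[172.82.216.114]
Feb  2 11:20:52 darwin postfix/smtpd[9181]: SSL_accept error from r114.mail.aircanada.com[172.82.216.114]: -1
Feb  2 11:20:52 darwin postfix/smtpd[9181]: warning: TLS library problem: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:../ssl/record/rec_layer_s3.c:1544:SSL alert number 45:
Feb  2 11:20:52 darwin postfix/smtpd[9181]: lost connection after STARTTLS from r114.mail.aircanada.com[172.82.216.114]
Feb  2 11:21:10 darwin postfix/smtpd[9182]: connect from mx.example.test[192.0.2.10]
Feb  2 11:21:10 darwin postfix/smtpd[9182]: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1544:SSL alert number 48:
Feb  2 11:21:10 darwin postfix/smtpd[9182]: lost connection after STARTTLS from mx.example.test[192.0.2.10]
"""

# TLS AlertDescription values, RFC 5246 section 7.2 (subset).
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
}

LINE_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from (?P<client>\S+)")
ALERT_RE = re.compile(r"TLS library problem: .*?SSL routines:(?P<func>[^:]+):.*SSL alert number (?P<num>\d+)")


def summarize_tls_alerts(log_text):
    """Return {client: Counter({alert_description: count})} for smtpd TLS alerts."""
    current_client = {}            # pid -> client that smtpd process is serving now
    result = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        c = CONNECT_RE.match(msg)
        if c:
            current_client[pid] = c.group("client")
            continue
        a = ALERT_RE.search(msg)
        if not a:
            continue
        name = TLS_ALERTS.get(int(a.group("num")), "alert_" + a.group("num"))
        # ssl3_read_bytes: the alert was in a record we read, i.e. the peer sent it,
        # so the remote client is the one rejecting our certificate chain.
        direction = "received from peer" if a.group("func") == "ssl3_read_bytes" else "local"
        result[current_client.get(pid, "unknown-client")][f"{name} ({direction})"] += 1
    return result
```

A spike of "certificate_expired (received from peer)" across many clients points at our own chain or its trust anchor; the same alert from a single sender, with `openssl s_client -starttls smtp` showing valid dates, points at that sender's trust store.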