Re: [mailop] TLS verify=FAIL

Wed, 13 Apr 2016 15:42:34 -0700 

Hi Robert,

I'm one of the developers of Haraka.
verify=FAIL simply means that the TLS certificate presented by the peer host could not be verified as trusted by a CA. In the case of an MUA (which this appears to be), it would be normal as an MUA does not usually present client TLS certificates, so this would always be expected to fail verification because we have no certificate to verify against, so I changed this in the latest alpha say verify=NO meaning we couldn't verify the certificate as one wasn't presented. 

Your logs will provide more information e.g.:
haraka[1124]: [INFO] [E11963C4-DB93-4F29-BC81-E066E3D3D369] [defendermx/tls] secured: cipher=ECDHE-RSA-AES256-SHA38 4 version=TLSv1/SSLv3 verified=false error="Error: unable to get issuer certificate"
haraka[12586]: [INFO] [60ACFC0C-7DD8-4A3C-85F7-ED21F673E23F] [defendermx/tls] secured: cipher=ECDHE-RSA-AES128-GCM-SHA256 version=TLSv1/SSLv3 verified=true cn="smtp.gmail.com" organization="Google Inc" issuer="Google Inc" expires="Oct 12 00:00:00 2016 GMT" fingerprint=41:D4:85:E1:FC:1B:1D:3A:2D:60:E3:51:AB:E6:4A:A4:52:D8:CF:00 

In short - it's really nothing to be concerned with.

Kind regards,
Steve.


On 13/04/16 22:56, Robert Guthrie via mailop.org wrote:

Hello List,
I wonder if someone could tell me about the verify=FAIL messages I'm seeing in email headers sent from my SMTP's. 
Received: fromloomio.io <http://loomio.io>  (errbit.loomio.org 
<http://errbit.loomio.org>  [45.55.128.240])
        bysmtp.loomio.io <http://smtp.loomio.io>  (Haraka/2.8.0-alpha.7) with 
ESMTPSA id 632790F7-CF56-4481-ACBA-2CBACE7EB8BB.1
        envelope-from <err...@loomio.io <mailto:err...@loomio.io>> 
(authenticated bits=0)
        (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384*verify=FAIL*);
        Wed, 13 Apr 2016 21:05:59 +0000
If I'm seeing this, is there something I can or should do to resolve this?
Sometimes I see verify=NO also.


_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop



_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Reply via email to