On Fri, Dec 27, 2013 at 12:59:11PM -0600, Bobber wrote:
> I recently upgraded my company's mail server to 64-bit Debian Wheezy. I
> am using the OpenSSL package which is version 1.0.1e-2.
>
> I am having problems when trying to send a message to one of our
> business partners. The SMTP session appears to shut down and it
> appears that my server is rejecting their certificate.
>
> Here is the openssl command I am giving to diagnose the problem and
> its output. Can anyone suggest a solution? It appears to me that
> I may be lacking an intermediary certificate. How do I fix this if
> this is the case?
>
> > openssl s_client -CApath /etc/ssl/certs/ -crlf -starttls smtp
> >   -connect mail.thelawrencegroup.com:25
The posttls-finger(1) utility, included with Postfix 2.11 snapshot source
code, does a much better job of mail server TLS diagnostics.

Their certificate is expired. Your MTA really ought to log the error
reason. Consider a better MTA! :-)

$ posttls-finger "[mail.thelawrencegroup.com]"
posttls-finger: Connected to mail.thelawrencegroup.com[206.16.127.29]:25
posttls-finger: < 220 mail.thelawrencegroup.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at Fri, 27 Dec 2013 13:13:52 -0600
posttls-finger: > EHLO amnesiac.example
posttls-finger: < 250-mail.thelawrencegroup.com Hello [192.0.2.1]
posttls-finger: < 250-TURN
posttls-finger: < 250-SIZE
posttls-finger: < 250-ETRN
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-DSN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8bitmime
posttls-finger: < 250-BINARYMIME
posttls-finger: < 250-CHUNKING
posttls-finger: < 250-VRFY
posttls-finger: < 250-TLS
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-X-EXPS GSSAPI NTLM LOGIN
posttls-finger: < 250-X-EXPS=LOGIN
posttls-finger: < 250-AUTH GSSAPI NTLM LOGIN
posttls-finger: < 250-AUTH=LOGIN
posttls-finger: < 250-X-LINK2STATE
posttls-finger: < 250-XEXCH50
posttls-finger: < 250 OK
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 SMTP server ready
posttls-finger: mail.thelawrencegroup.com[206.16.127.29]:25 Matched CommonName mail.thelawrencegroup.com
posttls-finger: server certificate verification failed for mail.thelawrencegroup.com[206.16.127.29]:25: certificate has expired
posttls-finger: mail.thelawrencegroup.com[206.16.127.29]:25: subject_CN=mail.thelawrencegroup.com, issuer_CN=VeriSign Class 3 Secure Server CA, fingerprint=58:83:F8:69:1B:45:53:BA:21:36:19:01:B4:C9:7A:A9:54:62:79:57, pkey_fingerprint=84:43:0D:55:D9:F8:D3:C5:59:D3:9D:33:42:B3:2E:A4:9B:FE:96:4D
posttls-finger: Untrusted TLS connection established to mail.thelawrencegroup.com[206.16.127.29]:25: unknown with cipher RC4-MD5 (128/128 bits)
posttls-finger: > EHLO amnesiac.example
posttls-finger: < 250-mail.thelawrencegroup.com Hello [192.0.2.1]
posttls-finger: < 250-TURN
posttls-finger: < 250-SIZE
posttls-finger: < 250-ETRN
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-DSN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8bitmime
posttls-finger: < 250-BINARYMIME
posttls-finger: < 250-CHUNKING
posttls-finger: < 250-VRFY
posttls-finger: < 250-X-EXPS GSSAPI NTLM LOGIN
posttls-finger: < 250-X-EXPS=LOGIN
posttls-finger: < 250-AUTH GSSAPI NTLM LOGIN
posttls-finger: < 250-AUTH=LOGIN
posttls-finger: < 250-X-LINK2STATE
posttls-finger: < 250-XEXCH50
posttls-finger: < 250 OK
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 mail.thelawrencegroup.com Service closing transmission channel

-- 
	Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
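The reply above makes two points worth having in reusable form: a STARTTLS
diagnostic should surface the verification failure reason ("certificate has
expired") instead of silently dropping the session, and it should still show
the peer certificate's fingerprint and CommonName/SAN match so the remote
admin can be told exactly which certificate is wrong. The script below is an
added example written for this thread; it is not posttls-finger, Postfix or
OpenSSL code. It uses only the Python 3.7+ standard library (it relies on
ssl.SSLCertVerificationError.verify_message). The helo name
"amnesiac.example", the sample certificate dictionary EXAMPLE_CERT and the
dates passed to it are constructed for illustration; the only network
access is in diagnose(), which is called from the __main__ guard.

```python
"""SMTP STARTTLS certificate diagnostic in the spirit of posttls-finger.

Added example for this thread, not part of the original post and not
Postfix or OpenSSL code. Host names, dates and the sample certificate
dictionary are constructed for illustration. Requires Python 3.7+.
"""
import hashlib
import smtplib
import ssl
import time

# Constructed sample in the shape SSLSocket.getpeercert() returns.
# The validity window is chosen to be expired on 27 Dec 2013.
EXAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("commonName", "Example Class 3 Secure Server CA"),),),
    "notBefore": "Dec 20 00:00:00 2012 GMT",
    "notAfter": "Dec 20 23:59:59 2013 GMT",
}


def classify_validity(cert, now=None):
    """Return 'expired', 'not yet valid' or 'valid' for a getpeercert() dict.
    `now` may be epoch seconds or a string in the dict's own
    "Dec 27 13:13:52 2013 GMT" form; defaults to the current time."""
    if now is None:
        now = time.time()
    elif isinstance(now, str):
        now = ssl.cert_time_to_seconds(now)
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now > not_after:
        return "expired"
    if now < not_before:
        return "not yet valid"
    return "valid"


def names_match(cert, hostname):
    """Hostname check: SAN dNSName entries win; the subject CommonName is
    consulted only when the certificate carries no DNS SANs (the fallback
    posttls-finger reports as "Matched CommonName")."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return hostname in sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value == hostname
    return False


def fingerprint(der_bytes, algo="sha1"):
    """Colon-separated upper-case hex digest of a DER certificate, the same
    rendering posttls-finger uses for its fingerprint= field."""
    digest = hashlib.new(algo, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def diagnose(host, port=25, helo="amnesiac.example", capath=None, timeout=15):
    """EHLO, STARTTLS with full verification, and record the reason when
    verification fails; then redo the handshake unverified so the leaf
    certificate can still be fingerprinted. Returns a result dict."""
    result = {"host": host, "verified": False, "reason": None}

    strict = ssl.create_default_context()            # system CA store
    if capath:
        strict.load_verify_locations(capath=capath)  # e.g. /etc/ssl/certs
    s = smtplib.SMTP(host, port, timeout=timeout)
    try:
        s.ehlo(helo)
        s.starttls(context=strict)                    # raises on a bad cert
        cert = s.sock.getpeercert()
        result.update(verified=True, validity=classify_validity(cert),
                      name_ok=names_match(cert, host), cipher=s.sock.cipher())
        return result
    except ssl.SSLCertVerificationError as e:
        # This is the line an MTA should log, e.g. "certificate has expired"
        # or "unable to get local issuer certificate" (missing intermediate).
        result["reason"] = e.verify_message
    finally:
        s.close()

    # Python only parses the peer cert after a verified handshake, so fetch
    # the DER form over an unverified session and fingerprint it ourselves.
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    s = smtplib.SMTP(host, port, timeout=timeout)
    try:
        s.ehlo(helo)
        s.starttls(context=lax)
        result["fingerprint"] = fingerprint(s.sock.getpeercert(binary_form=True))
        result["cipher"] = s.sock.cipher()
    finally:
        s.close()
    return result


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"
    print(diagnose(target))
```

Run it as `python3 tlsdiag.py mail.example.com`; a verified peer yields
`verified: True` with the validity and name-match results, while a peer like
the one in the thread yields `reason: 'certificate has expired'` plus the
leaf fingerprint and negotiated cipher from the second, unverified pass.
Note that names_match() deliberately ignores the CommonName once DNS SANs are
present, which is how modern verifiers behave and why "Matched CommonName"
in the posttls-finger output tells you the certificate has no SANs.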