On Fri, Dec 27, 2013 at 12:59:11PM -0600, Bobber wrote:

> I recently upgraded my company's mail server to 64 Debian Wheezy. I
> am using the Openssl package which is version 1.0.1e-2.
> 
> I am having problems when trying to send a message to one of our
> business partners.  The SMTP session appears to shut down and it
> appears that my server is rejecting their certificate.
> 
> Here is the openssl command I am giving to diagnose the problem and
> its output.  Can anyone suggest a solution?  It appears to me that
> I may be lacking an intermediary certificate.  How do I fix this if
> this is the case?
> 
> >openssl s_client -CApath  /etc/ssl/certs/ -crlf -starttls smtp -connect mail.thelawrencegroup.com:25

The posttls-finger(1) utility, included with Postfix 2.11 snapshot
source code, does a much better job of mail server TLS diagnostics.
Their certificate is expired.  Your MTA really ought to log the
error reason.  Consider a better MTA! :-)

    $ posttls-finger "[mail.thelawrencegroup.com]"
    posttls-finger: Connected to mail.thelawrencegroup.com[206.16.127.29]:25
    posttls-finger: < 220 mail.thelawrencegroup.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at  Fri, 27 Dec 2013 13:13:52 -0600
    posttls-finger: > EHLO amnesiac.example
    posttls-finger: < 250-mail.thelawrencegroup.com Hello [192.0.2.1]
    posttls-finger: < 250-TURN
    posttls-finger: < 250-SIZE
    posttls-finger: < 250-ETRN
    posttls-finger: < 250-PIPELINING
    posttls-finger: < 250-DSN
    posttls-finger: < 250-ENHANCEDSTATUSCODES
    posttls-finger: < 250-8bitmime
    posttls-finger: < 250-BINARYMIME
    posttls-finger: < 250-CHUNKING
    posttls-finger: < 250-VRFY
    posttls-finger: < 250-TLS
    posttls-finger: < 250-STARTTLS
    posttls-finger: < 250-X-EXPS GSSAPI NTLM LOGIN
    posttls-finger: < 250-X-EXPS=LOGIN
    posttls-finger: < 250-AUTH GSSAPI NTLM LOGIN
    posttls-finger: < 250-AUTH=LOGIN
    posttls-finger: < 250-X-LINK2STATE
    posttls-finger: < 250-XEXCH50
    posttls-finger: < 250 OK
    posttls-finger: > STARTTLS
    posttls-finger: < 220 2.0.0 SMTP server ready
    posttls-finger: mail.thelawrencegroup.com[206.16.127.29]:25 Matched CommonName mail.thelawrencegroup.com
    posttls-finger: server certificate verification failed for mail.thelawrencegroup.com[206.16.127.29]:25: certificate has expired
    posttls-finger: mail.thelawrencegroup.com[206.16.127.29]:25: subject_CN=mail.thelawrencegroup.com, issuer_CN=VeriSign Class 3 Secure Server CA, fingerprint=58:83:F8:69:1B:45:53:BA:21:36:19:01:B4:C9:7A:A9:54:62:79:57, pkey_fingerprint=84:43:0D:55:D9:F8:D3:C5:59:D3:9D:33:42:B3:2E:A4:9B:FE:96:4D
    posttls-finger: Untrusted TLS connection established to mail.thelawrencegroup.com[206.16.127.29]:25: unknown with cipher RC4-MD5 (128/128 bits)
    posttls-finger: > EHLO amnesiac.example
    posttls-finger: < 250-mail.thelawrencegroup.com Hello [192.0.2.1]
    posttls-finger: < 250-TURN
    posttls-finger: < 250-SIZE
    posttls-finger: < 250-ETRN
    posttls-finger: < 250-PIPELINING
    posttls-finger: < 250-DSN
    posttls-finger: < 250-ENHANCEDSTATUSCODES
    posttls-finger: < 250-8bitmime
    posttls-finger: < 250-BINARYMIME
    posttls-finger: < 250-CHUNKING
    posttls-finger: < 250-VRFY
    posttls-finger: < 250-X-EXPS GSSAPI NTLM LOGIN
    posttls-finger: < 250-X-EXPS=LOGIN
    posttls-finger: < 250-AUTH GSSAPI NTLM LOGIN
    posttls-finger: < 250-AUTH=LOGIN
    posttls-finger: < 250-X-LINK2STATE
    posttls-finger: < 250-XEXCH50
    posttls-finger: < 250 OK
    posttls-finger: > QUIT
    posttls-finger: < 221 2.0.0 mail.thelawrencegroup.com Service closing transmission channel

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
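
Added example, not part of the original message and not Postfix code: a small Python parser that reduces a posttls-finger transcript like the one above to the fields needed for triage (STARTTLS offered, trust level, verification error, cipher). The record shapes are assumed from the lines shown in this thread, and the names `unwrap` and `summarize` are hypothetical.

```python
import re

PREFIX = "posttls-finger:"

# Constructed sample: TLS-related lines copied from the transcript above,
# keeping the mid-record line wraps that mail archives tend to introduce.
SAMPLE = """\
    posttls-finger: < 250-STARTTLS
    posttls-finger: < 250 OK
    posttls-finger: mail.thelawrencegroup.com[206.16.127.29]:25 Matched
CommonName mail.thelawrencegroup.com
    posttls-finger: server certificate verification failed for
mail.thelawrencegroup.com[206.16.127.29]:25: certificate has expired
    posttls-finger: Untrusted TLS connection established to
mail.thelawrencegroup.com[206.16.127.29]:25: unknown with cipher RC4-MD5
(128/128 bits)
"""

# Record shapes taken from the transcript above (an assumption for other versions).
VERIFY_FAIL = re.compile(r"server certificate verification failed for (\S+): (.+)")
ESTABLISHED = re.compile(
    r"(\w+) TLS connection established to (\S+): (\S+) with cipher (\S+) \((\d+)/(\d+) bits\)")
MATCHED = re.compile(r"Matched (\w+) (\S+)$")


def unwrap(text):
    """Rejoin wrapped records: a line without the prefix continues the previous one."""
    records = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith(PREFIX):
            records.append(line[len(PREFIX):].strip())
        elif line and records:
            records[-1] += " " + line
    return records


def summarize(text):
    """Reduce a posttls-finger transcript to the fields needed for triage."""
    out = {"starttls": False, "peer": None, "trust": None, "verify_error": None,
           "protocol": None, "cipher": None, "name_match": None}
    for rec in unwrap(text):
        if re.match(r"< 250[- ]STARTTLS$", rec):
            out["starttls"] = True
        elif (m := VERIFY_FAIL.search(rec)):
            out["peer"], out["verify_error"] = m.groups()
        elif (m := ESTABLISHED.search(rec)):
            out["trust"], out["peer"], out["protocol"], out["cipher"] = m.groups()[:4]
        elif (m := MATCHED.search(rec)):
            out["name_match"] = m.groups()
    return out
```

Calling `summarize()` on saved posttls-finger output for each partner domain gives one record per peer that can be compared between runs, so a change in `trust` or a new `verify_error` shows up before mail starts to defer.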
