On 12/27/2013 01:29 PM, Viktor Dukhovni wrote:
On Fri, Dec 27, 2013 at 12:59:11PM -0600, Bobber wrote:
I recently upgraded my company's mail server to 64-bit Debian Wheezy. I
am using the OpenSSL package which is version 1.0.1e-2.
I am having problems when trying to send a message to one of our
business partners. The SMTP session appears to shut down and it
appears that my server is rejecting their certificate.
Here is the openssl command I am giving to diagnose the problem and
its output. Can anyone suggest a solution? It appears to me that
I may be lacking an intermediary certificate. How do I fix this if
this is the case?
openssl s_client -CApath /etc/ssl/certs/ -crlf -starttls smtp -connect mail.thelawrencegroup.com:25
The posttls-finger(1) utility, included with Postfix 2.11 snapshot
source code, does a much better job of mail server TLS diagnostics.
Their certificate is expired. Your MTA really ought to log the
error reason. Consider a better MTA! :-)
I don't see anywhere that it says expired other than this utility. How
can I verify that it is really expired? These guys do business with
lots of other people but have not noticed anything except with us. The
openssl error code 20 indicates an improper intermediate CA from what I
can find. Also using this site indicates no problem:
http://www.checktls.com/testreceiver.html
Is there another way to verify the expiration?
$ posttls-finger "[mail.thelawrencegroup.com]"
posttls-finger: Connected to mail.thelawrencegroup.com[206.16.127.29]:25
posttls-finger: < 220 mail.thelawrencegroup.com Microsoft ESMTP MAIL
Service, Version: 6.0.3790.4675 ready at Fri, 27 Dec 2013 13:13:52 -0600
posttls-finger: > EHLO amnesiac.example
posttls-finger: < 250-mail.thelawrencegroup.com Hello [192.0.2.1]
posttls-finger: < 250-TURN
posttls-finger: < 250-SIZE
posttls-finger: < 250-ETRN
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-DSN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8bitmime
posttls-finger: < 250-BINARYMIME
posttls-finger: < 250-CHUNKING
posttls-finger: < 250-VRFY
posttls-finger: < 250-TLS
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-X-EXPS GSSAPI NTLM LOGIN
posttls-finger: < 250-X-EXPS=LOGIN
posttls-finger: < 250-AUTH GSSAPI NTLM LOGIN
posttls-finger: < 250-AUTH=LOGIN
posttls-finger: < 250-X-LINK2STATE
posttls-finger: < 250-XEXCH50
posttls-finger: < 250 OK
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 SMTP server ready
posttls-finger: mail.thelawrencegroup.com[206.16.127.29]:25 Matched
CommonName mail.thelawrencegroup.com
posttls-finger: server certificate verification failed for
mail.thelawrencegroup.com[206.16.127.29]:25: certificate has expired
posttls-finger: mail.thelawrencegroup.com[206.16.127.29]:25:
subject_CN=mail.thelawrencegroup.com, issuer_CN=VeriSign Class 3 Secure Server
CA, fingerprint=58:83:F8:69:1B:45:53:BA:21:36:19:01:B4:C9:7A:A9:54:62:79:57,
pkey_fingerprint=84:43:0D:55:D9:F8:D3:C5:59:D3:9D:33:42:B3:2E:A4:9B:FE:96:4D
posttls-finger: Untrusted TLS connection established to
mail.thelawrencegroup.com[206.16.127.29]:25: unknown with cipher RC4-MD5
(128/128 bits)
posttls-finger: > EHLO amnesiac.example
posttls-finger: < 250-mail.thelawrencegroup.com Hello [192.0.2.1]
posttls-finger: < 250-TURN
posttls-finger: < 250-SIZE
posttls-finger: < 250-ETRN
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-DSN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8bitmime
posttls-finger: < 250-BINARYMIME
posttls-finger: < 250-CHUNKING
posttls-finger: < 250-VRFY
posttls-finger: < 250-X-EXPS GSSAPI NTLM LOGIN
posttls-finger: < 250-X-EXPS=LOGIN
posttls-finger: < 250-AUTH GSSAPI NTLM LOGIN
posttls-finger: < 250-AUTH=LOGIN
posttls-finger: < 250-X-LINK2STATE
posttls-finger: < 250-XEXCH50
posttls-finger: < 250 OK
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 mail.thelawrencegroup.com Service closing
transmission channel
--
Bob Wooldridge
bob...@kc0dxf.net
Blog: http://kc0dxf.net/blog/
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
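An added example, not code from the thread or from OpenSSL/Postfix, that answers the "is there another way to verify the expiration" question without relying on posttls-finger: it runs the same two stock commands a person would type by hand (`openssl s_client -starttls smtp` to fetch the leaf certificate, then `openssl x509 -noout -dates` to print its validity window) and compares the notBefore/notAfter values against a clock. The host name, port and the SAMPLE_DATES text are constructed for illustration; the dates are not the real ones from the server in the thread. For reference, s_client's summary line for this failure is "Verify return code: 10 (certificate has expired)"; code 20 is "unable to get local issuer certificate", which is the missing-intermediate case.

```python
"""Check an SMTP server's leaf certificate validity window with plain openssl(1).

Added example for this thread; not part of the original posts or of OpenSSL.
fetch_dates() needs network access; parse_dates()/validity_status() run offline.
"""
import re
import subprocess
from datetime import datetime, timezone

# `openssl x509 -noout -dates` prints lines such as
#   notBefore=Dec  1 00:00:00 2012 GMT
#   notAfter=Dec 26 23:59:59 2013 GMT
_DATE_RE = re.compile(r"^(notBefore|notAfter)=(.+)$", re.M)
_FMT = "%b %d %H:%M:%S %Y %Z"  # "Dec 26 23:59:59 2013 GMT"

# Constructed sample output (assumption for the demo, not the real server's dates).
SAMPLE_DATES = (
    "notBefore=Dec  1 00:00:00 2012 GMT\n"
    "notAfter=Dec 26 23:59:59 2013 GMT\n"
)


def parse_dates(dates_text):
    """Return (notBefore, notAfter) as UTC-aware datetimes from x509 -dates output."""
    found = {}
    for key, value in _DATE_RE.findall(dates_text):
        # openssl pads single-digit days with two spaces; collapse that for strptime
        value = " ".join(value.split())
        found[key] = datetime.strptime(value, _FMT).replace(tzinfo=timezone.utc)
    if "notBefore" not in found or "notAfter" not in found:
        raise ValueError("input does not contain both notBefore and notAfter")
    return found["notBefore"], found["notAfter"]


def validity_status(dates_text, at=None):
    """Classify the certificate at time `at` (ISO string, datetime, or None=now).

    Returns ("expired", days_since_expiry), ("not yet valid", days_until_valid)
    or ("valid", days_remaining).
    """
    not_before, not_after = parse_dates(dates_text)
    if at is None:
        now = datetime.now(timezone.utc)
    elif isinstance(at, datetime):
        now = at
    else:
        now = datetime.fromisoformat(at).replace(tzinfo=timezone.utc)
    if now > not_after:
        return "expired", (now - not_after).days
    if now < not_before:
        return "not yet valid", (not_before - now).days
    return "valid", (not_after - now).days


def fetch_dates(host, port=25, timeout=30):
    """Fetch the leaf cert over STARTTLS and return `openssl x509 -dates` output.

    Same commands the thread's poster used, joined by a pipe; x509 reads the
    first PEM block that s_client prints (the server's leaf certificate).
    """
    s_client = subprocess.run(
        ["openssl", "s_client", "-starttls", "smtp", "-crlf",
         "-connect", "%s:%d" % (host, port)],
        input=b"QUIT\r\n", capture_output=True, timeout=timeout)
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-dates"],
        input=s_client.stdout, capture_output=True, check=True)
    return x509.stdout.decode()


if __name__ == "__main__":
    import sys
    # Offline demo on the constructed sample, evaluated at the thread's date.
    print(validity_status(SAMPLE_DATES, "2013-12-27T19:13:52"))
    # Live check against a host given on the command line (assumed hostname).
    if len(sys.argv) > 1:
        print(validity_status(fetch_dates(sys.argv[1])))
```

For a one-liner without Python, `openssl x509 -checkend 0` after the same s_client pipe exits non-zero once notAfter is in the past, which is the quickest way to confirm "certificate has expired" independently of any MTA.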