I am not following this in any detail, but if you look at the certificate you
included in your original email it expired in 2008. Just look at it with

    openssl x509 -text -noout -in <some file>

Sorry if I'm jumping into something I've misunderstood,

andrew

On Fri, Dec 27, 2013 at 01:47:47PM -0600, Bobber wrote:
>
> On 12/27/2013 01:29 PM, Viktor Dukhovni wrote:
> >On Fri, Dec 27, 2013 at 12:59:11PM -0600, Bobber wrote:
> >
> >>I recently upgraded my company's mail server to 64 Debian Wheezy. I
> >>am using the OpenSSL package which is version 1.0.1e-2.
> >>
> >>I am having problems when trying to send a message to one of our
> >>business partners. The SMTP session appears to shut down and it
> >>appears that my server is rejecting their certificate.
> >>
> >>Here is the openssl command I am giving to diagnose the problem and
> >>its output. Can anyone suggest a solution? It appears to me that
> >>I may be lacking an intermediary certificate. How do I fix this if
> >>this is the case?
> >>
> >>>openssl s_client -CApath /etc/ssl/certs/ -crlf -starttls smtp
> >>>-connect mail.thelawrencegroup.com:25
> >
> >The posttls-finger(1) utility, included with Postfix 2.11 snapshot
> >source code, does a much better job of mail server TLS diagnostics.
> >Their certificate is expired. Your MTA really ought to log the
> >error reason. Consider a better MTA! :-)
>
> I don't see anywhere that it says expired other than this utility.
> How can I verify that it is really expired? These guys do business
> with lots of other people but have not noticed anything except with
> us. The openssl error code 20 indicates an improper intermediate CA
> from what I can find. Also using this site indicates no problem:
> http://www.checktls.com/testreceiver.html
>
> Is there another way to verify the expiration?
>
> > $ posttls-finger "[mail.thelawrencegroup.com]"
> > posttls-finger: Connected to mail.thelawrencegroup.com[206.16.127.29]:25
> > posttls-finger: < 220 mail.thelawrencegroup.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at Fri, 27 Dec 2013 13:13:52 -0600
> > posttls-finger: > EHLO amnesiac.example
> > posttls-finger: < 250-mail.thelawrencegroup.com Hello [192.0.2.1]
> > posttls-finger: < 250-TURN
> > posttls-finger: < 250-SIZE
> > posttls-finger: < 250-ETRN
> > posttls-finger: < 250-PIPELINING
> > posttls-finger: < 250-DSN
> > posttls-finger: < 250-ENHANCEDSTATUSCODES
> > posttls-finger: < 250-8bitmime
> > posttls-finger: < 250-BINARYMIME
> > posttls-finger: < 250-CHUNKING
> > posttls-finger: < 250-VRFY
> > posttls-finger: < 250-TLS
> > posttls-finger: < 250-STARTTLS
> > posttls-finger: < 250-X-EXPS GSSAPI NTLM LOGIN
> > posttls-finger: < 250-X-EXPS=LOGIN
> > posttls-finger: < 250-AUTH GSSAPI NTLM LOGIN
> > posttls-finger: < 250-AUTH=LOGIN
> > posttls-finger: < 250-X-LINK2STATE
> > posttls-finger: < 250-XEXCH50
> > posttls-finger: < 250 OK
> > posttls-finger: > STARTTLS
> > posttls-finger: < 220 2.0.0 SMTP server ready
> > posttls-finger: mail.thelawrencegroup.com[206.16.127.29]:25 Matched CommonName mail.thelawrencegroup.com
> > posttls-finger: server certificate verification failed for mail.thelawrencegroup.com[206.16.127.29]:25: certificate has expired
> > posttls-finger: mail.thelawrencegroup.com[206.16.127.29]:25: subject_CN=mail.thelawrencegroup.com, issuer_CN=VeriSign Class 3 Secure Server CA, fingerprint=58:83:F8:69:1B:45:53:BA:21:36:19:01:B4:C9:7A:A9:54:62:79:57, pkey_fingerprint=84:43:0D:55:D9:F8:D3:C5:59:D3:9D:33:42:B3:2E:A4:9B:FE:96:4D
> > posttls-finger: Untrusted TLS connection established to mail.thelawrencegroup.com[206.16.127.29]:25: unknown with cipher RC4-MD5 (128/128 bits)
> > posttls-finger: > EHLO amnesiac.example
> > posttls-finger: < 250-mail.thelawrencegroup.com Hello [192.0.2.1]
> > posttls-finger: < 250-TURN
> > posttls-finger: < 250-SIZE
> > posttls-finger: < 250-ETRN
> > posttls-finger: < 250-PIPELINING
> > posttls-finger: < 250-DSN
> > posttls-finger: < 250-ENHANCEDSTATUSCODES
> > posttls-finger: < 250-8bitmime
> > posttls-finger: < 250-BINARYMIME
> > posttls-finger: < 250-CHUNKING
> > posttls-finger: < 250-VRFY
> > posttls-finger: < 250-X-EXPS GSSAPI NTLM LOGIN
> > posttls-finger: < 250-X-EXPS=LOGIN
> > posttls-finger: < 250-AUTH GSSAPI NTLM LOGIN
> > posttls-finger: < 250-AUTH=LOGIN
> > posttls-finger: < 250-X-LINK2STATE
> > posttls-finger: < 250-XEXCH50
> > posttls-finger: < 250 OK
> > posttls-finger: > QUIT
> > posttls-finger: < 221 2.0.0 mail.thelawrencegroup.com Service closing transmission channel
> >
>
> --
> Bob Wooldridge
> bob...@kc0dxf.net
> Blog: http://kc0dxf.net/blog/
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
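As an added example that is not part of this thread and not code from OpenSSL or Postfix, the shell functions below automate the check the thread arrives at: fetch the certificate a mail server presents after STARTTLS with openssl s_client, print its validity dates with openssl x509, and test expiry with openssl x509 -checkend, which is the scriptable form of reading the notAfter date by eye. The host, port and file names are assumptions; make_test_cert builds a constructed, throwaway self-signed certificate so the expiry logic can be exercised without a network connection.

```shell
#!/bin/sh
# Added example (not from the openssl-users thread): verify whether an SMTP
# server's certificate has expired, using only the openssl command line.

# Fetch the leaf certificate presented after STARTTLS and print it as PEM.
# HOST (and optional PORT, default 25) are assumptions supplied by the caller.
# s_client reads its commands from stdin, so /dev/null makes it exit cleanly.
fetch_smtp_leaf_cert() {
    host="$1"
    port="${2:-25}"
    openssl s_client -starttls smtp -crlf -connect "$host:$port" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# Print subject, issuer and the notBefore/notAfter dates of a PEM certificate
# file: the same information as `openssl x509 -text`, reduced to the lines
# that answer "is it expired, and who issued it?".
cert_validity_summary() {
    openssl x509 -noout -subject -issuer -dates -in "$1"
}

# Exit 0 if the certificate in $1 is still valid $2 seconds from now
# (default 0, i.e. valid right now); exit 1 if it has already expired or
# will expire within that window. Output is suppressed so the function can
# be used directly in an if/&&/|| test.
cert_valid_for() {
    openssl x509 -noout -checkend "${2:-0}" -in "$1" >/dev/null 2>&1
}

# Constructed fixture: a self-signed certificate valid for exactly one day,
# written to $1/cert.pem with its key in $1/key.pem. Used only for testing
# the functions above offline.
make_test_cert() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
}
```

Typical use against a live server is `fetch_smtp_leaf_cert mail.example.invalid > leaf.pem && cert_validity_summary leaf.pem`, followed by `cert_valid_for leaf.pem 2592000 || echo "expires within 30 days"` for a monitoring-style check. Two caveats worth keeping in mind from the thread: the verify error the original poster saw (code 20, unable to get local issuer certificate) is a chain-building failure and is reported separately from expiry (code 10, certificate has expired), so a certificate can fail on both counts at once; and s_client without -showcerts returns only the leaf, so add -showcerts when the question is whether an intermediate is missing.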