> On Jun 18, 2024, at 12:38 AM, Viktor Dukhovni via Postfix-users
> <postfix-users@postfix.org> wrote:
>
> On Mon, Jun 17, 2024 at 11:39:27PM -0500, Paul Schmehl via Postfix-users
> wrote:
>
>> That might have uncovered a problem.
>>
>> # posttls-finger -w -lsecure -C "www.stovebolt.com:465" "www.stovebolt.com"
>>
>> posttls-finger: Connected to www.stovebolt.com[108.174.193.28]:465
>> posttls-finger: SSL_connect error to www.stovebolt.com[108.174.193.28]:465: -1
>> posttls-finger: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:
>
> Your port 465 "smtps" service is misconfigured, it is missing the
> "-o smtpd_tls_wrapper_mode=yes" option. For example:
>
>     465 inet n - n - - smtpd
>         -o smtpd_tls_wrappermode=yes
>         -o smtpd_milters=
>         -o syslog_name=postfix/smtps
>         -o smtpd_sasl_auth_enable=yes
>         -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
>         -o smtpd_helo_restrictions=
>         -o smtpd_sender_restrictions=
>         -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>         -o smtpd_recipient_restrictions=
>         -o smtpd_data_restrictions=
>         -o smtpd_end_of_data_restrictions=
>         -o milter_macro_daemon_name=ORIGINATING
>         -o smtpd_milters=$mua_milters
>         -o always_add_missing_headers=yes
>

OK. wrappermode was commented out. I uncommented it, restarted the daemon, and ran finger again.

# posttls-finger -w -lsecure -C "mail.stovebolt.com:465" "www.stovebolt.com"
posttls-finger: Connected to mail.stovebolt.com[108.174.193.29]:465
posttls-finger: server certificate verification failed for mail.stovebolt.com[108.174.193.29]:465: num=62:Hostname mismatch
posttls-finger: mail.stovebolt.com[108.174.193.29]:465: subject_CN=mail.stovebolt.com, issuer=R10, cert fingerprint=B6:E5:61:8F:1D:B3:98:54:36:CF:09:A1:04:96:E4:14:21:8C:59:91:AB:C5:60:27:34:E5:61:66:68:1E:83:D5, pkey fingerprint=26:05:FB:BB:A6:40:3D:66:16:B3:85:3A:23:9F:97:42:7E:BA:E2:BA:FF:DB:DA:67:B2:87:9B:16:A7:83:3D:0D
posttls-finger: Untrusted TLS connection established to mail.stovebolt.com[108.174.193.29]:465: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
posttls-finger: < 220 mail.stovebolt.com ESMTP Postfix
posttls-finger: > EHLO mail.stovebolt.com
posttls-finger: < 250-mail.stovebolt.com
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 900000000
posttls-finger: < 250-VRFY
posttls-finger: < 250-ETRN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250-SMTPUTF8
posttls-finger: < 250 CHUNKING
---
Certificate chain
(I deleted all the cert stuff)
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye

This looks like it’s working correctly now, right?

Paul Schmehl
paul.schm...@gmail.com
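
An added example, not part of the original thread and not Postfix code: a small master.cf audit that flags an implicit-TLS smtpd listener whose smtpd_tls_wrappermode override is absent or commented out, the condition described above. The function names, the set of service names treated as implicit TLS, the sample entry, and the premise that main.cf leaves smtpd_tls_wrappermode at its default of "no" are assumptions.

```python
import re

# Assumption: these master.cf service names are implicit-TLS (wrapper mode) listeners.
IMPLICIT_TLS = {"465", "smtps", "submissions"}
# Matches "-o name=value" and the braced form "-o { name = value }".
OVERRIDE = re.compile(r"(?<!\S)-o\s+(?:\{\s*([^}]*?)\s*\}|(\S+))")

def logical_lines(text):
    """Return master.cf entries: comments and blanks dropped, continuations joined."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # a commented-out "-o" line contributes nothing
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        elif not raw[0].isspace():
            entries.append(raw.strip())
    return entries

def overrides(entry):
    """Map each -o parameter to its value; a later -o replaces an earlier one."""
    found = {}
    for braced, plain in OVERRIDE.findall(entry):
        name, _, value = (braced or plain).partition("=")
        found[name.strip()] = value.strip()
    return found

def missing_wrappermode(text):
    """Return implicit-TLS smtpd services that lack smtpd_tls_wrappermode=yes."""
    flagged = []
    for entry in logical_lines(text):
        f = entry.split()
        if len(f) < 8 or f[1] != "inet" or f[7] != "smtpd":
            continue
        port = f[0].rsplit(":", 1)[-1]  # handles "465" and "host:465"
        mode = overrides(entry).get("smtpd_tls_wrappermode", "no")
        if port in IMPLICIT_TLS and mode.lower() != "yes":
            flagged.append(f[0])
    return flagged

# Constructed sample: the wrappermode override is commented out.
BROKEN = """\
465 inet n - n - - smtpd
#  -o smtpd_tls_wrappermode=yes
  -o syslog_name=postfix/smtps
"""
FIXED = BROKEN.replace("#  -o", "  -o")

if __name__ == "__main__":
    print("broken:", missing_wrappermode(BROKEN), "fixed:", missing_wrappermode(FIXED))
```
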