On Fri, Oct 07, 2011 at 05:15:20PM -0400, Simon Brereton wrote:

> postfix/smtpd[25614]: warning: TLS library problem: 25614:error:14094416:SSL 
> routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1102:SSL 
> alert number 46:

This client could not verify your server certificate, its SSL stack
sent an "alert" to that effect.

> I have absolutely no idea if my server is using TLS if it's offered for 
> outgoing mail.
> 
> In main.cf I have smtpd_use_tls = yes but the documentation tells
> me this is obsoleted (I'm running 2.7.1) and to use
> smtpd_tls_security_level = may instead - however, vim tells me that
> the former is a valid configurable (it's highlighted) whilst the
> latter is not.  That's part of my confusion.

The authors of vim are not Postfix experts.

> mail:~# postconf -n | grep -i TLS
> smtp_tls_note_starttls_offer = yes
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

With no other settings for the SMTP client, outgoing TLS is disabled
on your machine. You need "smtp_tls_security_level = may".

> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
> smtpd_tls_auth_only = no
> smtpd_tls_key_file = /etc/ssl/private/mail..net.key
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtpd_tls_session_cache_timeout = 3600s

Fine.

> smtpd_tls_CAfile = /etc/ssl/keys/ca.crt
> smtpd_tls_cert_file = /etc/ssl/keys/mail..net.crt

Not needed; you neither ask for nor verify client certs.

> smtpd_tls_loglevel = 2

Too noisy. No more than 1, unless you're debugging a TLS interoperability
problem.

> smtpd_use_tls = yes

Use "smtpd_tls_security_level = may"

> tls_random_source = dev:/dev/urandom

This should be the default.

> How can I be sure my server is using TLS for hosts that offer it?

See above.

> And how can I be sure those errors in the logs are the connecting host and 
> not mine?

Reduce the loglevel to 1, then ignore most TLS warnings that don't
correlate with non-delivery of mail. Sadly, it is not practical for
everyone to learn SSL deeply enough to understand all the warnings.

-- 
        Viktor.

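An added shell example, not part of the thread, that audits a `postconf -n` dump for the points raised in the reply: outgoing TLS being disabled when `smtp_tls_security_level` is unset, the obsolete `smtpd_use_tls` / `smtp_use_tls` parameters, and a TLS loglevel above 1. The function name `audit_postfix_tls` and the two sample dumps are my own constructions; on a real server you would pipe `postconf -n` into the function.

```shell
# Audit a "postconf -n" dump for the TLS issues discussed in the thread.
# Prints one line per finding and returns the number of findings (0 = clean).
audit_postfix_tls() {
    findings=0
    have_smtp_level=0
    while IFS= read -r line; do
        key=${line%% = *}
        val=${line#* = }
        case "$key" in
            smtp_tls_security_level)
                # The only setting that actually enables opportunistic
                # TLS for outgoing mail on Postfix >= 2.3.
                have_smtp_level=1 ;;
            smtpd_use_tls|smtp_use_tls)
                printf 'obsolete: %s -> use %s_tls_security_level = may\n' \
                    "$key" "${key%_use_tls}"
                findings=$((findings + 1)) ;;
            smtpd_tls_loglevel|smtp_tls_loglevel)
                if [ "$val" -gt 1 ] 2>/dev/null; then
                    printf 'too noisy: %s = %s -> use 1 unless debugging\n' \
                        "$key" "$val"
                    findings=$((findings + 1))
                fi ;;
        esac
    done
    if [ "$have_smtp_level" -eq 0 ]; then
        echo 'outgoing TLS disabled -> set smtp_tls_security_level = may'
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed dump mirroring the settings quoted in the thread.
BEFORE='smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 2
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom'

# Constructed dump of the same server after applying the advice above.
AFTER='smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
tls_random_source = dev:/dev/urandom'

printf '%s\n' "$BEFORE" | audit_postfix_tls || echo "findings: $?"   # findings: 3
printf '%s\n' "$AFTER" | audit_postfix_tls && echo "clean"            # clean
```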