Hi

Thanks for your answers

I continue with the problem and I don't know where else I can check. Right now the situation is:

- Sent mails are deferred
- In the logs appears:

Feb 12 01:20:50 mailserver postfix/smtpd[16653]: warning: smtpd_tls_security_level: unsupported TLS level "verify", using "encrypt"
Feb 12 01:20:50 mailserver postfix/smtpd[16653]: initializing the server-side TLS engine
Feb 12 01:20:50 mailserver postfix/tlsmgr[16655]: open smtpd TLS cache btree:/var/lib/postfix/smtpd_scache
Feb 12 01:20:50 mailserver postfix/tlsmgr[16655]: tlsmgr_cache_run_event: start TLS smtpd session cache cleanup
Feb 12 01:20:50 mailserver postfix/smtpd[16653]: connect from unknown[194.183.97.58]
Feb 12 01:20:51 mailserver postfix/smtpd[16653]: setting up TLS connection from unknown[194.183.97.58]
Feb 12 01:20:51 mailserver postfix/smtpd[16653]: unknown[194.183.97.58]: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
Feb 12 01:20:51 mailserver postfix/smtpd[16653]: SSL_accept:before/accept initialization
Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:SSLv3 read client hello B
Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:SSLv3 write server hello A
Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:SSLv3 write certificate A
Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:SSLv3 write key exchange A
Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:SSLv3 write server done A
Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:SSLv3 flush data
Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:SSLv3 read client key exchange A
Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:SSLv3 read finished A
Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:unknown state
Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:SSLv3 write change cipher spec A
Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:SSLv3 write finished A
Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:SSLv3 flush data
Feb 12 01:20:52 mailserver postfix/smtpd[16653]: Anonymous TLS connection established from unknown[194.183.97.58]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Feb 12 01:20:52 mailserver dovecot: auth(default): client in: AUTH^I1^IPLAIN^Iservice=smtp^Inologin^Iresp=AG1hcmNvcy5nb256YWxlekBlc2NpLnVwZi5lZHUAYVYzcnlMMG5nUDRzc3cwcmQ=
Feb 12 01:20:52 mailserver postfix/smtpd[16653]: D88A97A0C9C: client=unknown[194.183.97.58], sasl_method=PLAIN, sasl_username=usertest
Feb 12 01:20:53 mailserver postfix/smtpd[16653]: disconnect from unknown[194.183.97.58]
Feb 12 01:20:53 mailserver postfix/smtp[16660]: D88A97A0C9C: Server certificate not verified
Feb 12 01:20:56 mailserver postfix/smtp[16660]: D88A97A0C9C: to=<m...@mymail.com>, relay=mysmarthost[130.206.18.4]:25, delay=3.3, delays=0.48/0.01/2.8/0, dsn=4.7.5, status=deferred (Server certificate not verified)

And postconf filtered by smtp is:

default_transport = smtp
lmtp_pix_workarounds = disable_esmtp,delay_dotcrlf
non_smtpd_milters =
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps
proxy_write_maps = $smtp_sasl_auth_cache_name $lmtp_sasl_auth_cache_name
relayhost = myrelay
smtp_always_send_ehlo = yes
smtp_bind_address =
smtp_bind_address6 =
smtp_body_checks =
smtp_cname_overrides_servername = no
smtp_connect_timeout = 30s
smtp_connection_cache_destinations =
smtp_connection_cache_on_demand = yes
smtp_connection_cache_time_limit = 2s
smtp_connection_reuse_time_limit = 300s
smtp_data_done_timeout = 600s
smtp_data_init_timeout = 120s
smtp_data_xfer_timeout = 180s
smtp_defer_if_no_mx_address_found = no
smtp_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
smtp_destination_concurrency_limit = $default_destination_concurrency_limit
smtp_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
smtp_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
smtp_destination_rate_delay = $default_destination_rate_delay
smtp_destination_recipient_limit = $default_destination_recipient_limit
smtp_discard_ehlo_keyword_address_maps =
smtp_discard_ehlo_keywords =
smtp_enforce_tls = no
smtp_fallback_relay = $fallback_relay
smtp_generic_maps =
smtp_header_checks =
smtp_helo_name = $myhostname
smtp_helo_timeout = 300s
smtp_host_lookup = dns
smtp_initial_destination_concurrency = $initial_destination_concurrency
smtp_line_length_limit = 990
smtp_mail_timeout = 300s
smtp_mime_header_checks =
smtp_mx_address_limit = 5
smtp_mx_session_limit = 2
smtp_nested_header_checks =
smtp_never_send_ehlo = no
smtp_pix_workaround_delay_time = 10s
smtp_pix_workaround_maps =
smtp_pix_workaround_threshold_time = 500s
smtp_pix_workarounds = disable_esmtp,delay_dotcrlf
smtp_quit_timeout = 300s
smtp_quote_rfc821_envelope = yes
smtp_randomize_addresses = yes
smtp_rcpt_timeout = 300s
smtp_rset_timeout = 20s
smtp_sasl_auth_cache_name =
smtp_sasl_auth_cache_time = 90d
smtp_sasl_auth_enable = no
smtp_sasl_auth_soft_bounce = yes
smtp_sasl_mechanism_filter =
smtp_sasl_password_maps = hash:/etc/postfix/relay_passwd
smtp_sasl_path =
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
smtp_sasl_type = cyrus
smtp_send_xforward_command = no
smtp_sender_dependent_authentication = no
smtp_skip_5xx_greeting = yes
smtp_skip_quit_response = yes
smtp_starttls_timeout = 300s
smtp_tls_CAfile = /etc/ssl/certs/TERENASSL_PATH.pem.1
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_cert_file = /etc/ssl/mydomain.crt
smtp_tls_dcert_file =
smtp_tls_dkey_file = $smtp_tls_dcert_file
smtp_tls_enforce_peername = yes
smtp_tls_exclude_ciphers =
smtp_tls_fingerprint_cert_match =
smtp_tls_fingerprint_digest = md5
smtp_tls_key_file = /etc/ssl/private/jupiter_mydomain.pem
smtp_tls_loglevel = 0
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers =
smtp_tls_mandatory_protocols = SSLv3, TLSv1
smtp_tls_note_starttls_offer = no
smtp_tls_per_site =
smtp_tls_policy_maps =
smtp_tls_scert_verifydepth = 9
smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_security_level = verify
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtp_tls_verify_cert_match = hostname
smtp_use_tls = yes
smtp_xforward_timeout = 300s
smtpd_authorized_verp_clients = $authorized_verp_clients
smtpd_authorized_xclient_hosts =
smtpd_authorized_xforward_hosts =
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 0
smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
smtpd_client_message_rate_limit = 0
smtpd_client_new_tls_session_rate_limit = 0
smtpd_client_port_logging = no
smtpd_client_recipient_rate_limit = 0
smtpd_client_restrictions =
smtpd_data_restrictions =
smtpd_delay_open_until_valid_rcpt = yes
smtpd_delay_reject = yes
smtpd_discard_ehlo_keyword_address_maps =
smtpd_discard_ehlo_keywords =
smtpd_end_of_data_restrictions =
smtpd_enforce_tls = no
smtpd_error_sleep_time = 1s
smtpd_etrn_restrictions =
smtpd_expansion_filter = \t\40!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~
smtpd_forbidden_commands = CONNECT GET POST
smtpd_hard_error_limit = 20
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_history_flush_threshold = 100
smtpd_junk_command_limit = 100
smtpd_milters =
smtpd_noop_commands =
smtpd_null_access_lookup_key = <>
smtpd_peername_lookup = yes
smtpd_policy_service_max_idle = 300s
smtpd_policy_service_max_ttl = 1000s
smtpd_policy_service_timeout = 100s
smtpd_proxy_ehlo = $myhostname
smtpd_proxy_filter =
smtpd_proxy_timeout = 100s
smtpd_recipient_limit = 1000
smtpd_recipient_overshoot_limit = 1000
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = no
smtpd_restriction_classes =
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_exceptions_networks =
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = ldap:/etc/postfix/ldap_aliases.cf
smtpd_sender_restrictions =
smtpd_soft_error_limit = 10
smtpd_starttls_timeout = 300s
smtpd_timeout = 300s
smtpd_tls_CAfile = /etc/ssl/certs/TERENASSL_PATH.pem.1
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_always_issue_session_ids = yes
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = no
smtpd_tls_ccert_verifydepth = 9
smtpd_tls_cert_file = /etc/ssl/mydomain.crt
smtpd_tls_dcert_file =
smtpd_tls_dh1024_param_file =
smtpd_tls_dh512_param_file =
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
smtpd_tls_exclude_ciphers =
smtpd_tls_fingerprint_digest = md5
smtpd_tls_key_file = /etc/ssl/private/jupiter_mydomain.pem
smtpd_tls_loglevel = 2
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers =
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_security_level = verify
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_wrappermode = no
smtpd_use_tls = yes

If anyone knows what I can do I'll be grateful, it is maddening :-(

Best Regards

On 10/02/13 18:59, Viktor Dukhovni wrote:
> On Sun, Feb 10, 2013 at 01:46:59PM +0100, deconya wrote:
>
>> status=deferred (Server certificate not verified)
>>
>> I was looking all the information about it in howtos, and seems that the
>> problem is when my server exchanges credentials with smarthost. It seems
>> that not recognizes the CA certificates from destination, and I'm with
>> two questions
>>
>> -What file is looking for smtp_tls_CApath=/certs, all? (I'm referring the
>> name of file), needs to use a special name? At now for recommendation of
>> you and using howto of postfix I change this to
> Configuring CApath is a lot more complicated than setting up a CAfile.
> When you have exactly one root CA to verify (the one used by the ISP's
> relay) there is little benefit in managing a "herd" (choose your
> favourite collective noun) of certificates via CApath.
>
>> smtp_tls_CApath = /var/spool/postfix/certs
>> smtpd_tls_CApath = /var/spool/postfix/certs
> Instead:
>
> /etc/postfix/main.cf:
>     # Empty
>     smtpd_tls_CApath =
>     smtpd_tls_CAfile =
>     smtp_tls_CApath =
>
>     # Copy PEM format root CA cert into this file
>     smtp_tls_CAfile = ${config_directory}/smtp_CAfile
>
> /etc/postfix/smtp_CAfile:
>     -----BEGIN CERTIFICATE-----
>     ...
>     -----END CERTIFICATE-----
>
> Obtain the root CA certificate for the relay's smtp server in PEM
> format (base64-encoded text between -----BEGIN, -----END line pairs)
> from a trusted source and copy it into the CA file. Verify that
> the file is well-formed by running:
>
>     openssl x509 -in /etc/postfix/smtp_CAfile -noout \
>         -subject -issuer -dates -sha1 -fingerprint
>
> This must produce no errors and report the DN of the expected root
> CA as both subject and issuer. The certificate must not be expired,
> and typically is valid for 10-20 years. You can usually "google"
> the sha1 fingerprint to find various online copies of the same CA
> certificate.
>
> You can store multiple trusted roots in a single CAfile, just
> concatenate individual files with PEM format trusted root CA certs.
>
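
Added example, not part of the original thread and not Postfix or OpenSSL code: the "openssl x509 -in" check quoted above reads only the first certificate in a file, so for a CAfile holding several concatenated roots this sketch splits the bundle and applies the same checks (subject equals issuer, not expired) to every entry. The helper name check_cafile is an assumption, and the openssl command-line tool must be installed.

```shell
#!/bin/sh
# Added example: check every certificate in a PEM CAfile, because
# "openssl x509 -in FILE" only reads the first one in a bundle.
# check_cafile is a hypothetical helper name, not a Postfix or OpenSSL tool.
check_cafile() {
    cafile=$1
    tmpdir=$(mktemp -d) || return 2
    # Split the bundle into one file per BEGIN/END CERTIFICATE block.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$cafile"
    rc=0
    count=0
    for pem in "$tmpdir"/cert*.pem; do
        [ -e "$pem" ] || break            # glob did not match: no certs found
        count=$((count + 1))
        if ! subject=$(openssl x509 -in "$pem" -noout -subject 2>/dev/null); then
            echo "cert $count: MALFORMED"
            rc=1
            continue
        fi
        issuer=$(openssl x509 -in "$pem" -noout -issuer)
        finger=$(openssl x509 -in "$pem" -noout -sha1 -fingerprint)
        status=OK
        # A trusted root must name itself as issuer (subject DN == issuer DN).
        if [ "${subject#subject=}" != "${issuer#issuer=}" ]; then
            status="NOT SELF-ISSUED"
        # -checkend 0 exits non-zero when the certificate has already expired.
        elif ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
            status=EXPIRED
        fi
        [ "$status" = OK ] || rc=1
        echo "cert $count: $status ${subject#subject=} ($finger)"
    done
    rm -rf "$tmpdir"
    if [ "$count" -eq 0 ]; then
        echo "no certificates found in $cafile"
        return 1
    fi
    return "$rc"
}

# Run against a file when one is given on the command line.
if [ "$#" -gt 0 ]; then
    check_cafile "$1"
fi
```

A non-zero return means at least one entry is malformed, expired, or not a self-issued root; each printed SHA-1 fingerprint still has to be compared against a trusted source.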