> On Thu, Aug 03, 2017 at 12:19:55PM +0530, hyndavirap...@bel.co.in wrote:
>
>> > He's not posted the configuration of the sending system or
>> > its logs.  This is a waste of everyone's time.
>
> The relevant logging is the TLS-related logging from the sending
> postfix/smtp client process that happens *before* the message is
> finally deferred and is enabled via smtp_tls_loglevel=1.
>
>> smtp_enforce_tls = yes
>
> Instead, "smtp_tls_security_level = encrypt".
>
>> smtp_tls_loglevel = 1
>> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
>
> Post the relevant tls policy table entry.
>
>> smtp_use_tls = yes
>
> This is unnecessary.
>
>> transport_maps = hash:/etc/postfix/transportmap
>>
>> Aug  3 12:11:54 AHQ postfix/smtp[8325]: 4B68168543FC:
>> to=<cdr.1cor...@1corphq.tcs.mil.in>, orig_to=<cdr.1cor...@tcs.mil.in>,
>> relay=201.123.1.4[201.123.1.4]:25, delay=34, delays=34/0/0/0, dsn=4.7.5,
>> status=deferred (Server certificate not verified)
>
> The server certificate failed to verify.  Perhaps expired, perhaps
> not issued by the CA you've configured, or a missing intermediate
> certificate, or the certificate is not suitable for TLS (maybe it
> has some other extended key usage), or ...
>
>> Can you help me to solve this problem
>
> Not without the requested logging, and copy of the server and CA
> certificates.
>
> --
>       Viktor.
>



Hi Viktor,


TLS logging is as below,


Aug  4 11:52:29 AHQ postfix/smtp[11652]: initializing the client-side TLS
engine
Aug  4 11:52:29 AHQ postfix/smtp[11652]: 201.123.1.4[201.123.1.4]:25: TLS
cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL"
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:before/connect
initialization
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv2/v3 write client
hello A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 read server
hello A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: 201.123.1.4[201.123.1.4]:25:
certificate verification depth=1 verify=1
subject=/C=IN/ST=KARNATAKA/L=BANGALORE/O=BEL/OU=CRL/CN=CA/emailAddress=ca_ad...@bel.co.in
Aug  4 11:52:29 AHQ postfix/smtp[11652]: 201.123.1.4[201.123.1.4]:25:
certificate verification depth=0 verify=1
subject=/C=IN/ST=KARNATAKA/L=BANGALORE/O=BEL/OU=CRL/CN=1CorpHQ/emailaddress=1corphq_smtp_ad...@tcs.mil.in
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 read server
certificate A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 read server key
exchange A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 read server done A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 write client
key exchange A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 write change
cipher spec A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 write finished A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 flush data
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 read server
session ticket A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 read finished A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: 201.123.1.4[201.123.1.4]:25
CommonName 1CorpHQ/emailaddress=1corphq_smtp_ad...@tcs.mil.in
Aug  4 11:52:29 AHQ postfix/smtp[11652]: 201.123.1.4[201.123.1.4]:25:
subject_CN=1CorpHQ/emailaddress=1corphq_smtp_ad...@tcs.mil.in,
issuer_CN=CA/emailAddress=ca_ad...@bel.co.in,
fingerprint=99:EE:C4:42:4B:89:4F:1D:4C:93:18:48:7B:EA:90:9D,
pkey_fingerprint=5D:0D:58:AF:8B:A8:2C:D5:5F:9F:D2:DB:29:89:57:BD
Aug  4 11:52:29 AHQ postfix/smtp[11652]: Trusted TLS connection
established to 201.123.1.4[201.123.1.4]:25: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug  4 11:52:29 AHQ postfix/smtp[11652]: 249ED60E5225:
to=<cdr.1cor...@1corphq.tcs.mil.in>, orig_to=<cdr.1cor...@tcs.mil.in>,
relay=201.123.1.4[201.123.1.4]:25, delay=0.05, delays=0.04/0.01/0.01/0,
dsn=4.7.5, status=deferred (Server certificate not verified)


The tls_policy entry is given below:

[201.123.1.4]:25        secure  match=1CorpHQ


I have checked the server certificate against the CA cert using the openssl
command. It is fine.

[root@AHQ certs]# openssl verify -verbose -CAfile cacert.pem
1corphq_smtp_ad...@tcs.mil.in.pem
1corphq_smtp_ad...@tcs.mil.in.pem: OK

And the same CA certificate exists in ca-bundle.crt.


I'm attaching the 1CorpHQ server certificate details with the mail.

-- 
Thanks & Regards
Hyndavi rapuru
Member (Research Staff)
Central Research Laboratory
Bharat Electronics Ltd
Jalahalli
Bangalore- 560 013

Int Ph No: 134
Off Ph No: 080-28381125
Off Fax No: 28381168



Attachment: certificate
Description: Binary data
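
Added example, not part of the thread or of Postfix: a small triage script run over the log lines and tls_policy entry posted above. In Postfix client logs "Trusted" means the chain validated against a configured CA while the peer name was not matched, and "Verified" means the name matched as well, so the script reports both and compares the logged subject_CN with the policy's match= value. The function names and the simplified name matching (exact or leading-dot only, CN only, since subjectAltName values are not logged) are assumptions of this sketch.

```python
import re

# Log lines copied from the message above (mail line-wraps undone, elided
# addresses left exactly as posted), plus the posted tls_policy entry.
SAMPLE_LOG = """\
Aug  4 11:52:29 AHQ postfix/smtp[11652]: 201.123.1.4[201.123.1.4]:25: subject_CN=1CorpHQ/emailaddress=1corphq_smtp_ad...@tcs.mil.in, issuer_CN=CA/emailAddress=ca_ad...@bel.co.in, fingerprint=99:EE:C4:42:4B:89:4F:1D:4C:93:18:48:7B:EA:90:9D, pkey_fingerprint=5D:0D:58:AF:8B:A8:2C:D5:5F:9F:D2:DB:29:89:57:BD
Aug  4 11:52:29 AHQ postfix/smtp[11652]: Trusted TLS connection established to 201.123.1.4[201.123.1.4]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug  4 11:52:29 AHQ postfix/smtp[11652]: 249ED60E5225: to=<cdr.1cor...@1corphq.tcs.mil.in>, orig_to=<cdr.1cor...@tcs.mil.in>, relay=201.123.1.4[201.123.1.4]:25, delay=0.05, delays=0.04/0.01/0.01/0, dsn=4.7.5, status=deferred (Server certificate not verified)
"""
POLICY_LINE = "[201.123.1.4]:25        secure  match=1CorpHQ"

CN_RE = re.compile(r"(\S+): subject_CN=(.*?), issuer_CN=")
STATUS_RE = re.compile(
    r"(Anonymous|Untrusted|Trusted|Verified) TLS connection established to (\S+): ")

def parse_policy(line):
    """Return (nexthop, level, match patterns) from one tls_policy line."""
    nexthop, level, *attrs = line.split()
    patterns = []
    for attr in attrs:
        key, _, value = attr.partition("=")
        if key == "match":
            patterns += value.split(":")  # match= takes a colon-separated list
    return nexthop, level, patterns

def name_matches(pattern, peer_name):
    """Simplified matching: exact name, or '.domain' for any subdomain."""
    pattern, peer_name = pattern.lower(), peer_name.lower()
    if pattern.startswith("."):
        return peer_name.endswith(pattern)
    return peer_name == pattern

def triage(log_text, policy_line):
    """Separate chain trust from name verification for one delivery attempt."""
    _, level, patterns = parse_policy(policy_line)
    cn = CN_RE.search(log_text)
    status = STATUS_RE.search(log_text)
    state = status.group(1) if status else None
    subject_cn = cn.group(2) if cn else None
    return {
        "level": level,
        "chain_trusted": state in ("Trusted", "Verified"),
        "name_verified": state == "Verified",
        "subject_cn": subject_cn,
        "cn_matches_policy": subject_cn is not None
        and any(name_matches(p, subject_cn) for p in patterns),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, POLICY_LINE).items():
        print(f"{key}: {value}")
```

On the posted lines this reports a trusted chain, no name verification, and a logged subject_CN that is not equal to the match= value, which separates the name check from the chain check that `openssl verify -CAfile` performs.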
