I am unable to receive mail from my Comcast friends at my Postfix server
(postfix-3.2.0-2.6.1 on openSUSE 42.3 with openssl-1.0.2j). As far as I
know only Comcast has a problem sending me mail. I have tried asking
Comcast for help, but they are useless. I am hoping someone on this list
can suggest debugging advice to figure out what the problem might be.

Comcast claims a TLS certificate verify failure. I have checked the TLS
connection process with

openssl s_client -connect maple.killian.com:25 -starttls smtp

and it looks good. I also checked with https://www.checktls.com and got
all 100%. The certificate being used was issued by the EFF's certbot /
Let's Encrypt project and passed to postfix with smtpd_tls_key_file and
smtpd_tls_cert_file.

Here is the Comcast bounce message my friend received (some deletions
for privacy):

From: mailer-dae...@comcast.net [mailto:mailer-dae...@comcast.net]
Sent: Sunday, February 09, 2020 10:59 PM
To: [snip]
Subject: Temporary Failure

     This is an automatically generated Delivery Status Notification.     

Delivery to the following recipients was aborted after 6.5 hour(s):

 * [snip]

Reason: Temporary Failure

Reporting-MTA: dns; resqmta-ch2-07v.sys.comcast.net [69.252.207.39]
Received-From-MTA: dns; resomta-ch2-16v.sys.comcast.net [69.252.207.112]
Arrival-Date: Sun, 09 Feb 2020 21:32:03 +0000


Final-recipient: rfc822; [snip]
Diagnostic-Code: smtp; TLS negotiation: certificate verify failed
Last-attempt-Date: Mon, 10 Feb 2020 03:59:23 +0000

Here is some of the server log from a different connection attempt
(after I set debug_peer_list = 69.252.207.0/24 and debug_peer_level = 2)
(deletions of smtpd_client_event_limit_exceptions lines for privacy):

Feb 14 08:53:16 maple kernel: FW-ACC-TCP IN=eth0 OUT=
MAC=00:30:48:62:9c:18:7c:1c:f1:8e:5a:42:08:00 SRC=69.252.207.44
DST=199.165.155.8 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=45494 DF PROTO=TCP
SPT=41255 DPT=25 WINDOW=14600 RES=0x00 SYN URGP=0 OPT
(020405B40101080A16FC2A350000000001030303)
Feb 14 08:53:17 maple postfix/smtpd[14512]: connect from
resqmta-ch2-12v.sys.comcast.net[69.252.207.44]
Feb 14 08:53:17 maple postfix/smtpd[14512]: smtp_stream_setup:
maxtime=300 enable_deadline=0
[snipped]
Feb 14 08:53:17 maple postfix/smtpd[14512]: match_list_match:
resqmta-ch2-12v.sys.comcast.net: no match
Feb 14 08:53:17 maple postfix/smtpd[14512]: match_list_match:
69.252.207.44: no match
Feb 14 08:53:17 maple postfix/smtpd[14512]: auto_clnt_open: connected to
private/anvil
Feb 14 08:53:17 maple postfix/smtpd[14512]: send attr request = connect
Feb 14 08:53:17 maple postfix/smtpd[14512]: send attr ident =
smtp:69.252.207.44
Feb 14 08:53:17 maple postfix/smtpd[14512]: private/anvil: wanted
attribute: status
Feb 14 08:53:17 maple postfix/smtpd[14512]: input attribute name: status
Feb 14 08:53:17 maple postfix/smtpd[14512]: input attribute value: 0
Feb 14 08:53:17 maple postfix/smtpd[14512]: private/anvil: wanted
attribute: count
Feb 14 08:53:17 maple postfix/smtpd[14512]: input attribute name: count
Feb 14 08:53:17 maple postfix/smtpd[14512]: input attribute value: 1
Feb 14 08:53:17 maple postfix/smtpd[14512]: private/anvil: wanted
attribute: rate
Feb 14 08:53:17 maple postfix/smtpd[14512]: input attribute name: rate
Feb 14 08:53:17 maple postfix/smtpd[14512]: input attribute value: 1
Feb 14 08:53:17 maple postfix/smtpd[14512]: private/anvil: wanted
attribute: (list terminator)
Feb 14 08:53:17 maple postfix/smtpd[14512]: input attribute name: (end)
Feb 14 08:53:17 maple postfix/smtpd[14512]: >
resqmta-ch2-12v.sys.comcast.net[69.252.207.44]: 220 maple.killian.com
ESMTP By proceeding, you agree to the terms and conditions in
http://www.killian.com/spam.html.  If you do not agree, quit
immediately.  In particular, DO NOT send unsolicited commercial email
(i.e. spam) to this site.  We reserve the right to charge US$5000 per
violation.
Feb 14 08:53:17 maple postfix/smtpd[14512]: watchdog_pat: 0x555db41d0c10
Feb 14 08:53:17 maple postfix/smtpd[14512]: <
resqmta-ch2-12v.sys.comcast.net[69.252.207.44]: EHLO
resqmta-ch2-12v.sys.comcast.net
Feb 14 08:53:17 maple postfix/smtpd[14512]: match_list_match:
resqmta-ch2-12v.sys.comcast.net: no match
Feb 14 08:53:17 maple postfix/smtpd[14512]: match_list_match:
69.252.207.44: no match
Feb 14 08:53:17 maple postfix/smtpd[14512]: >
resqmta-ch2-12v.sys.comcast.net[69.252.207.44]: 250-maple.killian.com
Feb 14 08:53:17 maple postfix/smtpd[14512]: >
resqmta-ch2-12v.sys.comcast.net[69.252.207.44]: 250-PIPELINING
Feb 14 08:53:17 maple postfix/smtpd[14512]: >
resqmta-ch2-12v.sys.comcast.net[69.252.207.44]: 250-SIZE 80000000
Feb 14 08:53:17 maple postfix/smtpd[14512]: >
resqmta-ch2-12v.sys.comcast.net[69.252.207.44]: 250-ETRN
Feb 14 08:53:17 maple postfix/smtpd[14512]: >
resqmta-ch2-12v.sys.comcast.net[69.252.207.44]: 250-STARTTLS
Feb 14 08:53:17 maple postfix/smtpd[14512]: >
resqmta-ch2-12v.sys.comcast.net[69.252.207.44]: 250-ENHANCEDSTATUSCODES
Feb 14 08:53:17 maple postfix/smtpd[14512]: >
resqmta-ch2-12v.sys.comcast.net[69.252.207.44]: 250-8BITMIME
Feb 14 08:53:17 maple postfix/smtpd[14512]: >
resqmta-ch2-12v.sys.comcast.net[69.252.207.44]: 250 DSN
Feb 14 08:53:17 maple postfix/smtpd[14512]: watchdog_pat: 0x555db41d0c10
Feb 14 08:53:17 maple postfix/smtpd[14512]: <
resqmta-ch2-12v.sys.comcast.net[69.252.207.44]: STARTTLS
Feb 14 08:53:17 maple postfix/smtpd[14512]: >
resqmta-ch2-12v.sys.comcast.net[69.252.207.44]: 220 2.0.0 Ready to start TLS
Feb 14 08:53:17 maple postfix/smtpd[14512]: send attr request = seed
Feb 14 08:53:17 maple postfix/smtpd[14512]: send attr size = 32
Feb 14 08:53:17 maple postfix/smtpd[14512]: private/tlsmgr: wanted
attribute: status
Feb 14 08:53:17 maple postfix/smtpd[14512]: input attribute name: status
Feb 14 08:53:17 maple postfix/smtpd[14512]: input attribute value: 0
Feb 14 08:53:17 maple postfix/smtpd[14512]: private/tlsmgr: wanted
attribute: seed
Feb 14 08:53:17 maple postfix/smtpd[14512]: input attribute name: seed
Feb 14 08:53:17 maple postfix/smtpd[14512]: input attribute value:
UyM2p2Rixq0C0knqtSxx8pfYa5Vm5ijixD9+YOoXGJM=
Feb 14 08:53:17 maple postfix/smtpd[14512]: private/tlsmgr: wanted
attribute: (list terminator)
Feb 14 08:53:17 maple postfix/smtpd[14512]: input attribute name: (end)
Feb 14 08:53:17 maple postfix/smtpd[14512]: SSL_accept error from
resqmta-ch2-12v.sys.comcast.net[69.252.207.44]: 0
Feb 14 08:53:17 maple postfix/smtpd[14512]: warning: TLS library
problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
certificate:s3_pkt.c:1487:SSL alert number 42:
[snip]
Feb 14 08:53:17 maple postfix/smtpd[14512]: match_list_match:
resqmta-ch2-12v.sys.comcast.net: no match
Feb 14 08:53:17 maple postfix/smtpd[14512]: match_list_match:
69.252.207.44: no match
Feb 14 08:53:17 maple postfix/smtpd[14512]: send attr request = disconnect
Feb 14 08:53:17 maple postfix/smtpd[14512]: send attr ident =
smtp:69.252.207.44
Feb 14 08:53:17 maple postfix/smtpd[14512]: private/anvil: wanted
attribute: status
Feb 14 08:53:17 maple postfix/smtpd[14512]: input attribute name: status
Feb 14 08:53:17 maple postfix/smtpd[14512]: input attribute value: 0
Feb 14 08:53:17 maple postfix/smtpd[14512]: private/anvil: wanted
attribute: (list terminator)
Feb 14 08:53:17 maple postfix/smtpd[14512]: input attribute name: (end)
Feb 14 08:53:17 maple postfix/smtpd[14512]: lost connection after
STARTTLS from resqmta-ch2-12v.sys.comcast.net[69.252.207.44]
Feb 14 08:53:17 maple postfix/smtpd[14512]: disconnect from
resqmta-ch2-12v.sys.comcast.net[69.252.207.44] ehlo=1 starttls=0/1
commands=1/2


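Editor's added example, not part of the post above and not Postfix or Comcast code. The bounce ("TLS negotiation: certificate verify failed") and the server-side log ("sslv3 alert bad certificate ... SSL alert number 42") both say that the remote MTA, not the local server, rejected the certificate chain it was sent. A local `openssl s_client` check can look fine while a peer that trusts only the root CA still fails, because the peer sees exactly the certificates in smtpd_tls_cert_file and nothing else. The script below builds a throwaway root, intermediate and leaf certificate offline (all names, including the hostname mta.example.test, are constructed) and then verifies the leaf the way such a peer would, once with the leaf alone and once with the leaf plus its intermediate. One general cause of this symptom, which the script demonstrates, is a cert file that carries only the leaf; whether that applies to the server in the post is not something the post itself shows. On a live server the same comparison is `openssl s_client -connect HOST:25 -starttls smtp -showcerts`, which prints every certificate the server actually sends.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce offline the check a
# receiving MTA performs on a STARTTLS server certificate, and show how the
# result differs when the server presents only its leaf certificate versus the
# leaf plus the issuing intermediate. All names, keys and files below are
# constructed for the demo; "mta.example.test" stands in for the real hostname.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config so 'openssl req' works without a system openssl.cnf;
# -subj supplies the real names.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF
# Extensions for CA certificates (root and intermediate) and for the leaf.
cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
cat > leaf.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mta.example.test
EOF

# gen_csr NAME CN: fresh RSA key plus CSR.
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" -config req.cnf >/dev/null 2>&1
}

gen_csr root "Demo Root CA"
gen_csr int  "Demo Intermediate CA"
gen_csr leaf "mta.example.test"

# Root: self-signed. Intermediate: signed by root. Leaf: signed by intermediate.
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
  -out root.pem >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.ext -out int.pem >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 30 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1

# Two candidate files for smtpd_tls_cert_file: leaf alone, or leaf + intermediate.
cp leaf.pem leaf_only.pem
cat leaf.pem int.pem > fullchain.pem

# cert_count FILE: number of certificates the server would send from FILE.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# show_chain FILE: subject/issuer of every certificate in FILE, in order.
show_chain() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# verify_chain FILE: verify the first certificate in FILE (the leaf) exactly as
# a peer that trusts only root.pem would: the other certificates in FILE are
# available as untrusted chain material, nothing else. Also checks the hostname.
verify_chain() {
  openssl verify -CAfile root.pem -untrusted "$1" \
    -verify_hostname mta.example.test "$1" >/dev/null 2>&1
}

# chain_status FILE: human-readable verdict for FILE.
chain_status() {
  if verify_chain "$1"; then echo "verify OK"; else echo "verify FAILED"; fi
}

for f in leaf_only.pem fullchain.pem; do
  echo "== $f ($(cert_count "$f") certificate(s)): $(chain_status "$f")"
  show_chain "$f"
  # For the failing case, print the verifier's own error text as well.
  verify_chain "$f" || openssl verify -CAfile root.pem -untrusted "$f" "$f" 2>&1 | tail -n 1
done
```

The leaf-only file fails with "unable to get local issuer certificate", which is the same class of failure a remote MTA reports as "certificate verify failed"; the file containing leaf plus intermediate verifies. For a Let's Encrypt deployment the practical check is therefore which file smtpd_tls_cert_file points at and how many certificates it contains, compared with what `-showcerts` shows being sent.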