Hi

On Thu, Feb 03, 2022 at 08:24:07AM -0500, Martin Hicks wrote:
> There is an smtp server that is trying to send e-mail to my
> domain, but with an expired certificate:
>
> Feb 2 11:20:52 darwin postfix/smtpd[9181]: warning: TLS library problem:
> error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate
> expired:../ssl/record/rec_layer_s3.c:1544:SSL alert number 45:
>
> It retries from various other hosts as well, r116.mail..., r117, r121,
> etc. but all have the same problem.

I'm mixed up between two problems:
- the remote host tells you that _your_ certificate is expired, or
- you are requesting client certificates on a public MX.

Both are problems on your side. As you forgot to provide all the
information, we can't verify any of that for you.

> Is there a way to configure postfix to accept a TLS connection, despite
> the expired certificate? I looked at smtp_tls_policy, but is that only
> for outbound smtp configuration?

AFAIK Postfix does not care about expired certificates, if it is not
supposed to validate them. But your remote might not be so kind.

> I tried getting more info about the certificate, but even with
> smtpd_tls_loglevel=2
> I don't actually get a copy of the certificate printed in the logs. I'm
> also not able to query the certificate from these servers using `openssl
> s_client`.

Because those are connections _to_ you, so those servers would not
listen to connections at all. And TLS alerts are the other side trying
to tell you something.

Bastian

-- 
No one can guarantee the actions of another.
		-- Spock, "Day of the Dove", stardate unknown
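Added example, not part of the original thread: a small decoder for the "TLS library problem" line quoted above, which unpacks the OpenSSL error code to show whether the alert was received from the peer and which alert it was. It assumes the OpenSSL 1.x packed error layout (8-digit hex code, as in the quoted log); the function names and the sample line joined onto one line are constructed for illustration.

```python
import re

# Constructed from the log line quoted in the message above (joined onto one line).
SAMPLE = ("Feb 2 11:20:52 darwin postfix/smtpd[9181]: warning: TLS library problem: "
          "error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate "
          "expired:../ssl/record/rec_layer_s3.c:1544:SSL alert number 45:")

ERR_LIB_SSL = 20             # OpenSSL library number for libssl
SSL_AD_REASON_OFFSET = 1000  # reason codes above this report an alert received from the peer
ALERTS = {42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
          45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca"}  # RFC 5246 subset

LINE_RE = re.compile(r"postfix/(?P<daemon>smtpd?)\[\d+\]: warning: TLS library problem: "
                     r"error:(?P<code>[0-9A-Fa-f]{8}):[^:]*:(?P<func>[^:]*):")

def decode_tls_problem(line):
    """Return a dict describing the OpenSSL error in a Postfix log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"), 16)
    # OpenSSL 1.x packing: 8 bits library, 12 bits function, 12 bits reason.
    lib, reason = (code >> 24) & 0xFF, code & 0xFFF
    from_peer = lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET
    alert = reason - SSL_AD_REASON_OFFSET if from_peer else None
    return {
        "daemon": m.group("daemon"),   # smtpd = inbound connection, smtp = outbound
        "function": m.group("func"),
        "alert_from_peer": from_peer,
        "alert": alert,
        "alert_name": ALERTS.get(alert),
    }

def explain(line):
    """One-line summary of who raised the TLS problem."""
    d = decode_tls_problem(line)
    if d is None:
        return "no TLS library problem in this line"
    if not d["alert_from_peer"]:
        return "local OpenSSL error in %s, not an alert from the peer" % d["function"]
    role = "client connecting to us" if d["daemon"] == "smtpd" else "server we connected to"
    return "the %s sent alert %d (%s)" % (role, d["alert"], d["alert_name"] or "unknown")

if __name__ == "__main__":
    print(explain(SAMPLE))
```
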