On Thu, Feb 03, 2022 at 08:24:07AM -0500, Martin Hicks wrote:
There is an SMTP server that is trying to send e-mail to my
domain, but with an expired certificate:
Feb  2 11:20:52 darwin postfix/smtpd[9181]: warning: TLS library problem: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:../ssl/record/rec_layer_s3.c:1544:SSL alert number 45:
It retries from various other hosts as well, r116.mail..., r117, r121,
etc. but all have the same problem.

On 03.02.22 14:45, Bastian Blank wrote:
I'm mixed up between two problems:
- the remote host tells you that _your_ certificate is expired, or

it might be this:

% openssl s_client -connect darwin.bork.org:25 -starttls smtp
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = darwin.bork.org
verify return:1
---
Certificate chain
0 s:CN = darwin.bork.org
  i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
  i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
  i:O = Digital Signature Trust Co., CN = DST Root CA X3

the third certificate is expired, but the second one is already trusted by a
root CA, so the third should not be evaluated.

looks like Let's Encrypt still provides this certificate, and that many
clients check for the third one even if it should be skipped after verifying
the second one.


I have Let's Encrypt certificates on multiple mail servers but I have not
encountered such an issue yet
- hard to say if this is an aircanada problem or whether it happens with other clients.

- you are requesting client certificates on a public MX.

this would be a problem.

Both are problems on your side.  As you forgot to provide all
the information, we can't verify any of that for you.

Is there a way to configure postfix to accept a TLS connection, despite
the expired certificate?  I looked at smtp_tls_policy, but is that only
for outbound smtp configuration?

AFAIK Postfix does not care about expired certificates, if it is not
supposed to validate them.  But your remote might not be so kind.

I tried getting more info about the certificate, but even with 
smtpd_tls_loglevel=2
I don't actually get a copy of the certificate printed in the logs.  I'm
also not able to query the certificate from these servers using `openssl
s_client`.

Because those are connections _to_ you, so those servers would not
listen for connections at all.  And TLS alerts are the other side
trying to tell you something.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Posli tento mail 100 svojim znamim - nech vidia aky si idiot
Send this email to 100 your friends - let them see what an idiot you are
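Added example, not part of this thread and not Postfix or OpenSSL code: a Python script that decodes Postfix "TLS library problem" warnings along the lines Bastian points out. An alert logged from ssl3_read_bytes ("sslv3 alert certificate expired", "tlsv1 alert unknown ca", ...) is an alert *received* from the peer, i.e. the remote side verified the certificate this Postfix sent and refused it, and OpenSSL 1.1.x encodes it as reason 1000 + the TLS AlertDescription number (0x415 = 1045 = 45 here). "certificate verify failed" is the opposite case: the local OpenSSL rejecting what the peer presented. The script also ties each warning to the "connect from" line logged by the same smtpd process, so the summary shows which remote hosts are complaining, which is what Martin could not see from the warning alone. The log lines, hostnames and addresses below are constructed to mirror the format quoted in the thread.

```python
"""Classify Postfix 'TLS library problem' warnings by which side rejected
whose certificate, and attribute each one to the peer connected to that
smtpd process at the time (added example; sample log is constructed)."""
import re
from collections import Counter

# TLS AlertDescription values (RFC 5246 s.7.2, RFC 8446 s.6) relevant to
# certificate problems on a mail server.
ALERT_NAMES = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 112: "unrecognized_name",
    116: "certificate_required",
}

# syslog prefix:  "Feb  2 11:20:52 darwin postfix/smtpd[9181]: <msg>"
PREFIX_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<proc>smtpd|smtp)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"^connect from (?P<peer>\S+)$")
# OpenSSL error string as Postfix logs it; the file:line and the trailing
# "SSL alert number N:" are optional.
TLS_ERR_RE = re.compile(
    r"^warning: TLS library problem: error:(?P<code>[0-9A-Fa-f]{8}):SSL routines:"
    r"(?P<func>[^:]+):(?P<reason>[^:]+)(?::[^:]*:\d+:)?(?:SSL alert number (?P<alert>\d+):)?"
)


def classify_tls_error(proc, code, reason, alert):
    """Decide which side rejected whose certificate from one OpenSSL error."""
    reason_code = int(code, 16) & 0xFFF  # low 12 bits of ERR_PACK(): the SSL_R_* reason
    our_role = "server" if proc == "smtpd" else "client"
    if reason.startswith(("sslv3 alert ", "tlsv1 alert ", "tlsv13 alert ")):
        # Alert received from the peer: it refused the certificate WE sent.
        # Prefer the explicit number Postfix appends; fall back to reason-1000.
        number = int(alert) if alert is not None else reason_code - 1000
        return {"direction": "received", "alert": number,
                "alert_name": ALERT_NAMES.get(number, "alert_%d" % number),
                "whose_cert": "ours", "our_role": our_role}
    if reason == "certificate verify failed":
        # Our own OpenSSL rejected the certificate the peer presented.
        return {"direction": "local", "alert": None, "alert_name": None,
                "whose_cert": "peer", "our_role": our_role}
    return {"direction": "unknown", "alert": None, "alert_name": None,
            "whose_cert": None, "our_role": our_role}


def analyze(lines):
    """Walk log lines in order; return one record per TLS error, with the peer
    from the most recent 'connect from' logged by the same process."""
    last_peer = {}  # (proc, pid) -> peer
    records = []
    for line in lines:
        m = PREFIX_RE.match(line)
        if not m:
            continue
        key = (m["proc"], m["pid"])
        c = CONNECT_RE.match(m["msg"])
        if c:
            last_peer[key] = c["peer"]
            continue
        e = TLS_ERR_RE.match(m["msg"])
        if e:
            rec = classify_tls_error(m["proc"], e["code"], e["reason"], e["alert"])
            rec.update(ts=m["ts"], proc=m["proc"], pid=m["pid"],
                       func=e["func"], peer=last_peer.get(key))
            records.append(rec)
    return records


def summarize(records):
    """Count (whose_cert, alert_name-or-direction) pairs and the peers behind each."""
    counts, peers = Counter(), {}
    for r in records:
        k = (r["whose_cert"], r["alert_name"] or r["direction"])
        counts[k] += 1
        peers.setdefault(k, set()).add(r["peer"])
    return counts, peers


# Constructed sample log (not real traffic); hostnames/addresses are made up.
SAMPLE_LOG = """\
Feb  2 11:20:51 darwin postfix/smtpd[9181]: connect from r116.mail.example.net[192.0.2.116]
Feb  2 11:20:52 darwin postfix/smtpd[9181]: warning: TLS library problem: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:../ssl/record/rec_layer_s3.c:1544:SSL alert number 45:
Feb  2 11:20:52 darwin postfix/smtpd[9181]: lost connection after STARTTLS from r116.mail.example.net[192.0.2.116]
Feb  2 11:21:03 darwin postfix/smtpd[9182]: connect from r117.mail.example.net[192.0.2.117]
Feb  2 11:21:04 darwin postfix/smtpd[9182]: warning: TLS library problem: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:../ssl/record/rec_layer_s3.c:1544:SSL alert number 45:
Feb  2 11:30:10 darwin postfix/smtp[9300]: warning: TLS library problem: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1915:
Feb  2 11:40:00 darwin postfix/smtpd[9190]: connect from mx.example.org[198.51.100.7]
Feb  2 11:40:01 darwin postfix/smtpd[9190]: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1544:SSL alert number 48:
"""

if __name__ == "__main__":
    counts, peers = summarize(analyze(SAMPLE_LOG.splitlines()))
    for (whose, what), n in counts.most_common():
        print("%s cert, %s: %d  from %s" % (whose, what, n, sorted(map(str, peers[(whose, what)]))))
```

Run it on your own mail log instead of SAMPLE_LOG (for example `analyze(open("/var/log/mail.log"))`). If the summary shows peers rejecting "ours" with certificate_expired, the next step is the one Matus took above: fetch the chain you actually serve with `openssl s_client -connect host:25 -starttls smtp -showcerts` and inspect each certificate's expiry and issuer, rather than chasing the remote servers.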
