Hi,

After searching and trying all sorts of solutions for the error below and ending up at the same point every time, I thought I would turn once again to the knowledge of some more skilled Linux users, RLUG. I have a Postfix that serves as a mail gateway for Exchange (a subject discussed here a while ago), and I can't get its TLS to work with a self-signed certificate.

/etc/postfix/main.cf:

# TLS parameters
smtpd_tls_CAfile = /etc/pki/tls/certs/CA-mail.xxxx.ro.crt
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.xxxx.ro.crt
smtpd_tls_key_file = /etc/pki/tls/certs/mail.xxxxxx.ro.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_CAfile = /etc/pki/tls/certs/CA-mail.xxxx.ro.crt
smtp_tls_cert_file = /etc/pki/tls/certs/mail.xxxxx.ro.crt
smtp_tls_key_file = /etc/pki/tls/certs/mail.xxxx.ro.key
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtp_use_tls = yes
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_loglevel = 1
tls_random_source = dev:/dev/urandom
# TLS end

openssl s_client -connect mail.xxxx.ro:25 -starttls smtp
CONNECTED(00000003)
depth=0 /C=RO/ST=Bucuresti/L=Bucuresti/O=XXXXXX SA/OU=XXXXXX SA/CN=mail.xxxxx.ro/emailAddress=catalin.vasile...@xxxxx.ro
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=RO/ST=Bucuresti/L=Bucuresti/O=XXXXXXXX SA/OU=XXXXXXX SA/CN=mail.XXXXXX.ro/emailAddress=catalin.vasile...@xxxxx.ro
verify return:1
---
Certificate chain
 0 s:/C=RO/ST=Bucuresti/L=Bucuresti/O=xxxxxxxx SA/OU=xxxxxx SA/CN=mail.xxxxxxxx.ro/emailAddress=catalin.vasile...@xxxxxx.ro
   i:/C=RO/ST=Bucuresti/L=Bucuresti/O=xxxxxxxxxSA/OU=xxxxxxx SA/CN=mail.xxxxxxx.ro/emailAddress=catalin.vasile...@xxxxxx.ro
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body removed]
-----END CERTIFICATE-----
subject=/C=RO/ST=Bucuresti/L=Bucuresti/O=xxxxxxx SA/OU=xxxxxxxxxxxx SA/CN=mail.xxxxxx.ro/emailAddress=catalin.vasile...@xxxxxxx.ro
issuer=/C=RO/ST=Bucuresti/L=Bucuresti/O=xxxxxxxx SA/OU=xxxxx SA/CN=mail.xxxxx.ro/emailAddress=catalin.vasile...@xxx.ro
---
Acceptable client certificate CA names
/C=RO/ST=Bucuresti/L=Bucuresti/O=xxxxxxxx xxxxxxxx SA/OU=xxxxxxxxxxxx/CN=mail.xxxxxxxx.ro/emailAddress=catalin.vasile...@xxxxxxx.ro
---
SSL handshake has read 2076 bytes and written 366 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 5956AC85B99C5858D845A2206D16FC5D797D7EEB5925E0F089EE580B9598C31F
    Session-ID-ctx:
    Master-Key: A5B4D9EA48B10874AF18DFC5531A6B3514B3845B40D51AE913A2B0D721493EEEC99DE85494996B133BFA4886E934F386
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1386247413
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
250 DSN

telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.xxxxx.ro ESMTP Postfix
EHLO xxxxxxxxx.ro
250-mail.xxxxx.ro
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
STARTTLS
220 2.0.0 Ready to start TLS

-----------------------------------------------------------
Catalin Vasilescu
_______________________________________________
RLUG mailing list
RLUG@lists.lug.ro
http://lists.lug.ro/mailman/listinfo/rlug
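
Added example, not part of the original post: a small shell function that reads `openssl s_client` output like the session above and reports separately whether a TLS session was negotiated and whether the certificate verified; verify code 18 only says that the client does not trust the self-signed certificate. The function names and the sample hostname are assumptions, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: triage `openssl s_client` output read from stdin.

# Constructed sample (placeholder hostname), same shape as the output in the post.
sample_output() {
cat <<'EOF'
CONNECTED(00000003)
depth=0 /C=RO/CN=mail.example.test
verify error:num=18:self signed certificate
verify return:1
---
subject=/C=RO/CN=mail.example.test
issuer=/C=RO/CN=mail.example.test
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Verify return code: 18 (self signed certificate)
---
250 DSN
EOF
}

# Prints one verdict line. Exit status: 0 = chain verified,
# 1 = TLS negotiated but certificate not trusted, 2 = no TLS session.
triage_s_client() {
    awk '
        /^subject=/           { subject = substr($0, 9) }
        /^issuer=/            { issuer  = substr($0, 8) }
        /Cipher is /          { cipher  = $NF }
        /Verify return code:/ { code    = $4 }
        END {
            # A failed handshake reports "Cipher is (NONE)" or nothing at all.
            if (cipher == "" || cipher == "(NONE)") {
                print "handshake=failed"
                exit 2
            }
            if (code == "") code = "none"
            # Identical subject and issuer means the leaf is self-signed.
            ss = (subject != "" && subject == issuer) ? "yes" : "no"
            printf "handshake=ok cipher=%s verify=%s selfsigned=%s\n", cipher, code, ss
            rc = (code == 0) ? 0 : 1
            exit rc
        }
    '
}

sample_output | triage_s_client || true
```

Against a live server, pipe the real command into it: `openssl s_client -connect host:25 -starttls smtp </dev/null 2>&1 | triage_s_client`. Adding `-CAfile` with the self-signed certificate to that `s_client` call makes the client trust it, and the verify code becomes 0.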