Re: New server using old server config, alert unknown ca error

2013-12-28 Thread Viktor Dukhovni
On Sat, Dec 28, 2013 at 11:57:23AM -0500, Charles Marcus wrote:

> I use PostfixAdmin, and its vacation.pl script for managing vacation
> messages, and it is the sending of the vacation message that fails
> with the subject error: error:14094418:SSL
> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

The Postfix SMTP server received a fatal unknown CA alert
from the SMTP client.  Therefore, if your server's certificate
chain is correctly configured, the problem is with the SMTP client.

> I basically copied everything over from the old/working server,
> tweaking only for the new hostname, and I've triple checked that the
> /etc/ssl CA dir and certs dirs are there with correct perms, etc.

If your old Postfix version was sufficiently ancient, the completeness
of the server's certificate chain might have relied on:

http://www.postfix.org/postconf.5.html#tls_append_default_CA

You should not set this to "yes" long-term.  Rather, test whether
this makes a difference.  If it does, add any missing CA certificates
to smtpd_tls_cert_file.  See "Creating the server certificate
file" under:

http://www.postfix.org/TLS_README.html#server_cert_key

> I also did try temporarily changing the localhost alias and
> $myhostname to the same as the old server, with the same
> result/error.

The problem is with the trust chain, not peername verification;
re-arranging the deck chairs on the Titanic does not fix the hull
design.

> 2013-12-28T11:04:58-05:00 newhost postfix-25/smtpd[10620]: connect
>   from newhost.example.com[127.0.0.1]
> 2013-12-28T11:04:58-05:00 newhost postfix-25/smtpd[10620]:
>   SSL_accept error from newhost.example.com[127.0.0.1]: 0
> 2013-12-28T11:04:58-05:00 newhost postfix-25/smtpd[10620]:
>   warning: TLS library problem: 10620:error:14094418:SSL
>   routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1256:SSL
>   alert number 48:
> 2013-12-28T11:04:58-05:00 newhost postfix-25/smtpd[10620]: lost
>   connection after STARTTLS from newhost.example.com[127.0.0.1]
> 2013-12-28T11:04:58-05:00 newhost postfix-25/smtpd[10620]:
>   disconnect from newhost.example.com[127.0.0.1]

What is the client program that connects to the SMTP server?

Postfix configuration is largely irrelevant; you have a problem
with the SMTP *client*, which is not Postfix.  The *client* does
not trust the server's CA and sends a fatal SSL alert message.

-- 
Viktor.
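The point Viktor makes above, that an "unknown ca" alert is the client's verdict on the chain the server presented, can be reproduced offline. The script below is an added example written for this page, not code from the thread or from Postfix. It builds a throwaway root CA, intermediate CA and server certificate in a temp directory (all names are made up), then emulates a client that trusts only the root with `openssl verify`, handing it first a leaf-only certificate file and then a file with the intermediate appended, the two candidate contents for smtpd_tls_cert_file. The first fails to chain (what a real client answers with alert number 48), the second verifies.

```shell
#!/bin/sh
# Added example (not from the thread or from Postfix): reproduce the
# "unknown ca" failure offline and show that appending the issuing CA
# certificate to the server's certificate file cures it.
#
# All names, keys and certificates below are throwaway test material
# created in a temp directory; nothing here is the poster's real PKI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a three-level test PKI: root CA -> intermediate CA -> server leaf.
gen_test_pki() {
  # Extensions for the CA certificates: CA:TRUE is required before
  # OpenSSL will accept a certificate as an issuer in a chain.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:newhost.example.com\n' \
    > "$WORK/server.ext"

  # Root CA: self-signed.
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Root CA' \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -days 365 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

  # Intermediate CA: signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate CA' \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/ca.ext" \
    -out "$WORK/inter.pem" 2>/dev/null

  # Server certificate: signed by the intermediate, as a public CA would do.
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=newhost.example.com' \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/server.ext" \
    -out "$WORK/server.pem" 2>/dev/null

  # Two candidate contents for smtpd_tls_cert_file:
  #   leaf_only.pem - just the server certificate (the broken setup)
  #   chain.pem     - server certificate first, then the intermediate CA
  cp "$WORK/server.pem" "$WORK/leaf_only.pem"
  cat "$WORK/server.pem" "$WORK/inter.pem" > "$WORK/chain.pem"
}

# Emulate an SMTP client that trusts only the root CA and is handed the
# contents of CERTFILE by the server during the handshake.  Exit status 0
# means the client can build a trusted chain; non-zero means it cannot,
# which is when a real client sends the fatal "unknown ca" alert (48).
client_accepts_chain() {
  certfile="$1"
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/$certfile" \
    "$WORK/server.pem" >/dev/null 2>&1
}

main() {
  gen_test_pki
  for f in leaf_only.pem chain.pem; do
    if client_accepts_chain "$f"; then
      echo "$f: chain verifies, client would proceed"
    else
      echo "$f: chain does NOT verify, client would send 'unknown ca'"
    fi
  done
}

main
```

Against a live server the equivalent check is `openssl s_client -starttls smtp -connect newhost.example.com:25 -showcerts`, optionally with `-CAfile` pointing at the same trust store the failing client uses: the output lists every certificate the server actually sent and ends with a "Verify return code" line. Order matters in smtpd_tls_cert_file: the server certificate comes first, followed by the intermediate CA certificates, as the TLS_README section linked above describes.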
 


Re: New server using old server config, alert unknown ca error

2013-12-28 Thread Charles Marcus

On 2013-12-28 12:41 PM, Viktor Dukhovni postfix-us...@dukhovni.org wrote:

> On Sat, Dec 28, 2013 at 11:57:23AM -0500, Charles Marcus wrote:
>
> > I use PostfixAdmin, and its vacation.pl script for managing vacation
> > messages, and it is the sending of the vacation message that fails
> > with the subject error: error:14094418:SSL
> > routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>
> The Postfix SMTP server received a fatal unknown CA alert
> from the SMTP client.  Therefore, if your server's certificate
> chain is correctly configured, the problem is with the SMTP client.


Well, dang... thanks Victor, as usual you are dead on target.

This jiggled something in my memory from some time ago...

vacation.pl is, obviously, a Perl script, so is using Perl's
Mail::Sender module.

A year or more ago, I had a problem after some system updates where
updating to Perl's Mail-Sender v0.8.22 caused a problem with none other
than vacation.pl...

A quick check revealed that the new system was using 0.8.22. A quick
downgrade to 0.8.21 resolved the problem.
Thanks again!



Re: New server using old server config, alert unknown ca error

2013-12-28 Thread Viktor Dukhovni
On Sat, Dec 28, 2013 at 01:10:55PM -0500, Charles Marcus wrote:

> vacation.pl is, obviously, a perl script, so is using perl's
> Mail::Sender module.

I think vacation.pl should be using sendmail(1) rather than SMTP
to inject auto-response messages.  The documentation for Mail::Sender
v0.8.22 includes:

 TLS_allowed

If set to a true value Mail::Sender attempts to use TLS
(SSL encrypted connection) whenever the server supports it
and you have IO::Socket::SSL and Net::SSLeay.

The default value of this option is TRUE! This means that
if Mail::Sender can send the data encrypted, it will.

If TLS_allowed insists on authentication, then having it on by
default is rather unwise.  You may be able to unset this, but better
yet, use local submission rather than SMTP for vacation re-injection.

-- 
Viktor.


Re: New server using old server config, alert unknown ca error

2013-12-28 Thread Charles Marcus

On 2013-12-28 1:31 PM, Viktor Dukhovni postfix-us...@dukhovni.org wrote:

> On Sat, Dec 28, 2013 at 01:10:55PM -0500, Charles Marcus wrote:
>
> > vacation.pl is, obviously, a perl script, so is using perl's
> > Mail::Sender module.
>
> I think vacation.pl should be using sendmail(1) rather than SMTP
> to inject auto-response messages.  The documentation for Mail::Sender
> v0.8.22 includes:
>
>  TLS_allowed
>
> If set to a true value Mail::Sender attempts to use TLS
> (SSL encrypted connection) whenever the server supports it
> and you have IO::Socket::SSL and Net::SSLeay.
>
> The default value of this option is TRUE! This means that
> if Mail::Sender can send the data encrypted, it will.
>
> If TLS_allowed insists on authentication, then having it on by
> default is rather unwise.  You may be able to unset this, but better
> yet, use local submission rather than SMTP for vacation re-injection.


Thanks Victor, but apparently this is actually a bug in Mail::Sender 
that only revealed itself when they changed the TLS default to true in 
0.8.22.


https://rt.cpan.org/Public/Bug/Display.html?id=85438

I've temporarily disabled TLS in vacation.pl until it is fixed...



Re: New server using old server config, alert unknown ca error

2013-12-28 Thread Viktor Dukhovni
On Sat, Dec 28, 2013 at 02:49:01PM -0500, Charles Marcus wrote:

> > If TLS_allowed insists on authentication, then having it on by
> > default is rather unwise.  You may be able to unset this, but better
> > yet, use local submission rather than SMTP for vacation re-injection.
>
> Thanks Victor, but apparently this is actually a bug in Mail::Sender
> that only revealed itself when they changed the TLS default to true
> in 0.8.22.
>
> https://rt.cpan.org/Public/Bug/Display.html?id=85438
>
> I've temporarily disabled TLS in vacation.pl until it is fixed...

Why temporarily?  It makes no sense to encrypt when sending to
127.0.0.1.  You can't hide your plaintext from the O/S kernel.
Since the SMTP server is on port 25 only root can listen there, so
there is no reason to authenticate localhost:25 either.

-- 
Viktor.


Re: New server using old server config, alert unknown ca error

2013-12-28 Thread Charles Marcus

On 2013-12-28 3:11 PM, Viktor Dukhovni postfix-us...@dukhovni.org wrote:

> On Sat, Dec 28, 2013 at 02:49:01PM -0500, Charles Marcus wrote:
>
> > > If TLS_allowed insists on authentication, then having it on by
> > > default is rather unwise.  You may be able to unset this, but better
> > > yet, use local submission rather than SMTP for vacation re-injection.
> >
> > Thanks Victor, but apparently this is actually a bug in Mail::Sender
> > that only revealed itself when they changed the TLS default to true
> > in 0.8.22.
> >
> > https://rt.cpan.org/Public/Bug/Display.html?id=85438
> >
> > I've temporarily disabled TLS in vacation.pl until it is fixed...
>
> Why temporarily?  It makes no sense to encrypt when sending to
> 127.0.0.1.  You can't hide your plaintext from the O/S kernel.
> Since the SMTP server is on port 25 only root can listen there, so
> there is no reason to authenticate localhost:25 either.


True... hadn't really thought about it.

Thx again Victor...