postfix-users May 2014 archive

TLS issues (postfix says: UNTRUSTED but it is not)

From: Simon Effenberg <savar_at_nospam>
Date: Tue May 13 2014 - 08:38:52 GMT
To: postfix-users@postfix.org

Hi @list,

I have an issue with my SSL certificate. When I send a mail from another
postfix to the one with the installed certificate it is complaining
about an Untrusted TLS connection. The certificate uses SAN and is
signed. OpenSSL tells me that everything is fine. When I test it through
ssl-tools.net it is also fine. If I install it as a server certificate
within an Apache and test it through Chrome it is fine as well.

I would like to know if anybody could give me a hint where to search for
the problem.

My config is:

Server A (receiver of the mail):

$ sudo postconf -n | grep smtpd_tls
smtpd_tls_cert_file = /etc/postfix/mail.ev.crt
smtpd_tls_key_file = /etc/postfix/mail.ev.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may

The myhostname contains a name which exists in the SAN list (the CN is
only valid for one of the servers but shouldn't make any difference).

The /etc/postfix/mail.ev.crt contains, in this order: server cert,
intermediate cert, root cert (this is a quite new one).

Server B (sender of the mail):

$ sudo postconf -n |grep smtp_tls_
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

I tested the ca-certificates.crt file by:

$ openssl s_client -showcerts \
    -CAfile /var/spool/postfix/etc/ssl/certs/ca-certificates.crt \
    -starttls smtp -connect my.mailserver.de:25

the output begins with:

depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU =
    "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign
    Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU =
    Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign
    Class 3 Extended Validation SSL CA
verify return:1
depth=0 1.3.X.X.X.X.XXX.60.2.1.3 = US, 1.3.X.X.X.X.XXX.60.2.1.2 =
   Somewhere, businessCategory = Private Organization, serialNumber =
   123456, C = US, postalCode = 12345, ST = New York, L = Hawaii,
   street = 1234 Street, O = "Some Inc.", OU = Some.Unit, CN =
   some_cn_name
verify return:1

and at the end:

SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES256-GCM-SHA384
    ...
    Compression: 1 (zlib compression)
    Start Time: 1399970032
    Timeout : 300 (sec)
    Verify return code: 0 (ok)

Any help is much appreciated. Maybe I'm blind and cannot see the easy
error I introduced.

Cheers
Simon
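As an added diagnostic script (not from the original post, nor from the Postfix project), the following POSIX shell shows what a practitioner would check on the sending host when the smtp client logs "Untrusted" while openssl reports a verified chain: the effective client-side TLS settings, including per-transport overrides in master.cf and whether the chroot copy of the CA bundle matches the system copy (smtp_tls_CAfile is opened before the chroot is entered, smtp_tls_CApath is read from inside it); an openssl s_client run against the same CA file that reports the verify result and the leaf certificate's SAN list; and a classifier for the four "... TLS connection established" prefixes that Postfix logs at smtp_tls_loglevel = 1. The HOST and CAFILE arguments are placeholders, and the log lines used to exercise the classifier are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post or the Postfix project.
# Assumes: the sending Postfix runs on this host, `postconf` and `openssl`
# are on PATH, and the receiving server (placeholder HOST) listens on 25.

# Map the prefix of a Postfix smtp client log line to what it says about
# the peer certificate:
#   anonymous - no certificate was checked (anonymous cipher suite)
#   untrusted - certificate presented, but it did not chain to a CA in
#               smtp_tls_CAfile / smtp_tls_CApath
#   trusted   - chain verified, peer name not matched (or not required)
#   verified  - chain verified and the peer name matched
postfix_tls_status() {
    case "$1" in
        *"Anonymous TLS connection established"*) echo anonymous ;;
        *"Untrusted TLS connection established"*) echo untrusted ;;
        *"Trusted TLS connection established"*)   echo trusted ;;
        *"Verified TLS connection established"*)  echo verified ;;
        *) echo none ;;
    esac
}

# Print the settings the smtp client actually uses, not just main.cf:
# master.cf may carry "-o smtp_tls_*" overrides for a transport, and the
# chroot column ("y") means CApath (not CAfile) is read under queue_directory.
show_effective_tls_config() {
    printf 'smtp_tls_CAfile: %s\n' "$(postconf -h smtp_tls_CAfile)"
    printf 'smtp_tls_CApath: %s\n' "$(postconf -h smtp_tls_CApath)"
    printf 'smtp_tls_security_level: %s\n' "$(postconf -h smtp_tls_security_level)"
    printf 'master.cf smtp entries and overrides:\n'
    grep -nE '^[[:space:]]*(smtp|relay)[[:space:]]+unix|smtp_tls' /etc/postfix/master.cf || true

    # Debian keeps a copy of the CA bundle inside the chroot; a stale copy
    # only matters for CApath/chrooted reads, but it is cheap to compare.
    cafile=$(postconf -h smtp_tls_CAfile)
    chroot_copy="$(postconf -h queue_directory)$cafile"
    if [ -n "$cafile" ] && [ -f "$chroot_copy" ]; then
        if cmp -s "$cafile" "$chroot_copy"; then
            echo "chroot copy $chroot_copy matches $cafile"
        else
            echo "WARNING: chroot copy $chroot_copy differs from $cafile"
        fi
    fi
}

# Verify the chain the way the smtp client would: same CA file, STARTTLS on
# port 25, SNI set to the host name. Prints the verify result, then the
# subject and SAN list of the leaf so the name Postfix connects to can be
# compared against what the certificate actually carries.
check_chain() {
    host=$1; cafile=$2
    out=$(openssl s_client -connect "$host:25" -starttls smtp \
          -servername "$host" -CAfile "$cafile" -showcerts </dev/null 2>&1)
    printf '%s\n' "$out" | grep 'Verify return code'
    # First certificate in the output is the leaf (depth 0).
    printf '%s\n' "$out" | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        | sed '/-----END CERTIFICATE-----/q' \
        | openssl x509 -noout -subject -text \
        | grep -E 'Subject:|DNS:'
}

# Usage: sh tlscheck.sh my.mailserver.de /etc/ssl/certs/ca-certificates.crt
if [ $# -ge 2 ]; then
    show_effective_tls_config
    check_chain "$1" "$2"
fi
```

Compare the names printed under DNS: with the host name Postfix logs in the "to host[addr]:25" part of the line; at security level "may" a mismatch does not by itself produce "Untrusted", but a chain that cannot be built from the configured CA file does, and the openssl run here uses exactly the file postconf reports rather than one typed by hand.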