TLS Problem - Delayed Inbound Mail - Tried To Resolve

skoppes
Posts: 33
Joined: 26 Aug 2015 19:29

Post by skoppes »

Hello all!

Since 3.0.0.9 enabled TLS for Postfix, we've been having all sorts of intermittent issues with incoming email. It turns out the EFA doesn't like our in-house CA security certificates, causing intermittent delays on inbound messages.

This can be diagnosed by:

    openssl s_client -starttls smtp -connect mail.ip.here:25

We were getting the following errors mixed in with the log:

    verify error:num=20:unable to get local issuer certificate
    Verify return code: 21 (unable to verify the first certificate)

The short-short version: It looked like we had to install our CA certificate on the EFA box

To do this, I performed the following high-level steps:

1. Add option to /etc/postfix/main.cf: smtpd_tls_CApath = /etc/postfix/ssl/certs
2. Create the directory
3. Export our CER to a Base-64 encoded X.509 CER file (as Windows calls it)
4. Open this file in a text editor - the contents should start and end with the following two lines:

       -----BEGIN CERTIFICATE-----
       This is the certificate data
       -----END CERTIFICATE-----

5. Copy the entirety of the certificate text data to an appropriately named file in this new directory on EFA
6. Rehash the certificates in this directory


The following is the main set of steps I took, with SUDO as needed:

    (edited) /etc/postfix/main.cf
    (added)  smtpd_tls_CApath = /etc/postfix/ssl/certs

    mkdir /etc/postfix/ssl/certs

    (edited) /etc/postfix/ssl/certs/my-ca-cert.pem
    *Paste the data / Save the file

    /usr/sbin/cacertdir_rehash /etc/postfix/ssl/certs/

I first restarted postfix, and later rebooted EFA, but am still having the same exact issue.

Per /var/log/maillog:

    efa postfix/smtp[XXXX]: XXXXXXXXXXX: to=<user@mydomain.edu>, relay=mail.ip.here[mail.ip.here]:25, delay=25, delays=25/0/0.02/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)

Testing with the first works, but the second does not:

    openssl s_client -CApath /etc/postfix/ssl/certs/ -starttls smtp -connect mail.ip.here:25
    openssl s_client -starttls smtp -connect mail.ip.here:25

What did I miss? Any suggestions?
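The CA-install procedure above, as an added example that is not part of the original post or of EFA: it builds a throwaway CA (a constructed stand-in for the in-house CA export), rejects a non-PEM file, installs the certificate into a CApath-style directory with the <subject_hash>.0 link that cacertdir_rehash / c_rehash / "openssl rehash" would create, and checks the result with "openssl verify -CApath" before touching any mail server. The directory and CA subject are assumptions; on the EFA box the directory is /etc/postfix/ssl/certs, and a "postfix reload" has to follow the install. One caveat worth noting: the deferred line in the maillog comes from postfix/smtp, the Postfix SMTP client, and the client consults smtp_tls_CApath; smtpd_tls_CApath (with the d) is only read when Postfix is the server of the connection.

```sh
#!/bin/sh
# Added example: install a CA certificate into an OpenSSL/Postfix CApath
# directory and verify against it. Paths and the CA subject are assumptions.
set -eu

make_test_ca() {
  # Constructed stand-in for the in-house CA export; $1 = output directory.
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example In-House CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
}

install_ca_cert() {
  # $1 = certificate file, $2 = CApath directory. Refuses anything that is not
  # Base-64/PEM: a DER ("binary") export has no BEGIN/END lines and OpenSSL's
  # CApath lookup would never load it. Prints the hash link it created.
  pem="$1"; dir="$2"
  if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$pem"; then
    echo "not a Base-64 (PEM) certificate: $pem" >&2
    return 1
  fi
  mkdir -p "$dir"
  cp "$pem" "$dir/my-ca-cert.pem"
  # CApath lookup is by <subject_hash>.N symlink, which is exactly what the
  # rehash tools generate for every file in the directory.
  h=$(openssl x509 -noout -subject_hash -in "$pem")
  ln -sf my-ca-cert.pem "$dir/$h.0"
  echo "$h.0"
}

verify_against_capath() {
  # $1 = certificate to check, $2 = CApath. Exit 0 on "OK"; non-zero for the
  # same error classes s_client prints (num=20/21 when the issuer is missing).
  # -no-CAfile keeps the system bundle out of the check so only $2 counts.
  openssl verify -no-CAfile -CApath "$2" "$1" >/dev/null 2>&1
}

# Stand-alone demo: build, install, verify.
work=$(mktemp -d)
make_test_ca "$work"
link=$(install_ca_cert "$work/ca.pem" "$work/certs")
echo "installed $work/certs/$link"
verify_against_capath "$work/ca.pem" "$work/certs" && echo "verify: OK"
```

After installing for real, the same check against the live server is the one from the post, "openssl s_client -CApath /etc/postfix/ssl/certs/ -starttls smtp -connect host:25"; if that reports "Verify return code: 0 (ok)" but Postfix still defers, the failure is somewhere other than trust (the cipher or protocol negotiation, which "smtp_tls_loglevel = 2" exposes in the maillog).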
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: TLS Problem - Delayed Inbound Mail - Tried To Resolve

Post by shawniverson »

http://www.postfix.org/TLS_README.html

Have you tried turning up the TLS logging level?
skoppes
Posts: 33
Joined: 26 Aug 2015 19:29

Re: TLS Problem - Delayed Inbound Mail - Tried To Resolve

Post by skoppes »

I think I found the problem: the server is unfortunately using the RC4 cipher. There is not an easy fix to this. We have a near-term project in the works to get that server retired anyhow.

I wanted to share some of my experiences.

Attempted to create work-around, per the following:
http://www.postfix.org/TLS_README.html# ... tls_policy

Using any of the domain name, the host-name, or the IP address did not work when attempting to create an exception. I ended up having to completely disable TLS for the time being. Also unfortunately.

Just wanted to give you a heads up!
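For reference, the per-destination policy that the linked TLS_README section describes takes the following form. This is an added example, not the configuration from the post or shipped by EFA; the domain, host and port are the placeholders used in this thread. The table is keyed by the next-hop destination exactly as Postfix resolves it (the recipient domain, or the verbatim "[host]:port" string from transport_maps or relayhost), and an entry whose key does not match that string is simply never consulted; "smtp_tls_loglevel = 1" or higher logs which next-hop Postfix actually used. The commented "ciphers=" variant only helps if the local OpenSSL build still includes RC4, which current builds generally do not.

```conf
# /etc/postfix/main.cf, Postfix SMTP *client* side (the postfix/smtp process
# that logged "Cannot start TLS: handshake failure" earlier in the thread).
smtp_tls_security_level = may
smtp_tls_CApath = /etc/postfix/ssl/certs
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_loglevel = 1

# /etc/postfix/tls_policy
# Run "postmap /etc/postfix/tls_policy" after editing, then "postfix reload".
# Keys are next-hop destinations as Postfix sees them; the placeholders below
# are the thread's. Opportunistic TLS everywhere, plaintext only to the legacy
# RC4-only relay:
mydomain.edu        none
[mail.ip.here]:25   none

# Alternative that keeps TLS to the legacy box, usable only if the local
# OpenSSL still has RC4 compiled in:
# [mail.ip.here]:25   may ciphers=medium
```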