Since 3.0.0.9 enabled TLS for Postfix, we've been having all sorts of intermittent issues with incoming email. It turns out the EFA doesn't like our in-house CA security certificates, causing intermittent delays on inbound messages.
This can be diagnosed by:
openssl s_client -starttls smtp -connect mail.ip.here:25
verify error:num=20:unable to get local issuer certificate
Verify return code: 21 (unable to verify the first certificate)
The short-short version: It looked like we had to install our CA certificate on the EFA box.
To do this, I performed the following high-level steps:
Add option to /etc/postfix/main.cf: smtpd_tls_CApath = /etc/postfix/ssl/certs
Create the directory
Export our CER to a Base-64 encoded X.509 CER file (as Windows calls it)
Open this file in a text editor - the contents should start and end with the following two lines:
-----BEGIN CERTIFICATE-----
This is the certificate data
-----END CERTIFICATE-----
Rehash the certificates in this directory
The following is the main set of steps I took, with SUDO as needed:
(edited) /etc/postfix/main.cf
(added) smtpd_tls_CApath = /etc/postfix/ssl/certs
mkdir /etc/postfix/ssl/certs
(edited) /etc/postfix/ssl/certs/my-ca-cert.pem
*Paste the data / Save the file
/usr/sbin/cacertdir_rehash /etc/postfix/ssl/certs/
I first restarted postfix, and later rebooted EFA, but am still having the same exact issue.
Per /var/log/maillog:
efa postfix/smtp[XXXX]: XXXXXXXXXXX: to=<user@mydomain.edu>, relay=mail.ip.here[mail.ip.here]:25, delay=25, delays=25/0/0.02/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
openssl s_client -CApath /etc/postfix/ssl/certs/ -starttls smtp -connect mail.ip.here:25
openssl s_client -starttls smtp -connect mail.ip.here:25
What did I miss? Any suggestions?
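Added example, not from the post or from EFA: a shell script that builds a CApath directory the way the steps above describe (PEM file dropped in, then rehashed) and then checks it with openssl verify, which tells you whether the directory itself can validate the server's certificate before Postfix is involved at all. It generates a throwaway CA and server certificate under a temporary directory (constructed, nothing real) and assumes openssl 1.1.1 or newer; the path names are stand-ins for the ones in the post.

```shell
#!/bin/sh
# Build a Postfix-style CApath, rehash it, and verify a leaf cert against it.
# Everything here is generated on the fly; no real keys or hosts are used.
set -e

WORK=$(mktemp -d)
CAPATH="$WORK/certs"          # stands in for /etc/postfix/ssl/certs
mkdir -p "$CAPATH"

# Throwaway in-house CA: CSR, then self-signed with explicit CA extensions so
# the result is a valid trust anchor regardless of the local openssl.cnf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example In-House CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 1 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" >/dev/null 2>&1

# Server certificate issued by that CA (what the internal mail host would present).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/srv.pem" >/dev/null 2>&1

# Install the CA as in the post: PEM file in the directory, then rehash so
# OpenSSL can locate it by subject-name hash (a <hash>.0 symlink).
cp "$WORK/ca.pem" "$CAPATH/my-ca-cert.pem"
openssl rehash "$CAPATH" >/dev/null 2>&1 || c_rehash "$CAPATH" >/dev/null 2>&1

# Returns 0 if $2 chains to a CA found in CApath $1, non-zero otherwise.
# -no-CAfile keeps the system bundle out of the picture so only $1 counts.
verify_against_capath() {
    openssl verify -no-CAfile -CApath "$1" "$2" >/dev/null 2>&1
}

# Returns 0 if the <subject_hash>.0 link that rehash should create for cert $1
# exists in directory $2; a missing link means the CA will never be found.
hash_link_present() {
    h=$(openssl x509 -in "$1" -noout -subject_hash)
    [ -e "$2/$h.0" ]
}

verify_against_capath "$CAPATH" "$WORK/srv.pem" && echo "chain verifies via $CAPATH"
```

Note that the maillog line above comes from postfix/smtp, the outbound SMTP client, whose trust directory is the smtp_tls_CApath parameter; smtpd_tls_CApath configures the inbound smtpd server side.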