TLS Problem - Delayed Inbound Mail - Tried To Resolve
Posted: 31 Mar 2016 18:49
Hello all!
Since 3.0.0.9 enabled TLS for Postfix, we've been having all sorts of intermittent issues with incoming email. It turns out the EFA doesn't like our in-house CA security certificates, causing intermittent delays on inbound messages.
This can be diagnosed by:

```
openssl s_client -starttls smtp -connect mail.ip.here:25
```

We were getting the following errors mixed in with the log:

```
verify error:num=20:unable to get local issuer certificate
Verify return code: 21 (unable to verify the first certificate)
```
The short-short version: It looked like we had to install our CA certificate on the EFA box.
To do this, I performed the following high-level steps:
1. Add option to /etc/postfix/main.cf: smtpd_tls_CApath = /etc/postfix/ssl/certs
2. Create the directory
3. Export our CER to a Base-64 encoded X.509 CER file (as Windows calls it)
4. Open this file in a text editor - the contents should start and end with the following two lines:

```
-----BEGIN CERTIFICATE-----
This is the certificate data
-----END CERTIFICATE-----
```

5. Copy the entirety of the certificate text data to an appropriately named file in this new directory on EFA
6. Rehash the certificates in this directory
The following is the main set of steps I took, with SUDO as needed:

```
(edited) /etc/postfix/main.cf
(added) smtpd_tls_CApath = /etc/postfix/ssl/certs
mkdir /etc/postfix/ssl/certs
(edited) /etc/postfix/ssl/certs/my-ca-cert.pem
*Paste the data / Save the file
/usr/sbin/cacertdir_rehash /etc/postfix/ssl/certs/
```
I first restarted postfix, and later rebooted EFA, but am still having the same exact issue.
Per /var/log/maillog:

```
efa postfix/smtp[XXXX]: XXXXXXXXXXX: to=<user@mydomain.edu>, relay=mail.ip.here[mail.ip.here]:25, delay=25, delays=25/0/0.02/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
```
Testing with the first works, but the second does not:

```
openssl s_client -CApath /etc/postfix/ssl/certs/ -starttls smtp -connect mail.ip.here:25
openssl s_client -starttls smtp -connect mail.ip.here:25
```
What did I miss? Any suggestions?
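An added example, not from the original post or from the EFA project: a small POSIX shell script that reproduces the CApath preparation described in the post with throwaway certificates. The "Example In-House CA" and the mail.example.test leaf certificate are constructed on the fly for the demo; nothing here touches a real mail server. The script checks the two PEM marker lines the post mentions, builds the subject-hash symlinks that cacertdir_rehash creates, and runs openssl verify against the directory before and after rehashing. This goes one step beyond the post by showing why copying the CA file alone is not enough: OpenSSL finds issuers in a CApath directory by hash-named link, not by file name.

```shell
#!/bin/sh
# Added example (not from the original post): build a CApath directory the
# way cacertdir_rehash / c_rehash do (hash-named symlinks), then verify a
# server certificate against it. All certificates are throwaway ones created
# here; the names (Example In-House CA, mail.example.test) are constructed.
set -e

# Create a throwaway CA and a leaf cert signed by it in a scratch directory,
# then copy the CA (as the post does) into the CApath directory without
# rehashing. Prints the scratch directory path.
make_demo_pki() {
    work=$(mktemp -d)
    mkdir -p "$work/certs"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example In-House CA" \
        -keyout "$work/ca.key" -out "$work/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=mail.example.test" \
        -keyout "$work/mail.key" -out "$work/mail.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$work/mail.csr" \
        -CA "$work/ca.pem" -CAkey "$work/ca.key" -CAcreateserial \
        -out "$work/mail.pem" >/dev/null 2>&1
    cp "$work/ca.pem" "$work/certs/my-ca-cert.pem"
    echo "$work"
}

# Sanity check for an exported CA file: the first and last lines are the
# PEM markers the post mentions (CRs from a Windows export are ignored)
# and openssl can actually parse the certificate.
is_pem_cert() {
    head -n 1 "$1" | tr -d '\r' | grep -q '^-----BEGIN CERTIFICATE-----$' &&
    tail -n 1 "$1" | tr -d '\r' | grep -q '^-----END CERTIFICATE-----$' &&
    openssl x509 -noout -in "$1" >/dev/null 2>&1
}

# Equivalent of cacertdir_rehash: for every .pem in the directory, create a
# link <subject_hash>.<n> -> file. OpenSSL's CApath lookup opens exactly
# these names when it searches for an issuer certificate.
rehash_capath() {
    dir=$1
    for f in "$dir"/*.pem; do
        h=$(openssl x509 -noout -subject_hash -in "$f")
        i=0
        while [ -e "$dir/$h.$i" ]; do i=$((i + 1)); done
        ln -s "$(basename "$f")" "$dir/$h.$i"
    done
}

# Returns 0 when the leaf certificate chains to a CA in the CApath directory.
# The ": OK" check on stdout keeps this reliable on older OpenSSL releases
# whose "verify" subcommand exited 0 even on failure.
verify_against_capath() {
    openssl verify -CApath "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Stand-alone run: the CA file is present but undiscoverable until rehashed.
demo=$(make_demo_pki)
if verify_against_capath "$demo/certs" "$demo/mail.pem"; then
    echo "before rehash: verified (unexpected)"
else
    echo "before rehash: unable to get local issuer certificate"
fi
rehash_capath "$demo/certs"
if verify_against_capath "$demo/certs" "$demo/mail.pem"; then
    echo "after rehash: verified; directory now holds:"
    ls "$demo/certs"
fi
rm -rf "$demo"
```

One thing worth checking against the maillog line in the post: it is written by postfix/smtp, the Postfix SMTP client delivering to mail.ip.here, and the Postfix client reads its trust directory from smtp_tls_CApath, whereas smtpd_tls_CApath configures the smtpd server side that remote senders connect to. Whichever side is involved, the directory it points at has to contain the hash links, not just the PEM file, which is what the script above demonstrates.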