[Postfixbuch-users] TLS Server certificate could not be verified

Christian Anton mail at christiananton.de
Sun Jul 30 17:43:18 CEST 2006


Hi folks,

after a long absence I have a problem again that forces me to post
here, because I simply don't get it.

I have two machines running Postfix:

1. My root server on the Internet, Gentoo Linux with Postfix 2.2.5,
   referred to as "Server" below.

2. My home server/filer/all-purpose box, Debian etch, Postfix 2.2.10-2,
   referred to as "Client" below.

I wanted to allow the Client to authenticate to the Server with its
TLS server certificate and thus relay through it.

After some reading of the docs the relaying works perfectly, but the
Client's log still shows messages saying that the Server's server
certificate could not be verified, which is probably a cosmetic rather
than a technical problem, but it bothers me anyway.

I gave both machines server certificates from CAcert. That is, I
created CSRs, had Class 3 certificates issued on the CAcert website,
stored these certificates as .crt under /etc/postfix/tls, downloaded
the Class 3 root certificate and stored it on disk as well. On both
machines I configured the certificate for both smtpd and smtp; have a
look:


Server:
smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.class3.pem
smtpd_tls_cert_file = /etc/postfix/tls/mail.gentix.de.crt
smtpd_tls_key_file = /etc/postfix/tls/mail.gentix.de.key
smtpd_use_tls = yes

smtp_tls_CAfile = /etc/ssl/certs/cacert.org.class3.pem
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_cert_file = /etc/postfix/tls/mail.gentix.de.crt
smtp_tls_key_file = /etc/postfix/tls/mail.gentix.de.key
smtp_use_tls = yes

smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
smtpd_tls_ask_ccert = yes
relay_clientcerts = hash:/etc/postfix/relay_clientcerts

Client:
smtpd_use_tls=yes
smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.class3.pem
smtpd_tls_cert_file=/etc/postfix/tls/home.christiananton.de.crt
smtpd_tls_key_file=/etc/postfix/tls/home.christiananton.de.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

smtp_use_tls=yes
smtp_tls_CAfile = /etc/ssl/certs/cacert.org.class3.pem
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_cert_file=/etc/postfix/tls/home.christiananton.de.crt
smtp_tls_key_file=/etc/postfix/tls/home.christiananton.de.key
smtp_tls_scert_verifydepth = 5
smtp_tls_loglevel = 2
smtp_tls_enforce_peername = no


Furthermore, I re-imported the Class 3 root certificate into openssl
and was then able to verify both server certificates on both machines.
Apparently, though, Postfix does not use the system-wide root
certificates under /etc/ssl/certs...

Server:
# c_rehash /etc/ssl/certs
# openssl verify /etc/postfix/tls/mail.gentix.de.crt
/etc/postfix/tls/mail.gentix.de.crt: OK
# openssl verify ~chris/home.christiananton.de.crt
/home/chris/home.christiananton.de.crt: OK

Client:
# c_rehash /etc/ssl/certs
# openssl verify /etc/postfix/tls/home.christiananton.de.crt
/etc/postfix/tls/home.christiananton.de.crt: OK
# openssl verify ~chris/mail.gentix.de.crt
/home/chris/mail.gentix.de.crt: OK

On the Server side I have of course also entered the fingerprint of
the server certificate that is used on the Client side.

When I now send a mail from the Client, the logs look like this:

Server:
Jul 30 17:41:04 ipx10995 postfix/smtpd[17973]: connect from
p54970951.dip0.t-ipconnect.de[84.151.9.81]
Jul 30 17:41:04 ipx10995 postfix/anvil[1683]: statistics: max
connection rate 2/60s for (smtp:217.225.235.21) at Jul 30 17:32:38
Jul 30 17:41:04 ipx10995 postfix/anvil[1683]: statistics: max
connection count 1 for (smtp:217.225.235.21) at Jul 30 17:31:38
Jul 30 17:41:04 ipx10995 postfix/anvil[1683]: statistics: max cache
size 3 at Jul 30 17:34:44
Jul 30 17:41:04 ipx10995 postfix/smtpd[17973]: setting up TLS
connection from p54970951.dip0.t-ipconnect.de[84.151.9.81]
Jul 30 17:41:04 ipx10995 postfix/smtpd[17973]:
fingerprint=2D:E2:E6:35:26:07:79:22:58:6C:82:52:A2:A1:57:58
Jul 30 17:41:04 ipx10995 postfix/smtpd[17973]: Verified:
subject_CN=home.christiananton.de, issuer=CAcert Class 3 Root
Jul 30 17:41:04 ipx10995 postfix/smtpd[17973]: TLS connection
established from p54970951.dip0.t-ipconnect.de[84.151.9.81]: TLSv1
with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jul 30 17:41:04 ipx10995 postfix/smtpd[17973]: EE935C0A9:
client=p54970951.dip0.t-ipconnect.de[84.151.9.81]
Jul 30 17:41:05 ipx10995 postfix/cleanup[19268]: EE935C0A9:
message-id=<20060730154106.BBF5046DD at servfibbs.fibbs.local>
Jul 30 17:41:05 ipx10995 postfix/smtpd[17973]: disconnect from
p54970951.dip0.t-ipconnect.de[84.151.9.81]
Jul 30 17:41:05 ipx10995 postfix/qmgr[11845]: EE935C0A9:
from=<mail at christiananton.de>, size=686, nrcpt=1 (queue active)
Jul 30 17:41:05 ipx10995 amavis[18061]: (18061-02) ESMTP::10024
/var/amavis/tmp/amavis-20060730T173951-18061:
<mail at christiananton.de> -> <mail.christiananton.de at gentix.de>
Received: SIZE=686 from mail.gentix.de ([127.0.0.1]) by localhost
(mail.gentix.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id
18061-02 for <mail.christiananton.de at gentix.de>; Sun, 30 Jul 2006
17:41:05 +0200 (CEST)
Jul 30 17:41:05 ipx10995 amavis[18061]: (18061-02) Checking:
VHG9foaYXs3E [84.151.9.81] <mail at christiananton.de> ->
<mail.christiananton.de at gentix.de>
Jul 30 17:41:05 ipx10995 postfix/smtpd[19277]: connect from
localhost[127.0.0.1]
Jul 30 17:41:05 ipx10995 postfix/smtpd[19277]: 75EC6C890:
client=localhost[127.0.0.1]
Jul 30 17:41:05 ipx10995 postfix/cleanup[19268]: 75EC6C890:
message-id=<20060730154106.BBF5046DD at servfibbs.fibbs.local>
Jul 30 17:41:05 ipx10995 postfix/qmgr[11845]: 75EC6C890:
from=<mail at christiananton.de>, size=1138, nrcpt=1 (queue active)
Jul 30 17:41:05 ipx10995 postfix/smtpd[19277]: disconnect from
localhost[127.0.0.1]
Jul 30 17:41:05 ipx10995 amavis[18061]:
(18061-02) FWD via SMTP: <mail at christiananton.de> ->
<mail.christiananton.de at gentix.de>, 250 2.6.0 Ok, id=18061-02, from
MTA([127.0.0.1]:10025): 250 Ok: queued as 75EC6C890
Jul 30 17:41:05 ipx10995 amavis[18061]: (18061-02) Passed CLEAN,
[84.151.9.81] [84.151.9.81] <mail at christiananton.de> ->
<mail.christiananton.de at gentix.de>, Message-ID:
<20060730154106.BBF5046DD at servfibbs.fibbs.local>, mail_id:
VHG9foaYXs3E, Hits: 1.897, 524 ms
Jul 30 17:41:05 ipx10995 amavis[18061]: (18061-02) Passed CLEAN,
<mail at christiananton.de> -> <mail.christiananton.de at gentix.de>,
Hits: 1.897, tag=3, tag2=6, kill=6, L/0/0/0
Jul 30 17:41:05 ipx10995 postfix/smtp[19272]: EE935C0A9:
to=<mail.christiananton.de at gentix.de>,
orig_to=<mail at christiananton.de>, relay=127.0.0.1[127.0.0.1],
delay=1, status=sent (250 2.6.0 Ok, id=18061-02, from
MTA([127.0.0.1]:10025): 250 Ok: queued as 75EC6C890)
Jul 30 17:41:05 ipx10995 postfix/qmgr[11845]: EE935C0A9: removed
Jul 30 17:41:05 ipx10995 postfix/lmtp[19280]: 75EC6C890:
to=<mail.christiananton.de at gentix.de>,
relay=/var/imap/socket/lmtp[/var/imap/socket/lmtp], delay=0,
status=sent (250 2.1.5 Ok)
Jul 30 17:41:05 ipx10995 postfix/qmgr[11845]: 75EC6C890: removed


Client:
Jul 30 17:41:06 servfibbs postfix/pickup[27519]: BBF5046DD: uid=1005
from=<chris>
Jul 30 17:41:06 servfibbs postfix/cleanup[27747]: BBF5046DD:
message-id=<20060730154106.BBF5046DD at servfibbs.fibbs.local>
Jul 30 17:41:06 servfibbs postfix/qmgr[23420]: BBF5046DD:
from=<mail at christiananton.de>, size=332, nrcpt=1 (queue active)
Jul 30 17:41:06 servfibbs postfix/smtp[27749]: initializing the
client-side TLS engine
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: setting up TLS
connection to mail.gentix.de
Jul 30 17:41:07 servfibbs postfix/smtp[27749]:
SSL_connect:before/connect initialization
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: SSL_connect:SSLv2/v3
write client hello A
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: SSL_connect:error in
SSLv2/v3 read server hello A
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: SSL_connect:error in
SSLv3 read server hello A
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: SSL_connect:error in
SSLv3 read server hello A
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: SSL_connect:SSLv3
read server hello A
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: SSL_connect:error in
SSLv3 read server certificate A
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: SSL_connect:error in
SSLv3 read server certificate A
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: SSL_connect:error in
SSLv3 read server certificate A
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: SSL_connect:error in
SSLv3 read server certificate A
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: certificate
verification depth=2 subject=/O=Root
CA/OU=http://www.cacert.org/CN=CA Cert Signing
Authority/emailAddress=support at cacert.org
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: certificate
verification failed for mail.gentix.de: num=19:self signed
certificate in certificate chain
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: verify return: 0
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: certificate
verification depth=2 subject=/O=Root
CA/OU=http://www.cacert.org/CN=CA Cert Signing
Authority/emailAddress=support at cacert.org
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: verify return: 1
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: certificate
verification depth=1 subject=/O=CAcert
Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: verify return: 1
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: certificate
verification depth=0 subject=/CN=mail.gentix.de
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: verify return: 1
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: SSL_connect:SSLv3
read server certificate A
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: SSL_connect:error in
SSLv3 read server key exchange A
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: SSL_connect:error in
SSLv3 read server key exchange A
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: SSL_connect:SSLv3
read server key exchange A
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: SSL_connect:error in
SSLv3 read server certificate request A
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: SSL_connect:error in
SSLv3 read server certificate request A
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: SSL_connect:SSLv3
read server certificate request A
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: SSL_connect:SSLv3
read server done A
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: SSL_connect:SSLv3
write client certificate A
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: SSL_connect:SSLv3
write client key exchange A
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: SSL_connect:SSLv3
write certificate verify A
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: SSL_connect:SSLv3
write change cipher spec A
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: SSL_connect:SSLv3
write finished A
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: SSL_connect:SSLv3
flush data
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: SSL_connect:error in
SSLv3 read finished A
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: SSL_connect:error in
SSLv3 read finished A
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: SSL_connect:error in
SSLv3 read finished A
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: SSL_connect:error in
SSLv3 read finished A
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: SSL_connect:SSLv3
read finished A
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: Unverified:
subject_CN=mail.gentix.de, issuer=CAcert Class 3 Root
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: TLS connection
established to mail.gentix.de: TLSv1 with cipher DHE-RSA-AES256-SHA
(256/256 bits)
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: Server certificate
could not be verified
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: BBF5046DD:
to=<mail at christiananton.de>, relay=mail.gentix.de[80.190.241.119],
delay=1, status=sent (250 Ok: queued as EE935C0A9)
Jul 30 17:41:07 servfibbs postfix/qmgr[23420]: BBF5046DD: removed



As you can see, sending and authentication work wonderfully, but the
Client cannot verify the Server's server certificate, and I would like
to know why that is and how I can analyse the error.


Thanks a lot in advance!


Christian Anton
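Added example (not part of the original post, and not Postfix code): a small Python triage parser that runs over the client-side log lines above and extracts, per postfix/smtp process, the destination host, the chain OpenSSL walked (depth and subject), the verification error it raised, Postfix's Verified/Unverified verdict, the cipher, and whether the message was delivered anyway. The sample input is copied from the post (unwrapped, with the archive's " at " de-obfuscated to "@") plus one constructed contrast session that verifies cleanly. The error-number table is OpenSSL's X509_V_ERR_* numbering; num=19 in the log is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, which OpenSSL raises when the self-signed certificate at the top of the presented chain (here depth=2, the CAcert root) is not in the trust store the smtp client actually loaded. The parser only reports that; it does not change any configuration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample input: lines from the post (smtp[27749]) plus a constructed
# session (smtp[27750], host mx.example.test) in which verification succeeded.
SAMPLE_LOG = """\
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: setting up TLS connection to mail.gentix.de
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: certificate verification depth=2 subject=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: certificate verification failed for mail.gentix.de: num=19:self signed certificate in certificate chain
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: verify return: 0
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: certificate verification depth=1 subject=/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: verify return: 1
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: certificate verification depth=0 subject=/CN=mail.gentix.de
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: verify return: 1
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: Unverified: subject_CN=mail.gentix.de, issuer=CAcert Class 3 Root
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: TLS connection established to mail.gentix.de: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: Server certificate could not be verified
Jul 30 17:41:07 servfibbs postfix/smtp[27749]: BBF5046DD: to=<mail@christiananton.de>, relay=mail.gentix.de[80.190.241.119], delay=1, status=sent (250 Ok: queued as EE935C0A9)
Jul 30 17:45:02 servfibbs postfix/smtp[27750]: setting up TLS connection to mx.example.test
Jul 30 17:45:02 servfibbs postfix/smtp[27750]: certificate verification depth=1 subject=/O=Example/CN=Example Root
Jul 30 17:45:02 servfibbs postfix/smtp[27750]: verify return: 1
Jul 30 17:45:02 servfibbs postfix/smtp[27750]: certificate verification depth=0 subject=/CN=mx.example.test
Jul 30 17:45:02 servfibbs postfix/smtp[27750]: verify return: 1
Jul 30 17:45:02 servfibbs postfix/smtp[27750]: Verified: subject_CN=mx.example.test, issuer=Example Root
Jul 30 17:45:02 servfibbs postfix/smtp[27750]: TLS connection established to mx.example.test: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jul 30 17:45:02 servfibbs postfix/smtp[27750]: 0123456789: to=<user@example.test>, relay=mx.example.test[192.0.2.10], delay=1, status=sent (250 Ok)
"""

# OpenSSL X509_V_ERR_* codes that most often sit behind "could not be verified".
X509_ERR_NAMES = {
    2: "UNABLE_TO_GET_ISSUER_CERT",
    10: "CERT_HAS_EXPIRED",
    18: "DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "SELF_SIGNED_CERT_IN_CHAIN",
    20: "UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "UNABLE_TO_VERIFY_LEAF_SIGNATURE",
}

LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ postfix/smtp\[(\d+)\]: (.*)$")
SETUP_RE = re.compile(r"^setting up TLS connection to (\S+)")
DEPTH_RE = re.compile(r"^certificate verification depth=(\d+) subject=(.*)$")
FAIL_RE = re.compile(r"^certificate verification failed for (\S+): num=(\d+):(.*)$")
PEER_RE = re.compile(r"^(Verified|Unverified): subject_CN=([^,]*), issuer=(.*)$")
ESTAB_RE = re.compile(r"^TLS connection established to (\S+): (\S+) with cipher (\S+) \(")
SENT_RE = re.compile(r"\bstatus=sent\b")


@dataclass
class TlsSession:
    pid: str
    host: Optional[str] = None
    chain: Dict[int, str] = field(default_factory=dict)  # depth -> subject DN as logged
    error_num: Optional[int] = None
    error_msg: Optional[str] = None
    error_depth: Optional[int] = None  # depth OpenSSL was checking when it failed
    peer_status: Optional[str] = None  # Postfix's "Verified" / "Unverified"
    protocol: Optional[str] = None
    cipher: Optional[str] = None
    delivered: bool = False

    @property
    def error_name(self) -> Optional[str]:
        if self.error_num is None:
            return None
        return X509_ERR_NAMES.get(self.error_num, "X509_V_ERR_%d" % self.error_num)


def parse_smtp_tls(log_text: str) -> Dict[str, TlsSession]:
    """Group postfix/smtp lines by process id and pull out the TLS verification outcome."""
    sessions: Dict[str, TlsSession] = {}
    last_depth: Dict[str, int] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a postfix/smtp line (smtpd, qmgr, amavis, ...)
        pid, msg = m.group(1), m.group(2)
        s = sessions.setdefault(pid, TlsSession(pid))
        if (mm := SETUP_RE.match(msg)):
            s.host = mm.group(1)
        elif (mm := DEPTH_RE.match(msg)):
            depth = int(mm.group(1))
            s.chain[depth] = mm.group(2)
            last_depth[pid] = depth
        elif (mm := FAIL_RE.match(msg)):
            s.error_num, s.error_msg = int(mm.group(2)), mm.group(3).strip()
            s.error_depth = last_depth.get(pid)
        elif (mm := PEER_RE.match(msg)):
            s.peer_status = mm.group(1)
        elif (mm := ESTAB_RE.match(msg)):
            s.protocol, s.cipher = mm.group(2), mm.group(3)
        elif SENT_RE.search(msg):
            s.delivered = True
    return sessions


def diagnose(s: TlsSession) -> str:
    """One-line triage verdict: where in the chain verification stopped and why."""
    if s.peer_status == "Verified":
        return "%s: chain verified, %s %s" % (s.host, s.protocol, s.cipher)
    where = s.chain.get(s.error_depth, "?") if s.error_depth is not None else "?"
    return ("%s: NOT verified (%s at depth %s: %s); delivered anyway=%s, so TLS is "
            "opportunistic, not enforced" % (s.host, s.error_name, s.error_depth, where, s.delivered))


if __name__ == "__main__":
    for sess in parse_smtp_tls(SAMPLE_LOG).values():
        print(diagnose(sess))
```

For the session from the post, the verdict names the depth-2 subject (the CAcert root) as the certificate OpenSSL could not anchor, which is the thing to check in whatever CAfile/CApath the smtp client process really reads, and it flags that delivery went ahead despite the Unverified result.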
