Current-Users archive


SSL/TLS and certificates
Slightly off-topic for current-users, I guess, but I'm running -current,
so...

With Linux systems at work, I don't have any problems configuring
Postfix to use TLS policy "secure" for specific destinations.  When I
try to do it the same way using NetBSD, however, I get stuff like this:

May 25 11:08:47 barsoom postfix/smtp[12473]: certificate verification failed for mail-tester.com[94.23.206.89]:25: untrusted issuer /O=Digital Signature Trust Co./CN=DST Root CA X3
May 25 11:08:47 barsoom postfix/smtp[12473]: mail-tester.com[94.23.206.89]:25: subject_CN=mail-tester.com, issuer_CN=Let's Encrypt Authority X3, fingerprint=97:BE:16:8E:52:B5:15:C2:F8:37:71:13:2F:13:E5:68, pkey_fingerprint=4B:65:01:EA:48:EA:BC:7A:A3:E7:EC:AD:95:E3:D6:1E
May 25 11:08:47 barsoom postfix/smtp[12473]: Untrusted TLS connection established to mail-tester.com[94.23.206.89]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 25 11:08:47 barsoom postfix/smtp[12473]: C9DC91C715C: to=<web-vv5g0%mail-tester.com@localhost>, relay=mail-tester.com[94.23.206.89]:25, delay=1.2, delays=0.42/0.04/0.72/0, dsn=4.7.5, status=deferred (Server certificate not trusted)

...and this:

May 25 11:58:20 barsoom postfix/smtp[9665]: certificate verification failed for bin-p-esa02.osl.basefarm.net[81.93.166.23]:25: untrusted issuer /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
May 25 11:58:20 barsoom postfix/smtp[9665]: bin-p-esa02.osl.basefarm.net[81.93.166.23]:25: subject_CN=smtp.basefarm.com, issuer_CN=DigiCert SHA2 High Assurance Server CA, fingerprint=C4:13:CC:D2:6E:BA:C2:05:10:18:46:13:79:B9:CD:AC, pkey_fingerprint=DF:C6:FB:FA:0B:08:D1:58:A6:5A:1F:6A:2C:F5:D1:D6
May 25 11:58:20 barsoom postfix/smtp[9665]: Untrusted TLS connection established to bin-p-esa02.osl.basefarm.net[81.93.166.23]:25: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 25 11:58:20 barsoom postfix/smtp[9665]: ABD121C715A: to=<tih%basefarm.com@localhost>, relay=bin-p-esa02.osl.basefarm.net[81.93.166.23]:25, delay=67816, delays=67815/0.09/0.36/0, dsn=4.7.5, status=deferred (Server certificate not trusted)

This is after installing packages mozilla-rootcerts and
mozilla-rootcerts-openssl, and configuring Postfix with
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

Pointing http://www.checktls.com/ at the recipient domains results in a
perfect health check; the certificates they present are fine.

So - am I doing something wrong, or is there something with our Postfix
in NetBSD-current that causes this to fail?

-tih
-- 
Most people who graduate with CS degrees don't understand the significance
of Lisp.  Lisp is the most important idea in computer science.  --Alan Kay
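An added example (editor's, not part of the post): a small Python triage script that correlates the smtp(8) client log lines quoted above by process id, so each delivery attempt is reported with the TLS level Postfix reached and, where verification failed, the issuer it could not chain to a trusted root. The two "Verified" lines for example.invalid and the queue id A1B2C3D4E5F are constructed for the sample; everything else is taken from the post.

```python
import re
from collections import defaultdict
# Sample: the four lines quoted in the post above, plus one constructed
# delivery to a documentation address whose chain did verify.
SAMPLE_LOG = """\
May 25 11:08:47 barsoom postfix/smtp[12473]: certificate verification failed for mail-tester.com[94.23.206.89]:25: untrusted issuer /O=Digital Signature Trust Co./CN=DST Root CA X3
May 25 11:08:47 barsoom postfix/smtp[12473]: mail-tester.com[94.23.206.89]:25: subject_CN=mail-tester.com, issuer_CN=Let's Encrypt Authority X3, fingerprint=97:BE:16:8E:52:B5:15:C2:F8:37:71:13:2F:13:E5:68, pkey_fingerprint=4B:65:01:EA:48:EA:BC:7A:A3:E7:EC:AD:95:E3:D6:1E
May 25 11:08:47 barsoom postfix/smtp[12473]: Untrusted TLS connection established to mail-tester.com[94.23.206.89]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 25 11:08:47 barsoom postfix/smtp[12473]: C9DC91C715C: to=<web-vv5g0%mail-tester.com@localhost>, relay=mail-tester.com[94.23.206.89]:25, delay=1.2, delays=0.42/0.04/0.72/0, dsn=4.7.5, status=deferred (Server certificate not trusted)
May 25 11:09:02 barsoom postfix/smtp[12480]: Verified TLS connection established to example.invalid[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 25 11:09:02 barsoom postfix/smtp[12480]: A1B2C3D4E5F: to=<user@example.invalid>, relay=example.invalid[192.0.2.10]:25, delay=0.9, delays=0.3/0.02/0.5/0.08, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1234ABCD)
"""

PROC_RE = re.compile(r"postfix/smtp\[(\d+)\]: (.*)$")
FAIL_RE = re.compile(r"certificate verification failed for (\S+): untrusted issuer (.*)")
TLS_RE = re.compile(r"(Untrusted|Trusted|Verified|Anonymous) TLS connection established "
                    r"to (\S+): (\S+) with cipher (\S+)")
DELIVERY_RE = re.compile(r"([0-9A-F]{6,}): to=<([^>]+)>, relay=(\S+), .*status=(\w+) \((.*)\)")

def triage(log_text):
    """Correlate smtp(8) log lines per client process; return the outcome per queue id."""
    by_pid = defaultdict(dict)  # an smtp(8) process handles one delivery at a time
    report = {}
    for line in log_text.splitlines():
        m = PROC_RE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        state = by_pid[pid]
        if (f := FAIL_RE.match(msg)):            # chain did not reach a trusted root
            state["relay"], state["untrusted_issuer"] = f.groups()
        elif (t := TLS_RE.match(msg)):           # security level Postfix actually reached
            state["tls_level"], state["relay"], state["protocol"], state["cipher"] = t.groups()
        elif (d := DELIVERY_RE.match(msg)):      # final outcome of this attempt
            qid, rcpt, relay, status, reason = d.groups()
            report[qid] = {"recipient": rcpt, "relay": relay, "status": status,
                           "reason": reason, "tls_level": state.get("tls_level"),
                           "cipher": state.get("cipher"),
                           "untrusted_issuer": state.get("untrusted_issuer")}
            by_pid[pid] = {}                     # the process moves on to its next delivery
    return report

def missing_roots(report):
    """Issuer DNs not chained to a trusted root: the CAs to look for in the client's bundle."""
    return sorted({r["untrusted_issuer"] for r in report.values() if r["untrusted_issuer"]})

if __name__ == "__main__":
    for qid, r in triage(SAMPLE_LOG).items():
        print(qid, r["relay"], r["tls_level"], r["status"], r["untrusted_issuer"])
```

Note that the Postfix SMTP client takes its trust store from smtp_tls_CAfile (or smtp_tls_CApath); smtpd_tls_CAfile only configures the smtpd(8) server side.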