On 12.03.2023 09:55, jeremy ardley wrote:
Back on topic, I have solved getting letsencrypt certificates accepted
by postfix, but not certificates generated by Debian SMTP CA.
Received: from edge.bronzemail.com
(2403-5800-c000-1b7-f3d4-d970-ca28-bf4f.ip6.aussiebb.net
[IPv6:2403:5800:c000:1b7:f3d4:d970:ca28:bf4f])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits)
server-digest SHA256
client-signature RSA-PSS (2048 bits) client-digest SHA256)
(Client CN "edge.bronzemail.com", Issuer "R3" (verified OK))
by mail.bronzemail.com (Postfix) with ESMTPS id B38C6860225
for <jer...@ardley.org>; Sun, 12 Mar 2023 12:50:55 +0800 (AWST)
Authentication-Results: mail.bronzemail.com;
dkim=pass (2048-bit key; unprotected) header.d=ardley.org
header.i=@ardley.org header.a=rsa-sha256 header.s=default
header.b=OfZ0VNf6;
dkim-atps=neutral
Received: from bendel.debian.org (bendel.debian.org [82.195.75.100])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits)
server-digest SHA256
client-signature RSA-PSS (2048 bits) client-digest SHA256)
(Client CN "clientcerts/bendel.debian.org", Issuer "Debian SMTP
CA" (not verified))
by edge.bronzemail.com (Postfix) with ESMTPS id 691864037F
for <jer...@ardley.org>; Sun, 12 Mar 2023 12:50:53 +0800 (AWST)
It says "Issuer "Debian SMTP CA" (not verified)" because your client
(mail server) doesn't have any means to verify the certificate of this
Certificate Authority.
"Debian SMTP CA" is a self-hosted Certificate Authority. That means it is
the first in the chain, so it doesn't have any globally trusted CA above it
that could verify its legitimacy.
To make your client trust it, you have to install its public
certificate into the trusted CA store (in "/etc/ssl/certs/", or wherever your
client is configured to look for trusted CA certs).
You can obtain the CA certificate with the "openssl" utility:
$ openssl s_client -tls1_3 -showcerts -starttls smtp -connect bendel.debian.org:25
The first certificate, identified by the "-----BEGIN CERTIFICATE-----" line,
is always the server's certificate; the last one is the CA certificate. You
can save it to a separate file, so that its contents look like this:
$ cat bendel.debian.org.issuer.crt
-----BEGIN CERTIFICATE-----
MIIE4jCCA8qgAwIBAgIJAKMp9hZf6dHhMA0GCSqGSIb3DQEBCwUAMIGmMQswCQYD
...
ogSbTuTG
-----END CERTIFICATE-----
You can additionally check this certificate for consistency:
$ openssl x509 -text -in ./bendel.debian.org.issuer.crt | grep -iE "issuer:|subject:|ca:true"
Now you can verify the server's certificate using this CA certificate.
With it:
$ openssl s_client -tls1_3 -CAfile bendel.debian.org.issuer.crt -starttls smtp -connect bendel.debian.org:25 2>&1 | grep "Verification"
Verification: OK
Without it:
$ openssl s_client -tls1_3 -CAfile /etc/ssl/certs/ca-certificates.crt -starttls smtp -connect bendel.debian.org:25 2>&1 | grep "Verification"
Verification error: self signed certificate in certificate chain
The final step is to include "bendel.debian.org.issuer.crt" in the
configuration of your mail server, either by installing it into "/etc/ssl/certs/"
or by pointing to it directly.
Now I wonder why the "bendel.debian.org" admins decided not to use a free
Let's Encrypt certificate and decided to use their own self-hosted CA...
--
With kindest regards, Alexander.
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄⠀⠀⠀⠀
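The procedure above (split the -showcerts output, keep the last block as the issuer, check that it really is a CA, then verify with and without it) as an added, runnable example. This is not code from the mail or from Debian: a throwaway private CA named "Example SMTP CA" and a server certificate for the made-up host smtp.example.test stand in for "Debian SMTP CA" and bendel.debian.org, and the chain file is constructed locally in the order s_client prints it (server certificate first, issuer last), so nothing is fetched from the network. It only needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not code from the original mail. A throwaway private CA
# ("Example SMTP CA") and a leaf certificate it signs (smtp.example.test)
# stand in for "Debian SMTP CA" and bendel.debian.org; both names are made up.
# The chain file mimics `openssl s_client -showcerts` output order: the
# server certificate first, the issuer last.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the chain a server sends. A private config is used
# so the result does not depend on the system openssl.cnf.
make_test_chain() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example SMTP CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=smtp.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/leaf.crt" 2>/dev/null
  cat "$WORK/leaf.crt" "$WORK/ca.crt" > "$WORK/chain.pem"
}

# First PEM block of a -showcerts capture: the server's own certificate.
first_cert() {
  awk '/-----BEGIN CERTIFICATE-----/ {p = 1} p {print} /-----END CERTIFICATE-----/ {exit}' "$1"
}

# Last PEM block: the issuer the mail saves as bendel.debian.org.issuer.crt.
last_cert() {
  awk '/-----BEGIN CERTIFICATE-----/ {buf = ""}
       {buf = buf $0 "\n"}
       /-----END CERTIFICATE-----/ {last = buf}
       END {printf "%s", last}' "$1"
}

# The consistency check from the mail, made strict: a root CA certificate is
# self-issued (subject equals issuer) and carries basicConstraints CA:TRUE.
is_ca_cert() {
  subj=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject=//')
  iss=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//')
  if [ "$subj" = "$iss" ] && openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'; then
    return 0
  fi
  return 1
}

# SHA-256 fingerprint, to compare out of band before trusting a CA that was
# fetched from the very peer it is supposed to vouch for.
ca_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# "With it": verify the server certificate against the extracted CA file.
verify_with_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# "Without it": only the chain the server sent and no trust anchor for it
# (a system store, if still consulted, does not contain the private CA either).
# openssl reports "self signed certificate in certificate chain", as in the mail.
verify_without_ca() {
  openssl verify -no-CAfile -no-CApath -untrusted "$2" "$1" >/dev/null 2>&1
}

# Runs the whole procedure; returns 0 only if every expectation holds.
check_chain() {
  first_cert "$WORK/chain.pem" > "$WORK/server.crt"
  last_cert "$WORK/chain.pem" > "$WORK/issuer.crt"
  is_ca_cert "$WORK/issuer.crt" || { echo "last cert is not a self-issued CA"; return 1; }
  if is_ca_cert "$WORK/server.crt"; then echo "first cert should be the leaf"; return 1; fi
  verify_with_ca "$WORK/server.crt" "$WORK/issuer.crt" || { echo "verification with CA failed"; return 1; }
  if verify_without_ca "$WORK/server.crt" "$WORK/chain.pem"; then echo "verification without CA should fail"; return 1; fi
  echo "CA fingerprint (SHA-256): $(ca_fingerprint "$WORK/issuer.crt")"
  echo "Verification: OK"
}

make_test_chain
check_chain
```

Two practical notes. First, a CA certificate taken from the connection it is meant to verify is trust-on-first-use: compare the printed fingerprint with one obtained out of band before installing it. Second, which Postfix parameter the file goes into depends on the direction of the connection: the "not verified" in the Received header above concerns the client certificate that bendel presented to edge.bronzemail.com, which smtpd checks against smtpd_tls_CAfile or smtpd_tls_CApath; outbound connections use smtp_tls_CAfile or smtp_tls_CApath. On Debian, dropping the file as a .crt into /usr/local/share/ca-certificates/ and running update-ca-certificates adds it to /etc/ssl/certs/ca-certificates.crt for everything that uses the system bundle.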