
Re: Postfix + TLS. Why doesn't it let me through?



Mikolaj Golub wrote:

> Maybe you forgot to run postmap on /etc/postfix/relay_clientcerts? Or to put
> the required key in there... does the command
>      postmap -q key hash:/etc/postfix/relay_clientcerts
> get processed correctly?

That's not actually the problem here.
I've missed something somewhere else, because if I run this on the server

root@sandbox:/home/peter# openssl s_client -starttls smtp -CApath /etc/postfix/certs/ -connect localhost:25
CONNECTED(00000003)
depth=1 /C=RU/ST=Some-State/O=Management Company ICB/OU=Certification Authority/CN=sandbox.mcbfa.local/emailAddress=postmaster@sandbox.mcbfa.local
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=RU/ST=Some-State/O=Management Company ICB/OU=Postfix MTA/CN=sandbox.mcbfa.local/emailAddress=postmaster@sandbox.mcbfa.local
   i:/C=RU/ST=Some-State/O=Management Company ICB/OU=Certification Authority/CN=sandbox.mcbfa.local/emailAddress=postmaster@sandbox.mcbfa.local
 1 s:/C=RU/ST=Some-State/O=Management Company ICB/OU=Certification Authority/CN=sandbox.mcbfa.local/emailAddress=postmaster@sandbox.mcbfa.local
   i:/C=RU/ST=Some-State/O=Management Company ICB/OU=Certification Authority/CN=sandbox.mcbfa.local/emailAddress=postmaster@sandbox.mcbfa.local
---
Server certificate
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
subject=/C=RU/ST=Some-State/O=Management Company ICB/OU=Postfix MTA/CN=sandbox.mcbfa.local/emailAddress=postmaster@sandbox.mcbfa.local
issuer=/C=RU/ST=Some-State/O=Management Company ICB/OU=Certification Authority/CN=sandbox.mcbfa.local/emailAddress=postmaster@sandbox.mcbfa.local
---
Acceptable client certificate CA names
/C=RU/ST=Some-State/O=Management Company ICB/OU=Certification Authority/CN=sandbox.mcbfa.local/emailAddress=postmaster@sandbox.mcbfa.local
---
SSL handshake has read 2550 bytes and written 338 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 7F1F31B880DDBD91FD0B943981AE3FC08379445DB68C734E8525E8F230EB7EB8
    Session-ID-ctx:
    Master-Key: 07F86A6119000078BFAFE1FB747888224124718F4B6DF80761E40E4745E1495B691FCA836488347177FFD6DB810FC5AB
    Key-Arg   : None
    Start Time: 1170849720
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
220 sandbox.mcbfa.local ESMTP Postfix (Debian/GNU)
ehlo localhost
250-sandbox.mcbfa.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH DIGEST-MD5
250-AUTH=DIGEST-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: peter@sandbox.mcbfa.local
250 2.1.0 Ok
rcpt to: peter@xxxx.ru
554 5.7.1 <peter@xxxxx.ru>: Relay access denied
quit
221 2.0.0 Bye
read:errno=0


So you can plainly see that TLS goes through fine.

--
Peter Teslenko
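The transcript above shows two separate things worth telling apart: whether the TLS handshake itself completed, and whether the SMTP session after it was authorized to relay. The script below is an added example (not code from the thread or from Postfix) that parses an `openssl s_client -starttls smtp` transcript and reports both, and that computes the colon-separated fingerprint Postfix uses as the lookup key in `relay_clientcerts` (the digest is whatever `smtpd_tls_fingerprint_digest` is set to on the server; to fingerprint a real client certificate, feed it the DER bytes from `openssl x509 -outform DER`). The embedded transcript is a constructed sample modelled on the posted one, with the PEM body and session keys left out and a placeholder relay address; the diagnosis strings are generic guidance, not a statement about this particular server's configuration.

```python
import hashlib
import re

# Constructed sample, modelled on the transcript posted in the thread.
SAMPLE_TRANSCRIPT = """\
CONNECTED(00000003)
depth=1 /C=RU/O=Management Company ICB/OU=Certification Authority/CN=sandbox.mcbfa.local
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=RU/O=Management Company ICB/OU=Postfix MTA/CN=sandbox.mcbfa.local
   i:/C=RU/O=Management Company ICB/OU=Certification Authority/CN=sandbox.mcbfa.local
 1 s:/C=RU/O=Management Company ICB/OU=Certification Authority/CN=sandbox.mcbfa.local
   i:/C=RU/O=Management Company ICB/OU=Certification Authority/CN=sandbox.mcbfa.local
---
Acceptable client certificate CA names
/C=RU/O=Management Company ICB/OU=Certification Authority/CN=sandbox.mcbfa.local
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 19 (self signed certificate in certificate chain)
---
220 sandbox.mcbfa.local ESMTP Postfix (Debian/GNU)
ehlo localhost
250-sandbox.mcbfa.local
250 DSN
mail from: peter@sandbox.mcbfa.local
250 2.1.0 Ok
rcpt to: peter@example.org
554 5.7.1 <peter@example.org>: Relay access denied
quit
221 2.0.0 Bye
"""


def _section(text, header):
    """Lines between an s_client section header and the next '---' separator."""
    lines = text.splitlines()
    if header not in lines:
        return []
    out = []
    for line in lines[lines.index(header) + 1:]:
        if line.strip() == "---":
            break
        out.append(line)
    return out


def parse_transcript(text):
    """Pull out the facts that matter for a Postfix TLS relay diagnosis."""
    chain = []
    for line in _section(text, "Certificate chain"):
        m = re.match(r"\s*\d+ s:(.*)$", line)
        if m:
            chain.append({"subject": m.group(1).strip(), "issuer": None})
            continue
        m = re.match(r"\s*i:(.*)$", line)
        if m and chain:
            chain[-1]["issuer"] = m.group(1).strip()
    ca_names = [l.strip() for l in _section(text, "Acceptable client certificate CA names") if l.strip()]
    m = re.search(r"Verify return code: (\d+) \((.*?)\)", text)
    verify_code, verify_reason = (int(m.group(1)), m.group(2)) if m else (None, None)
    m = re.search(r"^\s*Cipher\s*:\s*(\S+)", text, re.M)
    cipher = m.group(1) if m else None
    # s_client prints cipher 0000 or (NONE) when the handshake did not complete.
    handshake_ok = cipher not in (None, "0000", "(NONE)")
    replies = re.findall(r"^(\d{3})[ -](.*)$", text, re.M)
    relay_denied = any(c == "554" and "Relay access denied" in msg for c, msg in replies)
    return {"chain": chain, "client_ca_names": ca_names, "verify_code": verify_code,
            "verify_reason": verify_reason, "cipher": cipher, "handshake_ok": handshake_ok,
            "smtp_replies": replies, "relay_denied": relay_denied}


def postfix_fingerprint(der, digest="md5"):
    """Certificate fingerprint in the AA:BB:... form used as a relay_clientcerts key.
    `digest` must match smtpd_tls_fingerprint_digest on the server."""
    h = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def diagnose(text):
    """Human-readable findings; generic guidance, not a verdict on any real server."""
    r = parse_transcript(text)
    out = []
    if not r["handshake_ok"]:
        return ["TLS handshake did not complete; fix the server certificate/key first"]
    out.append("TLS handshake completed, cipher %s" % r["cipher"])
    if r["verify_code"] == 19:
        out.append("client did not trust the server chain (error 19): the self-signed CA "
                   "was not found via -CApath, which needs hash-named links (c_rehash)")
    elif r["verify_code"]:
        out.append("server certificate verification failed: %d (%s)" % (r["verify_code"], r["verify_reason"]))
    if not r["client_ca_names"]:
        out.append("server requested no client certificate (check smtpd_tls_ask_ccert and smtpd_tls_CAfile)")
    if r["relay_denied"]:
        out.append("relay refused after TLS: permit_tls_clientcerts needs a client certificate "
                   "(s_client -cert/-key) whose fingerprint is a key in relay_clientcerts")
    return out


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_TRANSCRIPT):
        print("-", finding)
```

Run it against a saved transcript (`openssl s_client ... | tee session.txt`) by passing the file contents to `diagnose()`. The point the parser makes explicit is that "Verify return code: 19" is the client side not trusting the server's CA, while "554 Relay access denied" is the server's access policy; a handshake that completes with a good cipher says nothing about whether a client certificate was presented, and `s_client` presents none unless given `-cert` and `-key`.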
