SSL Zertifikat für Postfix und Dovecot

benediktibk · Nov 17, 2015

Hallo liebes Habo,
lange nicht mehr hier gewesen. Jetzt habe ich aber mal wieder ein Problem mit dem ich mich gerne an euch wende.

Ich versuche gerade meinen Mailserver auf ein offizielles Zertifikat umzustellen, weg vom self-signed. Mit dem self-signed funktioniert alles (Port 25 und 587 mit STARTSSL, 465 mit SSL direkt, 143 mit STARTSSL und 993 mit SSL direkt). Sobald ich aber die richtigen Zertifikate einspiele geht nichts mehr. Mit den selben Zertifikaten läuft aber der nginx einwandfrei.

smtpd_tls_CAfile = /etc/ssl/certs/domain.pem
smtpd_tls_cert_file = /etc/ssl/certs/domain.crt
smtpd_tls_key_file = /etc/ssl/private/domain.key

ssl_ca = </etc/ssl/certs/domain.pem
ssl_cert = </etc/ssl/certs/domain.crt
ssl_key = </etc/ssl/private/domain.key

ssl_certificate /etc/ssl/certs/domain.crt;
ssl_certificate_key /etc/ssl/private/domain.key;

Verbindungsversuche mit Thunderbird (465 und 993):

Nov 17 21:02:06 benediktibk postfix/smtpd[21619]: initializing the server-side TLS engine
Nov 17 21:02:06 benediktibk postfix/smtpd[21619]: connect from unknown[192.168.42.26]
Nov 17 21:02:06 benediktibk postfix/smtpd[21619]: setting up TLS connection from unknown[192.168.42.26]
Nov 17 21:02:06 benediktibk postfix/smtpd[21619]: unknown[192.168.42.26]: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4

STRENGTH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CDC3-SHA:!KRB5-DE5:!CBC3-SHA"
Nov 17 21:02:06 benediktibk postfix/smtpd[21619]: SSL_accept:before/accept initialization
Nov 17 21:02:06 benediktibk postfix/smtpd[21619]: SSL_accept:unknown state
Nov 17 21:02:06 benediktibk postfix/smtpd[21619]: SSL_accept:unknown state
Nov 17 21:02:06 benediktibk postfix/smtpd[21619]: SSL_accept:unknown state
Nov 17 21:02:06 benediktibk postfix/smtpd[21619]: SSL_accept:unknown state
Nov 17 21:02:06 benediktibk postfix/smtpd[21619]: SSL_accept:unknown state
Nov 17 21:02:06 benediktibk postfix/smtpd[21619]: SSL_accept:unknown state
Nov 17 21:02:06 benediktibk postfix/smtpd[21619]: SSL_accept:unknown state
Nov 17 21:02:06 benediktibk postfix/smtpd[21619]: SSL_accept:unknown state
Nov 17 21:02:06 benediktibk postfix/smtpd[21619]: unknown[192.168.42.26]: Issuing session ticket, key expiration: 1447792325
Nov 17 21:02:06 benediktibk postfix/smtpd[21619]: SSL_accept:unknown state
Nov 17 21:02:06 benediktibk postfix/smtpd[21619]: SSL_accept:unknown state
Nov 17 21:02:06 benediktibk postfix/smtpd[21619]: SSL_accept:unknown state
Nov 17 21:02:06 benediktibk postfix/smtpd[21619]: SSL_accept:unknown state
Nov 17 21:02:06 benediktibk postfix/smtpd[21619]: Anonymous TLS connection established from unknown[192.168.42.26]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Nov 17 21:02:06 benediktibk postfix/smtpd[21619]: lost connection after CONNECT from unknown[192.168.42.26]

Nov 17 21:04:14 auth: Debug: auth client connected (pid=21925)
Nov 17 21:04:14 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.42.26, lip=192.168.42.126, TLS: SSL_read() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48, session=<kCusB8IkZQDAqCoa>

Interessanterweise sieht die Sache aber anders aus, wenn ich mich mit openssl verbinde:

C:\Program Files (x86)\GnuWin32\bin>openssl.exe s_client -connect benediktibk.no-ip.biz:993
Loading 'screen' into random state - done
CONNECTED(000001C0)
depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=benediktibk.no-ip.biz
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFZDCCBEygAwIBAgIRANPZxl92czlAiTJiMvgwg4UwDQYJKoZIhvcNAQELBQAw
gZAxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTYwNAYD
VQQDEy1DT01PRE8gUlNBIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIg
Q0EwHhcNMTUxMTA5MDAwMDAwWhcNMTgxMTA4MjM1OTU5WjBZMSEwHwYDVQQLExhE
b21haW4gQ29udHJvbCBWYWxpZGF0ZWQxFDASBgNVBAsTC1Bvc2l0aXZlU1NMMR4w
HAYDVQQDExViZW5lZGlrdGliay5uby1pcC5iaXowggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQCe+RAqEqp9YT/a21S1v5ndpQO+mlkX5+6NYuxgg8SG4+C1
I/6ujxpRIO53i+ZM53cd0hwBiG7vIH94rCSSAaCLAAUmlmq8rE9hGJ/7wVt4ul9H
Breffh6+WCk1WrCJkwFYGsSsHnabyxldgBItIZRjKGKZc/C8gOdWPfJhhT9xmCpe
XjA83BIyGBPdTVfrpkDBW5W5ZO4Vxbwv/Fdeg2gfWGFRcACDy06NefrWKOhEXAlS
exJabYPZC7tMil9R9zDphqbiwDnedj7TxVYEyu3lywczS0FzqkHSptdzIvoL9I5m
uVQABDKTYDWz6THmVnWNJLcrJfhXeIW10zM/iHH5AgMBAAGjggHtMIIB6TAfBgNV
HSMEGDAWgBSQr2o6lFoL2JDqElZz30O0Oija5zAdBgNVHQ4EFgQUDrbIYJR5dQi0
VL5iBRiFbdcstDgwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCME8GA1UdIARIMEYwOgYLKwYBBAGyMQEC
AgcwKzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNvbS9DUFMw
CAYGZ4EMAQIBMFQGA1UdHwRNMEswSaBHoEWGQ2h0dHA6Ly9jcmwuY29tb2RvY2Eu
Y29tL0NPTU9ET1JTQURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcmww
gYUGCCsGAQUFBwEBBHkwdzBPBggrBgEFBQcwAoZDaHR0cDovL2NydC5jb21vZG9j
YS5jb20vQ09NT0RPUlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNy
dDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMDsGA1UdEQQ0
MDKCFWJlbmVkaWt0aWJrLm5vLWlwLmJpeoIZd3d3LmJlbmVkaWt0aWJrLm5vLWlw
LmJpejANBgkqhkiG9w0BAQsFAAOCAQEAYFYMWOAq+RdFoBQbQoSv8+7kAonYKaW2
Tfp9h3IP6bIktA3/jQBp+o/WCB5JjftbKOUUjlURnbSSn4yB9w0B4P4YtXN43EF3
U8Mtw0rA39DaTwO0UrU2Yv4TU1gcb+Po0j/bWw2BgsoqcBywfkZa1DpTb6mEhRTN
giY2aK0M36aBEQ1Kiv05oqSyum9Ltb+FkKdiKIi+o6Jrnrv7TSoL8SNEWVfx9SQ0
33gSr0FDDGpTChp4rhFqFpOnq7KGAMTZldKq7bN6VqbBBcHRk7vdbJrthOpCFawX
bHgvbF9mdMf1UKYViwNgj/wTfX4cRwrPkU+pJwDvRJKdP2zIa521+Q==
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=benediktibk.no-ip.biz
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 6371 bytes and written 450 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES128-SHA
Session-ID: 630E987F24875400E10000F733426523346439DC2669445F4C2578600E523698
Session-ID-ctx:
Master-Key: 18EFA93D7A9F3EBE6E4D9A3C966BA3010AA9E7772B6FB3CC04F38842357EAF195D35566C09AEFB9102BE90D95065ED1A
Key-Arg : None
Start Time: 1447790739
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

C:\Program Files (x86)\GnuWin32\bin>openssl.exe s_client -connect benediktibk.no-ip.biz:465
Loading 'screen' into random state - done
CONNECTED(000001D4)
depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=benediktibk.no-ip.biz
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFZDCCBEygAwIBAgIRANPZxl92czlAiTJiMvgwg4UwDQYJKoZIhvcNAQELBQAw
gZAxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTYwNAYD
VQQDEy1DT01PRE8gUlNBIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIg
Q0EwHhcNMTUxMTA5MDAwMDAwWhcNMTgxMTA4MjM1OTU5WjBZMSEwHwYDVQQLExhE
b21haW4gQ29udHJvbCBWYWxpZGF0ZWQxFDASBgNVBAsTC1Bvc2l0aXZlU1NMMR4w
HAYDVQQDExViZW5lZGlrdGliay5uby1pcC5iaXowggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQCe+RAqEqp9YT/a21S1v5ndpQO+mlkX5+6NYuxgg8SG4+C1
I/6ujxpRIO53i+ZM53cd0hwBiG7vIH94rCSSAaCLAAUmlmq8rE9hGJ/7wVt4ul9H
Breffh6+WCk1WrCJkwFYGsSsHnabyxldgBItIZRjKGKZc/C8gOdWPfJhhT9xmCpe
XjA83BIyGBPdTVfrpkDBW5W5ZO4Vxbwv/Fdeg2gfWGFRcACDy06NefrWKOhEXAlS
exJabYPZC7tMil9R9zDphqbiwDnedj7TxVYEyu3lywczS0FzqkHSptdzIvoL9I5m
uVQABDKTYDWz6THmVnWNJLcrJfhXeIW10zM/iHH5AgMBAAGjggHtMIIB6TAfBgNV
HSMEGDAWgBSQr2o6lFoL2JDqElZz30O0Oija5zAdBgNVHQ4EFgQUDrbIYJR5dQi0
VL5iBRiFbdcstDgwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCME8GA1UdIARIMEYwOgYLKwYBBAGyMQEC
AgcwKzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNvbS9DUFMw
CAYGZ4EMAQIBMFQGA1UdHwRNMEswSaBHoEWGQ2h0dHA6Ly9jcmwuY29tb2RvY2Eu
Y29tL0NPTU9ET1JTQURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcmww
gYUGCCsGAQUFBwEBBHkwdzBPBggrBgEFBQcwAoZDaHR0cDovL2NydC5jb21vZG9j
YS5jb20vQ09NT0RPUlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNy
dDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMDsGA1UdEQQ0
MDKCFWJlbmVkaWt0aWJrLm5vLWlwLmJpeoIZd3d3LmJlbmVkaWt0aWJrLm5vLWlw
LmJpejANBgkqhkiG9w0BAQsFAAOCAQEAYFYMWOAq+RdFoBQbQoSv8+7kAonYKaW2
Tfp9h3IP6bIktA3/jQBp+o/WCB5JjftbKOUUjlURnbSSn4yB9w0B4P4YtXN43EF3
U8Mtw0rA39DaTwO0UrU2Yv4TU1gcb+Po0j/bWw2BgsoqcBywfkZa1DpTb6mEhRTN
giY2aK0M36aBEQ1Kiv05oqSyum9Ltb+FkKdiKIi+o6Jrnrv7TSoL8SNEWVfx9SQ0
33gSr0FDDGpTChp4rhFqFpOnq7KGAMTZldKq7bN6VqbBBcHRk7vdbJrthOpCFawX
bHgvbF9mdMf1UKYViwNgj/wTfX4cRwrPkU+pJwDvRJKdP2zIa521+Q==
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=benediktibk.no-ip.biz
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 6371 bytes and written 450 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 2CD86A991CFE5160014CD2B6B2BEA0A85A1948747A1F8FB13ABA5E9C7D5166D5
Session-ID-ctx:
Master-Key: 298567A15052CBA9C633C32B9AA6176F579BF9E969BA0F685B0757124C90450E35E5B2C8CF73B149739D652B53FD5010
Key-Arg : None
Start Time: 1447790839
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
220 benediktibk.no-ip.biz ESMTP Postfix (Raspbian)

So aus dem Bauch heraus vermute ich, dass es was mit dem Verify return code: 19 zu tun hat.

Weiß jemand was ich da falsch mache?

lg benediktibk

bitmuncher · Nov 17, 2015

Postfix benötigt die komplette Zertifikatskette im Cert-File. Sonst führt das meiner Erfahrung nach zu Problemen. Gleiches gilt für Dovecot. Packe daher mal alle Zertifikate inklusive des Keys in eine PEM-Datei und gib diese sowohl als ssl_cert als auch als ssl_key in der Config an.

benediktibk · Nov 17, 2015

Wenn ich das so angebe

Code:

-----BEGIN CERTIFICATE-----
MIIGCDCCA/CgAwIBAgIQKy5u6tl1NmwUim7bo3yMBzANBgkqhkiG9w0BAQwFADCB
hTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNV
BAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwMjEy
MDAwMDAwWhcNMjkwMjExMjM1OTU5WjCBkDELMAkGA1UEBhMCR0IxGzAZBgNVBAgT
EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR
Q09NT0RPIENBIExpbWl0ZWQxNjA0BgNVBAMTLUNPTU9ETyBSU0EgRG9tYWluIFZh
bGlkYXRpb24gU2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAI7CAhnhoFmk6zg1jSz9AdDTScBkxwtiBUUWOqigwAwCfx3M28Sh
bXcDow+G+eMGnD4LgYqbSRutA776S9uMIO3Vzl5ljj4Nr0zCsLdFXlIvNN5IJGS0
Qa4Al/e+Z96e0HqnU4A7fK31llVvl0cKfIWLIpeNs4TgllfQcBhglo/uLQeTnaG6
ytHNe+nEKpooIZFNb5JPJaXyejXdJtxGpdCsWTWM/06RQ1A/WZMebFEh7lgUq/51
UHg+TLAchhP6a5i84DuUHoVS3AOTJBhuyydRReZw3iVDpA3hSqXttn7IzW3uLh0n
c13cRTCAquOyQQuvvUSH2rnlG51/ruWFgqUCAwEAAaOCAWUwggFhMB8GA1UdIwQY
MBaAFLuvfgI9+qbxPISOre44mOzZMjLUMB0GA1UdDgQWBBSQr2o6lFoL2JDqElZz
30O0Oija5zAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNV
HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGwYDVR0gBBQwEjAGBgRVHSAAMAgG
BmeBDAECATBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8vY3JsLmNvbW9kb2NhLmNv
bS9DT01PRE9SU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDBxBggrBgEFBQcB
AQRlMGMwOwYIKwYBBQUHMAKGL2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9E
T1JTQUFkZFRydXN0Q0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21v
ZG9jYS5jb20wDQYJKoZIhvcNAQEMBQADggIBAE4rdk+SHGI2ibp3wScF9BzWRJ2p
mj6q1WZmAT7qSeaiNbz69t2Vjpk1mA42GHWx3d1Qcnyu3HeIzg/3kCDKo2cuH1Z/
e+FE6kKVxF0NAVBGFfKBiVlsit2M8RKhjTpCipj4SzR7JzsItG8kO3KdY3RYPBps
P0/HEZrIqPW1N+8QRcZs2eBelSaz662jue5/DJpmNXMyYE7l3YphLG5SEXdoltMY
dVEVABt0iN3hxzgEQyjpFv3ZBdRdRydg1vs4O2xyopT4Qhrf7W8GjEXCBgCq5Ojc
2bXhc3js9iPc0d1sjhqPpepUfJa3w/5Vjo1JXvxku88+vZbrac2/4EjxYoIQ5QxG
V/Iz2tDIY+3GH5QFlkoakdH368+PUq4NCNk+qKBR6cGHdNXJ93SrLlP7u3r7l+L4
HyaPs9Kg4DdbKDsx5Q5XLVq4rXmsXiBmGqW5prU5wfWYQ//u+aen/e7KJD2AFsQX
j4rBYKEMrltDR5FL1ZoXX/nUh8HCjLfn4g8wGTeGrODcQgPmlKidrv0PJFGUzpII
0fxQ8ANAe4hZ7Q7drNJ3gjTcBpUC2JD5Leo31Rpg0Gcg19hCC0Wvgmje3WYkN5Ap
lBlGGSW4gNfL1IYoakRwJiNiqZ+Gb7+6kHDSVneFeO/qJakXzlByjAA6quPbYzSf
+AZxAeKCINT+b72x
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIFdDCCBFygAwIBAgIQJ2buVutJ846r13Ci/ITeIjANBgkqhkiG9w0BAQwFADBv
MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
eHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFow
gYUxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMSswKQYD
VQQDEyJDT01PRE8gUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjANBgkq
hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAkehUktIKVrGsDSTdxc9EZ3SZKzejfSNw
AHG8U9/E+ioSj0t/EFa9n3Byt2F/yUsPF6c947AEYe7/EZfH9IY+Cvo+XPmT5jR6
2RRr55yzhaCCenavcZDX7P0N+pxs+t+wgvQUfvm+xKYvT3+Zf7X8Z0NyvQwA1onr
ayzT7Y+YHBSrfuXjbvzYqOSSJNpDa2K4Vf3qwbxstovzDo2a5JtsaZn4eEgwRdWt
4Q08RWD8MpZRJ7xnw8outmvqRsfHIKCxH2XeSAi6pE6p8oNGN4Tr6MyBSENnTnIq
m1y9TBsoilwie7SrmNnu4FGDwwlGTm0+mfqVF9p8M1dBPI1R7Qu2XK8sYxrfV8g/
vOldxJuvRZnio1oktLqpVj3Pb6r/SVi+8Kj/9Lit6Tf7urj0Czr56ENCHonYhMsT
8dm74YlguIwoVqwUHZwK53Hrzw7dPamWoUi9PPevtQ0iTMARgexWO/bTouJbt7IE
IlKVgJNp6I5MZfGRAy1wdALqi2cVKWlSArvX31BqVUa/oKMoYX9w0MOiqiwhqkfO
KJwGRXa/ghgntNWutMtQ5mv0TIZxMOmm3xaG4Nj/QN370EKIf6MzOi5cHkERgWPO
GHFrK+ymircxXDpqR+DDeVnWIBqv8mqYqnK8V0rSS527EPywTEHl7R09XiidnMy/
s1Hap0flhFMCAwEAAaOB9DCB8TAfBgNVHSMEGDAWgBStvZh6NLQm9/rEJlTvA73g
JMtUGjAdBgNVHQ4EFgQUu69+Aj36pvE8hI6t7jiY7NkyMtQwDgYDVR0PAQH/BAQD
AgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAGBgRVHSAAMEQGA1UdHwQ9
MDswOaA3oDWGM2h0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4dGVy
bmFsQ0FSb290LmNybDA1BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0dHA6
Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEMBQADggEBAGS/g/FfmoXQ
zbihKVcN6Fr30ek+8nYEbvFScLsePP9NDXRqzIGCJdPDoCpdTPW6i6FtxFQJdcfj
Jw5dhHk3QBN39bSsHNA7qxcS1u80GH4r6XnTq1dFDK8o+tDb5VCViLvfhVdpfZLY
Uspzgb8c8+a4bmYRBbMelC1/kZWSWfFMzqORcUx8Rww7Cxn2obFshj5cqsQugsv5
B5a6SE2Q8pTIqXOi6wZ7I53eovNNVZ96YUWYGGjHXkBrI/V5eu+MtWuLt29G9Hvx
PUsE2JOAWVrgQSQdso8VYFhH2+9uRv0V9dlfmrPb2LjkQLPNlzmuhbsdjrzch5vR
pu/xO28QOG8=
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIFZDCCBEygAwIBAgIRANPZxl92czlAiTJiMvgwg4UwDQYJKoZIhvcNAQELBQAw
gZAxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTYwNAYD
VQQDEy1DT01PRE8gUlNBIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIg
Q0EwHhcNMTUxMTA5MDAwMDAwWhcNMTgxMTA4MjM1OTU5WjBZMSEwHwYDVQQLExhE
b21haW4gQ29udHJvbCBWYWxpZGF0ZWQxFDASBgNVBAsTC1Bvc2l0aXZlU1NMMR4w
HAYDVQQDExViZW5lZGlrdGliay5uby1pcC5iaXowggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQCe+RAqEqp9YT/a21S1v5ndpQO+mlkX5+6NYuxgg8SG4+C1
I/6ujxpRIO53i+ZM53cd0hwBiG7vIH94rCSSAaCLAAUmlmq8rE9hGJ/7wVt4ul9H
Breffh6+WCk1WrCJkwFYGsSsHnabyxldgBItIZRjKGKZc/C8gOdWPfJhhT9xmCpe
XjA83BIyGBPdTVfrpkDBW5W5ZO4Vxbwv/Fdeg2gfWGFRcACDy06NefrWKOhEXAlS
exJabYPZC7tMil9R9zDphqbiwDnedj7TxVYEyu3lywczS0FzqkHSptdzIvoL9I5m
uVQABDKTYDWz6THmVnWNJLcrJfhXeIW10zM/iHH5AgMBAAGjggHtMIIB6TAfBgNV
HSMEGDAWgBSQr2o6lFoL2JDqElZz30O0Oija5zAdBgNVHQ4EFgQUDrbIYJR5dQi0
VL5iBRiFbdcstDgwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCME8GA1UdIARIMEYwOgYLKwYBBAGyMQEC
AgcwKzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNvbS9DUFMw
CAYGZ4EMAQIBMFQGA1UdHwRNMEswSaBHoEWGQ2h0dHA6Ly9jcmwuY29tb2RvY2Eu
Y29tL0NPTU9ET1JTQURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcmww
gYUGCCsGAQUFBwEBBHkwdzBPBggrBgEFBQcwAoZDaHR0cDovL2NydC5jb21vZG9j
YS5jb20vQ09NT0RPUlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNy
dDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMDsGA1UdEQQ0
MDKCFWJlbmVkaWt0aWJrLm5vLWlwLmJpeoIZd3d3LmJlbmVkaWt0aWJrLm5vLWlw
LmJpejANBgkqhkiG9w0BAQsFAAOCAQEAYFYMWOAq+RdFoBQbQoSv8+7kAonYKaW2
Tfp9h3IP6bIktA3/jQBp+o/WCB5JjftbKOUUjlURnbSSn4yB9w0B4P4YtXN43EF3
U8Mtw0rA39DaTwO0UrU2Yv4TU1gcb+Po0j/bWw2BgsoqcBywfkZa1DpTb6mEhRTN
giY2aK0M36aBEQ1Kiv05oqSyum9Ltb+FkKdiKIi+o6Jrnrv7TSoL8SNEWVfx9SQ0
33gSr0FDDGpTChp4rhFqFpOnq7KGAMTZldKq7bN6VqbBBcHRk7vdbJrthOpCFawX
bHgvbF9mdMf1UKYViwNgj/wTfX4cRwrPkU+pJwDvRJKdP2zIa521+Q==
-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----
.....
-----END RSA PRIVATE KEY-----

bekomme ich folgende Meldung

Code:

Nov 17 22:44:58 benediktibk postfix/smtpd[2312]: warning: cannot get RSA private key from file /etc/ssl/private/benediktibk.no-ip.biz.pem: disabling TLS support
Nov 17 22:44:58 benediktibk postfix/smtpd[2312]: warning: TLS library problem: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:330:

Ebenso wenn ich den Key aus dem pem wieder raus nehme und in einem eigenen File ablege. Wenn ich dann wieder nur das public Zertifikat (ohne chain) und den key angebe ist das Resultat dieser hier:

Code:

C:\Program Files (x86)\GnuWin32\bin>openssl s_client -connect benediktibk.no-ip.biz:465
Loading 'screen' into random state - done
CONNECTED(000001D4)
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=benediktibk.no-ip.biz
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=benediktibk.no-ip.biz
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=benediktibk.no-ip.biz
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=benediktibk.no-ip.biz
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFZDCCBEygAwIBAgIRANPZxl92czlAiTJiMvgwg4UwDQYJKoZIhvcNAQELBQAw
gZAxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTYwNAYD
VQQDEy1DT01PRE8gUlNBIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIg
Q0EwHhcNMTUxMTA5MDAwMDAwWhcNMTgxMTA4MjM1OTU5WjBZMSEwHwYDVQQLExhE
b21haW4gQ29udHJvbCBWYWxpZGF0ZWQxFDASBgNVBAsTC1Bvc2l0aXZlU1NMMR4w
HAYDVQQDExViZW5lZGlrdGliay5uby1pcC5iaXowggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQCe+RAqEqp9YT/a21S1v5ndpQO+mlkX5+6NYuxgg8SG4+C1
I/6ujxpRIO53i+ZM53cd0hwBiG7vIH94rCSSAaCLAAUmlmq8rE9hGJ/7wVt4ul9H
Breffh6+WCk1WrCJkwFYGsSsHnabyxldgBItIZRjKGKZc/C8gOdWPfJhhT9xmCpe
XjA83BIyGBPdTVfrpkDBW5W5ZO4Vxbwv/Fdeg2gfWGFRcACDy06NefrWKOhEXAlS
exJabYPZC7tMil9R9zDphqbiwDnedj7TxVYEyu3lywczS0FzqkHSptdzIvoL9I5m
uVQABDKTYDWz6THmVnWNJLcrJfhXeIW10zM/iHH5AgMBAAGjggHtMIIB6TAfBgNV
HSMEGDAWgBSQr2o6lFoL2JDqElZz30O0Oija5zAdBgNVHQ4EFgQUDrbIYJR5dQi0
VL5iBRiFbdcstDgwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCME8GA1UdIARIMEYwOgYLKwYBBAGyMQEC
AgcwKzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNvbS9DUFMw
CAYGZ4EMAQIBMFQGA1UdHwRNMEswSaBHoEWGQ2h0dHA6Ly9jcmwuY29tb2RvY2Eu
Y29tL0NPTU9ET1JTQURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcmww
gYUGCCsGAQUFBwEBBHkwdzBPBggrBgEFBQcwAoZDaHR0cDovL2NydC5jb21vZG9j
YS5jb20vQ09NT0RPUlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNy
dDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMDsGA1UdEQQ0
MDKCFWJlbmVkaWt0aWJrLm5vLWlwLmJpeoIZd3d3LmJlbmVkaWt0aWJrLm5vLWlw
LmJpejANBgkqhkiG9w0BAQsFAAOCAQEAYFYMWOAq+RdFoBQbQoSv8+7kAonYKaW2
Tfp9h3IP6bIktA3/jQBp+o/WCB5JjftbKOUUjlURnbSSn4yB9w0B4P4YtXN43EF3
U8Mtw0rA39DaTwO0UrU2Yv4TU1gcb+Po0j/bWw2BgsoqcBywfkZa1DpTb6mEhRTN
giY2aK0M36aBEQ1Kiv05oqSyum9Ltb+FkKdiKIi+o6Jrnrv7TSoL8SNEWVfx9SQ0
33gSr0FDDGpTChp4rhFqFpOnq7KGAMTZldKq7bN6VqbBBcHRk7vdbJrthOpCFawX
bHgvbF9mdMf1UKYViwNgj/wTfX4cRwrPkU+pJwDvRJKdP2zIa521+Q==
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=benediktibk.no-ip.biz
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 2332 bytes and written 450 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 0C69BB3572D0272D4B88CF272DDBA0358E503EA5295DA0A73667807B7F88B2FE
    Session-ID-ctx:
    Master-Key: 31B258C56AF5A562108D7E485AA3D528467ECA50964D7A2F044D5132A852DF0E655CBACF9FEE9E81F24A1BCBAD630E83
    Key-Arg   : None
    Start Time: 1447797229
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
220 benediktibk.no-ip.biz ESMTP Postfix (Raspbian)

Wenn ich dann wieder das smtpd_ca_file setze kommt wieder der Verify return code: 19 (self signed certificate in certificate chain).

Für den letzten Fall verwende ich übrigens diese Dateien

Zusammengefasst: Ich weiß viele Variante wie es nicht geht mit unterschiedlichen Fehlermeldungen am Ende

. Ich vermute ja immer noch, dass ich die Zertifikate falsch aneinander hänge.

lg benediktibk

bitmuncher · Nov 17, 2015

Ich hab bei mir den Key an erster Stelle, danach folgt die Zertifikatskette.

Edit: Und vermeide die freien Zeilen dazwischen. Ausserdem sicherstellen, dass keine Windows-Zeilenumbrüche drin sind.

benediktibk · Nov 19, 2015

Nope, mag immer noch nicht. Bei der Variante key|intermediate certificate|eigenes zertifikat beschwert sich postfix dann, dass er den key nicht findet. In der Variante schlägt auch ein openssl verify ohne expliziter Angabe vom CA-file fehl:

Code:

benediktibk@benediktibk ~ $ sudo openssl verify -CAfile /etc/ssl/certs/domain.pem /etc/ssl/private/domain.pem
/etc/ssl/private/domain.pem: OK
benediktibk@benediktibk ~ $ sudo openssl verify /etc/ssl/private/domain.pem
/etc/ssl/private/domain.pem: C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
error 20 at 0 depth lookup:unable to get local issuer certificate

Dabei enthält /etc/ssl/certs/domain.pem das intermediate certifcate und /etc/ssl/private/domain.pem die chain inklusive key am Anfang.

Leerzeilen und Windows-Zeilenumbrüche habe ich übrigens eliminiert, danke für den Tipp.

mfg benediktibk

chr0n0s · Nov 20, 2015

Versuche mal das, falls noch nicht geschehen:

https://goinggnu.wordpress.com/2015/04/10/fix-unknown-ca-error-in-apache-ssl/

SchwarzeBeere · Nov 20, 2015

Key und Certs in einer Datei? Das eine ist privat, das andere öffentlich, das speichert man nicht in einer Datei...

Im Dovecot Wiki findest du den korrekten Aufbau der Chain:
Chain.pem = Dein Zertifikat + Sub CA + .. + Root CA
PK.key = der zu deinem Zertifikat gehörende Private Key

Die Angabe von ssl_ca ist nicht notwendig, wenn es dir nur um Server Authentifizerung auf Client-Seite geht. Das Root CA Zertifikat würde ansonsten nur zur Client Authentifizierung genutzt werden, d.h. wenn der Server beim Verbindungsaufbau ein Zertifikat des Clients prüfen müsste.

benediktibk · Nov 22, 2015

Danke für die Tipps, ich habe mir die ganze Chain neu heruntergeladen und aneinander gehängt:

eigenes public Zertifikat
intermediates
root

Außerdem ist jetzt im Key-File wieder wirklich nur mehr das Key-File. Ergebnis:
https://www.sslshopper.com/ssl-checker.html#hostname=benediktibk.no-ip.biz:443
https://www.sslshopper.com/ssl-checker.html#hostname=benediktibk.no-ip.biz:993
https://www.sslshopper.com/ssl-checker.html#hostname=benediktibk.no-ip.biz:465

Sieht doch alles super aus, für mich zumindest. Trotzdem bekomme ich immer noch keinen Login mit dem Thunderbird zusammen, ich habe weiterhin in den Logs dieselben Error-Messages:

Code:

Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: setting up TLS connection from unknown[192.168.42.26]
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: unknown[192.168.42.26]: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CDC3-SHA:!KRB5-DE5:!CBC3-SHA"
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: send attr request = seed
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: send attr size = 32
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: private/tlsmgr: wanted attribute: status
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: input attribute name: status
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: input attribute value: 0
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: private/tlsmgr: wanted attribute: seed
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: input attribute name: seed
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: input attribute value: fniG/XGUZYCCXVGsNKC1SrM6W2++WMn4RuJ4EmvvzFM=
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: private/tlsmgr: wanted attribute: (list terminator)
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: input attribute name: (end)
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: SSL_accept:before/accept initialization
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: SSL_accept:unknown state
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: SSL_accept:unknown state
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: SSL_accept:unknown state
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: SSL_accept:unknown state
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: SSL_accept:unknown state
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: SSL_accept:unknown state
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: SSL_accept:unknown state
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: SSL_accept:unknown state
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: send attr request = tktkey
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: send attr keyname = [data 0 bytes]
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: private/tlsmgr: wanted attribute: status
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: input attribute name: status
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: input attribute value: 0
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: private/tlsmgr: wanted attribute: keybuf
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: input attribute name: keybuf
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: input attribute value: UWaFed+GcqvxtrWnJv370ivu47H0xIEyarr7UCrLf6wq0Q78Ctc4rje1g9TKJi5cTwVSVg==
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: private/tlsmgr: wanted attribute: (list terminator)
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: input attribute name: (end)
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: unknown[192.168.42.26]: Issuing session ticket, key expiration: 1448215887
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: SSL_accept:unknown state
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: SSL_accept:unknown state
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: SSL_accept:unknown state
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: SSL_accept:unknown state
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: Anonymous TLS connection established from unknown[192.168.42.26]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: xsasl_dovecot_server_create: SASL service=smtp, realm=(null)
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: name_mask: noanonymous
Nov 22 19:08:49 benediktibk postfix/smtpd[16230]: xsasl_dovecot_server_connect: Connecting
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: xsasl_dovecot_server_connect: auth reply: VERSION?1?1
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: xsasl_dovecot_server_connect: auth reply: MECH?PLAIN?plaintext
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: name_mask: plaintext
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: xsasl_dovecot_server_connect: auth reply: MECH?LOGIN?plaintext
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: name_mask: plaintext
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: xsasl_dovecot_server_connect: auth reply: SPID?16234
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: xsasl_dovecot_server_connect: auth reply: CUID?1
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: xsasl_dovecot_server_connect: auth reply: COOKIE?023b721af540ffd65c82b5f47690eed1
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: xsasl_dovecot_server_connect: auth reply: DONE
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: xsasl_dovecot_server_mech_filter: keep mechanism: PLAIN
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: xsasl_dovecot_server_mech_filter: keep mechanism: LOGIN
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: match_hostname: unknown ~? 127.0.0.1
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: match_hostaddr: 192.168.42.26 ~? 127.0.0.1
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: match_list_match: unknown: no match
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: match_list_match: 192.168.42.26: no match
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: auto_clnt_open: connected to private/anvil
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: send attr request = connect
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: send attr ident = smtps:192.168.42.26
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: private/anvil: wanted attribute: status
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: input attribute name: status
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: input attribute value: 0
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: private/anvil: wanted attribute: count
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: input attribute name: count
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: input attribute value: 1
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: private/anvil: wanted attribute: rate
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: input attribute name: rate
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: input attribute value: 1
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: private/anvil: wanted attribute: (list terminator)
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: input attribute name: (end)
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: > unknown[192.168.42.26]: 220 benediktibk.no-ip.biz ESMTP Postfix (Raspbian)
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: watchdog_pat: 0x561845f8
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: smtp_get: EOF
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: match_hostname: unknown ~? 127.0.0.1
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: match_hostaddr: 192.168.42.26 ~? 127.0.0.1
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: match_list_match: unknown: no match
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: match_list_match: 192.168.42.26: no match
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: send attr request = disconnect
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: send attr ident = smtps:192.168.42.26
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: private/anvil: wanted attribute: status
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: input attribute name: status
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: input attribute value: 0
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: private/anvil: wanted attribute: (list terminator)
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: input attribute name: (end)
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: lost connection after CONNECT from unknown[192.168.42.26]
Nov 22 19:08:50 benediktibk postfix/smtpd[16230]: disconnect from unknown[192.168.42.26]

Code:

Nov 22 19:21:16 auth: Debug: auth client connected (pid=19166)
Nov 22 19:21:16 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.42.26, lip=192.168.42.126, TLS: SSL_read() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48, session=<rS+hLCUlmADAqCoa>
Nov 22 19:27:33 auth: Debug: auth client connected (pid=20544)
Nov 22 19:27:33 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.42.26, lip=192.168.42.126, TLS: SSL_read() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48, session=<QNAcQyUl8gDAqCoa>

Im Wireshark sehe ich eine Message vom Typ Encrypted Alert. Ist die das Problem? Im Anhang findet ihr zwei captures, einmal dovecot (imap) und einmal postfix (smtp).

mfg benediktibk

SchwarzeBeere · Nov 23, 2015

Also.. die PCAPs enthalten folgende Pakete:

Code:

$ ssldump -anr postfix_ssl.pcapng
New TCP connection #1: 192.168.42.26(50358) <-> 192.168.42.126(465)
1 1  0.0005 (0.0005)  C>S  Handshake
      ClientHello
[...]
1 2  0.1889 (0.1884)  S>C  Handshake
      ServerHello
[...]
1 3  0.2727 (0.0837)  S>C  Handshake
      Certificate
1 4  0.2727 (0.0000)  S>C  Handshake
      ServerKeyExchange
1 5  0.2727 (0.0000)  S>C  Handshake
      ServerHelloDone
1 6  0.2780 (0.0053)  C>S  Handshake
      ClientKeyExchange
1 7  0.2780 (0.0000)  C>S  ChangeCipherSpec
1 8  0.2780 (0.0000)  C>S  Handshake
[B]1 9  0.2783 (0.0002)  C>S  Alert[/B]
1    0.2783 (0.0000)  C>S  TCP FIN
1 10 0.2996 (0.0213)  S>C  Handshake
1 11 0.2996 (0.0000)  S>C  ChangeCipherSpec
1 12 0.2996 (0.0000)  S>C  Handshake

Dovecot analog. Der Alert kommt bereits verschlüsselt, daher wird man die genaue Nachricht nicht sehen. Letzten Endes passt das aber auch zu der von dir gezeigten Log-Meldung:

Code:

Nov 22 19:21:16 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.42.26, lip=192.168.42.126, TLS: SSL_read() failed: error:14094418:SSL routines:SSL3_READ_BYTES:[B]tlsv1 alert unknown ca: SSL alert number 48[/B], session=<rS+hLCUlmADAqCoa>

"Unkown CA" wird in folgenden Situationen geworfen:

RFC5246 hat gesagt.:
unknown_ca
A valid certificate chain or partial chain was received, but the
certificate was not accepted because the CA certificate could not
be located or couldn't be matched with a known, trusted CA. This
message is always fatal.

Die Fehlerquelle könnte also sein, dass Thunderbird das RootCA-Zertifikat nicht als vertrauenswürdig akzeptiert. Die Chain selbst ist korrekt und vollständig (CACertificates = Intermediate + Intermediate + Root; Server = Server Zertifikat):

Code:

$ openssl verify -CAfile CACertificates.pem Server.pem 
Server.pem: OK

Könntest du daher bitte mal nachschauen, ob das Addtrust External CA Root als vertrauenswürdig im Thunderbird eingetragen ist? Das Zertifikat bekommst du im Zweifelsfall von hier.

benediktibk · Nov 23, 2015

AddTrust war im Thunderbird bereits installiert, vorsichtshalber habe ich es noch einmal neu installiert. Die Aktion half leider ebenfalls nicht.
Des Rätsels Lösung war ein anderer Mail Client, in dem Fall testweise EssentialPIM. Den muss man zwar einmal neustarten nachdem man ihn auf SSL getrimmt hat, aber danach funktioniert es tadellos.

Ergo: Böser Thunderbird

Danke für die Hilfe,
benediktibk

SSL Zertifikat für Postfix und Dovecot

benediktibk

0

bitmuncher

Senior-Nerd

benediktibk

0

bitmuncher

Senior-Nerd

benediktibk

0

chr0n0s

0

SchwarzeBeere

0

benediktibk

0

SchwarzeBeere

0

benediktibk

0