Mail server sending to postfix refusing TLS connection with "certificate expired", but it's not

Since April 30, I'm seeing errors like this in my mail log:

May  1 02:27:27 afaron postfix/smtpd[2644268]: connect from r137.info.hofer.at[66.117.17.137]
May  1 02:27:27 afaron postfix/smtpd[2644268]: SSL_accept error from r137.info.hofer.at[66.117.17.137]: -1
May  1 02:27:27 afaron postfix/smtpd[2644268]: warning: TLS library problem: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:../ssl/record/rec_layer_s3.c:1543:SSL alert number 45:
May  1 02:27:27 afaron postfix/smtpd[2644268]: lost connection after STARTTLS from r137.info.hofer.at[66.117.17.137]
May  1 02:27:27 afaron postfix/smtpd[2644268]: disconnect from r137.info.hofer.at[66.117.17.137] ehlo=1 starttls=0/1 commands=1/2

As far as I can grasp it, r137.info.hofer.at[66.117.17.137] refuses to send mail to my server, because it claims my SSL certificate would be expired.

I use a letsencrypt certificate. I double-checked if the latest one is actually used by postfix, and it is. It's not expired. I even tried to force-update the cert, but the errors re-appeared. When I run openssl s_client -starttls smtp -showcerts -connect mail.l3u.de:25 -servername mail.l3u.de, I get a valid TLS session ticket.

Until now, r137.info.hofer.at[66.117.17.137] is the only mail server complaining. I tried sending mail from and to gmx.de, web.de, t-online.de, gmail.com, yahoo.com and outlook.de. All without a problem, both sending and receiving.

How can I track this down? Can this be some local problem due to some outdated cert in the chain of trust for my certificate on my server? And how can I find it? Or is this a remote problem?

tilleyc: What's the time on the sending server? Can it validate other certificates?

Tobias Leupold: It's not my server, so I can't tell if it has issues with other servers …

anx: Why does your openssl test mention `-servername`, does your server present different certificates when receiving SNI?

Tobias Leupold: I just copied this from some Google search on how to test if a mail server's TLS will work ;-)

Tobias Leupold: Just for the sake of completeness: It works as well with openssl s_client -starttls smtp -showcerts -connect mail.l3u.de:25
Answer (Score:1)

I'm not perfectly sure, but I think I know what's going on now.

The remote side seems to use an outdated version of OpenSSL, which chokes on letsencrypt's cross-signature of the (expired) DST Root CA X3 certificate.

I requested a new certificate using certbot with --preferred-chain "ISRG Root X1" set (of course also restarted postfix ;-) and after that, the server in question talked to my server again.
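As an added illustration (not part of the answer, and not OpenSSL's or Let's Encrypt's code), the following Python model of certificate path building shows why the default Let's Encrypt chain fails on a peer running OpenSSL older than 1.1.0 and why the shorter chain selected with --preferred-chain "ISRG Root X1" does not. The CA expiry dates are the public ones; the leaf certificate and the "today" date are constructed, and the trusted-first behaviour is a simplified model of how OpenSSL 1.1.0+ looks up issuers (trust store before the presented chain), whereas older releases consult the presented chain first and do not retry an alternative path.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date


# Public expiry dates of the real CA certificates; the leaf is constructed.
DST_ROOT = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))
ISRG_X1 = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))
R3 = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
LEAF = Cert("mail.example.test", "R3", date(2023, 7, 29))  # constructed

TRUST_STORE = [DST_ROOT, ISRG_X1]       # a typical client store: both roots present
LONG_CHAIN = [LEAF, R3, ISRG_X1_CROSS]  # default chain served by certbot
SHORT_CHAIN = [LEAF, R3]                # chain after --preferred-chain "ISRG Root X1"
TODAY = date(2023, 5, 1)                # constructed date, after DST Root CA X3 expired


def build_path(presented, store, trusted_first):
    """Follow issuer names from the leaf until a self-signed certificate is reached.
    trusted_first=False models OpenSSL < 1.1.0 (presented certs consulted first);
    True models 1.1.0+ (trust store consulted first, the X509_V_FLAG_TRUSTED_FIRST default)."""
    path = [presented[0]]
    while path[-1].subject != path[-1].issuer:
        pools = [store, presented] if trusted_first else [presented, store]
        issuer = next((c for pool in pools for c in pool if c.subject == path[-1].issuer), None)
        if issuer is None:
            return path, False  # ran out of certificates before reaching an anchor
        path.append(issuer)
    return path, path[-1] in store


def verify(presented, store, today, trusted_first):
    """Return (ok, reason, path). Every certificate on the built path must be unexpired;
    the legacy behaviour is to stop at the first failure without trying another path."""
    path, anchored = build_path(presented, store, trusted_first)
    if not anchored:
        return False, "unable to get issuer certificate", path
    for cert in path:
        if cert.not_after < today:
            return False, f"certificate expired: {cert.subject}", path
    return True, "ok", path


if __name__ == "__main__":
    for name, chain in (("default chain", LONG_CHAIN), ("short chain", SHORT_CHAIN)):
        for label, tf in (("OpenSSL < 1.1.0", False), ("OpenSSL >= 1.1.0", True)):
            ok, reason, path = verify(chain, TRUST_STORE, TODAY, tf)
            print(f"{name:14} {label:17} {reason:38} via {' -> '.join(c.subject for c in path)}")
```

Running it shows the legacy verifier walking the default chain to the expired DST Root CA X3 and rejecting it, while both the modern verifier and the short chain end at the self-signed ISRG Root X1.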
