From: Victor Duchovni (Victor.Duchovni@morganstanley.com)
Date: Thu May 08 2008 - 10:21:45 CDT
On Thu, May 08, 2008 at 11:43:59AM +0200, Ralf Hildebrandt wrote:
> Last night I weeded out /etc/ssl/certs structure and removed
> duplicate certificates and old certificates and all that.
>
> After that, TLS would work again, even for those who previously
> couldn't use it!
You broke your trust chain, now you are presenting just your server
certificate with none of the intermediate CA certs. Now add your
CA certs, from the bottom up, one at a time, starting with the
Charite CA. Append the CA cert(s) to your server cert file.
Test for a while after adding each cert and see which cert (camel straw :-)
breaks the MDAEMON systems.
smtp-finger: initializing the client-side TLS engine
smtp-finger: Connected to 193.175.70.131[193.175.70.131]:25
smtp-finger: < 220 mail-ausfall.charite.de ESMTP
smtp-finger: > EHLO hqmtabh2.ms.com
smtp-finger: < 250-mail-ausfall.charite.de
smtp-finger: < 250-PIPELINING
smtp-finger: < 250-SIZE 20971520
smtp-finger: < 250-ETRN
smtp-finger: < 250-STARTTLS
smtp-finger: < 250-ENHANCEDSTATUSCODES
smtp-finger: < 250-8BITMIME
smtp-finger: < 250 DSN
smtp-finger: > STARTTLS
smtp-finger: < 220 2.0.0 Ready to start TLS
smtp-finger: setting up TLS connection to 193.175.70.131[193.175.70.131]:25
smtp-finger: 193.175.70.131[193.175.70.131]:25: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL"
smtp-finger: 193.175.70.131[193.175.70.131]:25: certificate verification depth=0 verify=0 subject=/C=DE/O=Charite - Universitaetsmedizin Berlin/OU=Geschaeftsbereich Informationsmanagement/CN=mail-ausfall.charite.de
smtp-finger: certificate verification failed for 193.175.70.131[193.175.70.131]:25: untrusted issuer /C=DE/O=Charite - Universitaetsmedizin Berlin/OU=IT-Zentrum/CN=Charite CA - G02/emailAddress=pki@charite.de
smtp-finger: 193.175.70.131[193.175.70.131]:25: certificate verification depth=0 verify=0 subject=/C=DE/O=Charite - Universitaetsmedizin Berlin/OU=Geschaeftsbereich Informationsmanagement/CN=mail-ausfall.charite.de
smtp-finger: 193.175.70.131[193.175.70.131]:25: certificate verification depth=0 verify=0 subject=/C=DE/O=Charite - Universitaetsmedizin Berlin/OU=Geschaeftsbereich Informationsmanagement/CN=mail-ausfall.charite.de
smtp-finger: 193.175.70.131[193.175.70.131]:25 sha1 fingerprint B1:E3:23:52:FC:3C:96:55:5E:59:74:F1:73:3B:8E:53:F9:0F:B3:87
smtp-finger: Untrusted TLS connection established to 193.175.70.131[193.175.70.131]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
---
Certificate chain
0 s:/C=DE/O=Charite - Universitaetsmedizin Berlin/OU=Geschaeftsbereich Informationsmanagement/CN=mail-ausfall.charite.de
i:/C=DE/O=Charite - Universitaetsmedizin Berlin/OU=IT-Zentrum/CN=Charite CA - G02/emailAddress=pki@charite.de
smtp-finger: > QUIT
smtp-finger: < 221 2.0.0 Bye
--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
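To illustrate Viktor's diagnosis, here is an added Python check (not code from this thread or from Postfix) that reads an smtp-finger "Certificate chain" dump and reports whether depth 0 is the server certificate and whether each certificate's issuer is the subject of the next one, up to a CA the client trusts. The sample input is constructed from the subject and issuer names in the log above plus a placeholder root; the trusted-subject set stands in for the client's CA file.

```python
"""Chain-order check for a Postfix smtp-finger "Certificate chain" dump:
entry 0 must be the server certificate and each entry's issuer must be the
subject of the next one, up to a self-signed or locally trusted CA."""
import re

SUBJECT_LINE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")

def parse_chain(dump):
    """Turn 'N s:<subject>' / 'i:<issuer>' pairs into (subject, issuer)
    tuples in the order the server sent them."""
    chain, subject = [], None
    for line in dump.splitlines():
        if m := SUBJECT_LINE.match(line):
            subject = m.group(2).strip()
        elif (m := ISSUER_LINE.match(line)) and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def check_chain(chain, trusted_subjects):
    """Return the problems found (empty list = chain links up to a trusted CA)."""
    if not chain:
        return ["server presented no certificates"]
    problems = []
    # A cert that issued another cert in the chain is a CA cert; the server
    # cert, not a CA cert, has to be sent first (depth 0).
    if chain[0][0] in {issuer for _, issuer in chain}:
        problems.append("depth=0 is a CA certificate; the server certificate must come first")
    for depth, (subject, issuer) in enumerate(chain):
        if subject == issuer or issuer in trusted_subjects:
            break  # reached a self-signed root or a locally trusted CA
        if depth + 1 == len(chain):
            problems.append(f"depth={depth}: untrusted issuer {issuer} and nothing "
                            "above it (intermediate missing or root not trusted)")
        elif chain[depth + 1][0] != issuer:
            problems.append(f"depth={depth}: issuer {issuer} is not the next "
                            f"subject {chain[depth + 1][0]} (chain out of order)")
            break
    return problems

# Constructed sample input in the format of the smtp-finger dump above.
LEAF = ("/C=DE/O=Charite - Universitaetsmedizin Berlin"
        "/OU=Geschaeftsbereich Informationsmanagement/CN=mail-ausfall.charite.de")
INTERMEDIATE = ("/C=DE/O=Charite - Universitaetsmedizin Berlin/OU=IT-Zentrum"
                "/CN=Charite CA - G02/emailAddress=pki@charite.de")
ROOT = "/C=DE/O=Example Root CA/CN=Example Root"  # constructed placeholder root
BROKEN = f"0 s:{LEAF}\n  i:{INTERMEDIATE}\n"          # only the leaf, as in the log
FIXED = BROKEN + f"1 s:{INTERMEDIATE}\n  i:{ROOT}\n"  # intermediate appended
```

Running `check_chain(parse_chain(BROKEN), {ROOT})` reports the untrusted issuer at depth 0 that the log shows, while the same call on `FIXED` returns no problems.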