[Eisfair] Smarthost settings after provider change

Andreas Schmied Andreas.Schmied at t-online.de
Tue Mar 1 21:48:19 CET 2016


On 01.03.16 at 20:52, Juergen Edner wrote:
> Hello Marcus,
> 
>> 2016-02-29 19:20:18 1aaPBb-000678-Bc H=alfa3056.alfahosting-server.de
>> [109.237.140.26] TLS error on connection
>> (SSL_CTX_use_certificate_chain_file file=/usr/local/ssl/certs/exim.pem):
>> error:02001002:system library:fopen:No such file or directory
>>
>> 2016-02-29 19:20:18 1aaPBb-000678-Bc == bestellung at montforterhof.de
>> R=smart_route T=remote_smtp defer (-37) H=alfa3056.alfahosting-server.de
>> [109.237.140.26]: failure while setting up TLS session
> 
> ok, understood. I think the two entries tls_certificate and
> tls_privatekey in the SMTP transport are to blame for this behaviour.
> These entries are actually only needed there if the other side, i.e.
> in this case the receiving smarthost, wants to verify the identity
> of the sender.
> As a start, one could comment out the following two lines in the
> "remote_smtp:" block of the file /var/spool/exim/configure as a test
> and see whether the error message then disappears.
> 
> remote_smtp:
>   ...
>   tls_certificate   = /usr/local/ssl/certs/exim.pem
>   tls_privatekey    = /usr/local/ssl/certs/exim.pem
>   ...


I did that, then:
Stop mail services
Start mail services

..and the mail went out with TLS right away.


But.. then I tested once more and the mail again did not go out.
When I looked into /var/spool/exim/configure, the two lines
tls_certificate = /usr/local/ssl/certs/exim.pem
tls_privatekey = /usr/local/ssl/certs/exim.pem
were 'un'commented again.

The log for this:


2016-03-01 21:09:13 [21363] cwd=/tmp 2 args: /usr/local/exim/bin/exim -bp
2016-03-01 21:09:13 [21410] cwd=/tmp 3 args: /usr/local/exim/bin/exim
-bp 1aanGz-00058q-Hn
2016-03-01 21:09:44 [21582] cwd=/tmp 5 args: /usr/local/exim/bin/exim -d
-bd -q30m -om
2016-03-01 21:09:44 [21582] exim 4.86 daemon started: pid=21582, -q30m,
listening for SMTP on port 25 (IPv4) port 587 (IPv4)
2016-03-01 21:09:44 [21584] cwd=/var/spool/exim 2 args:
/usr/local/exim/bin/exim -q
2016-03-01 21:09:44 [21584] Start queue run: pid=21584
2016-03-01 21:09:45 [21587] 1aanGz-00058q-Hn [109.237.140.26] SSL verify
error: depth=0 error=unable to get certificate CRL cert=/OU=Domain
Control Validated/OU=Hosted by Alfahosting GmbH/OU=PositiveSSL
Wildcard/CN=*.alfahosting-server.de
2016-03-01 21:09:45 [21587] 1aanGz-00058q-Hn [109.237.140.26] SSL verify
error: depth=1 error=unable to get certificate CRL cert=/C=GB/ST=Greater
Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation
Secure Server CA
2016-03-01 21:09:45 [21587] 1aanGz-00058q-Hn [109.237.140.26] SSL verify
error: depth=2 error=unable to get certificate CRL cert=/C=GB/ST=Greater
Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification
Authority
2016-03-01 21:09:45 [21587] 1aanGz-00058q-Hn [109.237.140.26] SSL verify
error: depth=3 error=unable to get certificate CRL cert=/C=SE/O=AddTrust
AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
2016-03-01 21:09:46 [21586] 1aanGz-00058q-Hn =>
andreas.schmied at t-online.de I=[192.168.1.88]
F=<andreas.schmied at montforterhof.de>
P=<andreas.schmied at montforterhof.de> R=smart_route T=remote_smtp S=652
H=alfa3056.alfahosting-server.de [109.237.140.26]:25
X=TLSv1:DHE-RSA-AES256-SHA:256 CV=no DN="/OU=Domain Control
Validated/OU=Hosted by Alfahosting GmbH/OU=PositiveSSL
Wildcard/CN=*.alfahosting-server.de" A=login C="250 2.0.0 Ok: queued as
141062A38100" QT=3h34m1s DT=2s
2016-03-01 21:09:46 [21586] 1aanGz-00058q-Hn Completed QT=3h34m1s
2016-03-01 21:09:46 [21584] End queue run: pid=21584
2016-03-01 21:10:22 [21609] cwd=/tmp 2 args: /usr/local/exim/bin/exim -bp
2016-03-01 21:11:37 exim 4.86 daemon started: pid=22887, -q30m,
listening for SMTP on port 25 (IPv4) port 587 (IPv4)
2016-03-01 21:11:37 Start queue run: pid=22889
2016-03-01 21:11:37 End queue run: pid=22889
2016-03-01 21:11:42 1aaqdx-0005xo-45 DKIM: d=vcockpit.de
s=mail.protection c=relaxed/simple a=rsa-sha256 t=1456857617
[verification succeeded]
2016-03-01 21:11:42 1aaqdx-0005xo-45 <= office at vcockpit.de H=localhost
(eis88.home.lan) [127.0.0.1] P=esmtp S=234318
id=3fd750d430e8777b1e372915f1fd9775 at swift.generated
2016-03-01 21:11:42 1aaqdx-0005xo-45 => schmied <schmied at lan>
R=localuser T=local_delivery
2016-03-01 21:11:42 1aaqdx-0005xo-45 Completed
2016-03-01 21:11:42 1aaqdy-0005xo-Dz <= andreas.schmied at montforterhof.de
H=localhost (eis88.home.lan) [127.0.0.1] P=esmtp S=2579
id=20160301200227.5AB7232CD6A9 at relay01.alfahosting-server.de
2016-03-01 21:11:42 1aaqdy-0005xo-Dz => schmied <schmied at lan>
R=localuser T=local_delivery
2016-03-01 21:11:42 1aaqdy-0005xo-Dz Completed
2016-03-01 21:16:07 1aaqiF-0005yo-0m <= andreas.schmied at montforterhof.de
H=macbook-wlan.fritz.box [192.168.1.101] P=esmtp S=647
id=56D5F6CF.2060609 at montforterhof.de
2016-03-01 21:16:07 1aaqiF-0005yo-0m H=alfa3056.alfahosting-server.de
[109.237.140.26] TLS error on connection
(SSL_CTX_use_certificate_chain_file file=/usr/local/ssl/certs/exim.pem):
error:02001002:system library:fopen:No such file or directory
2016-03-01 21:16:07 1aaqiF-0005yo-0m H=alfa3056.alfahosting-server.de
[109.237.140.26] TLS error on connection
(SSL_CTX_use_certificate_chain_file file=/usr/local/ssl/certs/exim.pem):
error:02001002:system library:fopen:No such file or directory
2016-03-01 21:16:07 1aaqiF-0005yo-0m == andreas.schmied at t-online.de
R=smart_route T=remote_smtp defer (-37) H=alfa3056.alfahosting-server.de
[109.237.140.26]: failure while setting up TLS session
2016-03-01 21:16:07 1aaqiF-0005yo-0m == bestellung at montforterhof.de
R=smart_route T=remote_smtp defer (-37) H=alfa3056.alfahosting-server.de
[109.237.140.26]: failure while setting up TLS session
2016-03-01 21:21:05 Start queue run: pid=23284
2016-03-01 21:21:05 1aaqiF-0005yo-0m == bestellung at montforterhof.de
R=smart_route T=remote_smtp defer (-53): retry time not reached for any host
2016-03-01 21:21:05 1aaqiF-0005yo-0m == andreas.schmied at t-online.de
R=smart_route T=remote_smtp defer (-53): retry time not reached for any host
2016-03-01 21:21:05 End queue run: pid=23284
2016-03-01 21:22:17 Start queue run: pid=23514
2016-03-01 21:22:17 1aaqiF-0005yo-0m == bestellung at montforterhof.de
R=smart_route T=remote_smtp defer (-53): retry time not reached for any host
2016-03-01 21:22:17 1aaqiF-0005yo-0m == andreas.schmied at t-online.de
R=smart_route T=remote_smtp defer (-53): retry time not reached for any host
2016-03-01 21:22:17 End queue run: pid=23514
2016-03-01 21:22:44 exim 4.86 daemon started: pid=23780, -q30m,
listening for SMTP on port 25 (IPv4) port 587 (IPv4)
2016-03-01 21:22:44 Start queue run: pid=23782
2016-03-01 21:22:44 1aaqiF-0005yo-0m == bestellung at montforterhof.de
R=smart_route T=remote_smtp defer (-53): retry time not reached for any host
2016-03-01 21:22:44 1aaqiF-0005yo-0m == andreas.schmied at t-online.de
R=smart_route T=remote_smtp defer (-53): retry time not reached for any host
2016-03-01 21:22:44 End queue run: pid=23782
2016-03-01 21:23:18 Start queue run: pid=24040
2016-03-01 21:23:18 1aaqiF-0005yo-0m == bestellung at montforterhof.de
R=smart_route T=remote_smtp defer (-53): retry time not reached for any host
2016-03-01 21:23:18 1aaqiF-0005yo-0m == andreas.schmied at t-online.de
R=smart_route T=remote_smtp defer (-53): retry time not reached for any host
2016-03-01 21:23:18 End queue run: pid=24040
2016-03-01 21:24:54 1aaqqk-0006It-7J <= andreas.schmied at montforterhof.de
H=macbook-wlan.fritz.box [192.168.1.101] P=esmtp S=651
id=56D5F8DE.5060004 at montforterhof.de
2016-03-01 21:24:54 1aaqqk-0006It-7J == andreas.schmied at t-online.de
R=smart_route T=remote_smtp defer (-53): retry time not reached for any host
2016-03-01 21:25:38 Start queue run: pid=24499
2016-03-01 21:25:38 1aaqqk-0006It-7J == andreas.schmied at t-online.de
R=smart_route T=remote_smtp defer (-53): retry time not reached for any host
2016-03-01 21:25:38 1aaqiF-0005yo-0m == bestellung at montforterhof.de
R=smart_route T=remote_smtp defer (-53): retry time not reached for any host
2016-03-01 21:25:38 1aaqiF-0005yo-0m == andreas.schmied at t-online.de
R=smart_route T=remote_smtp defer (-53): retry time not reached for any host
2016-03-01 21:25:38 End queue run: pid=24499



Then I commented them out again.
Now the mails went out again.
The log for this:



2016-03-01 21:42:37 1aar7t-0006cw-OT => schmied <schmied at lan>
R=localuser T=local_delivery
2016-03-01 21:42:37 1aar7t-0006cw-OT Completed
2016-03-01 21:43:59 1aar9D-0006dV-Po <= andreas.schmied at montforterhof.de
H=macbook-wlan.fritz.box [192.168.1.101] P=esmtp S=652
id=56D5FD58.8020305 at montforterhof.de
2016-03-01 21:44:00 1aar9D-0006dV-Po [109.237.140.26] SSL verify error:
depth=0 error=unable to get certificate CRL cert=/OU=Domain Control
Validated/OU=Hosted by Alfahosting GmbH/OU=PositiveSSL
Wildcard/CN=*.alfahosting-server.de
2016-03-01 21:44:00 1aar9D-0006dV-Po [109.237.140.26] SSL verify error:
depth=1 error=unable to get certificate CRL cert=/C=GB/ST=Greater
Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation
Secure Server CA
2016-03-01 21:44:00 1aar9D-0006dV-Po [109.237.140.26] SSL verify error:
depth=2 error=unable to get certificate CRL cert=/C=GB/ST=Greater
Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification
Authority
2016-03-01 21:44:00 1aar9D-0006dV-Po [109.237.140.26] SSL verify error:
depth=3 error=unable to get certificate CRL cert=/C=SE/O=AddTrust
AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
2016-03-01 21:44:00 1aar9D-0006dV-Po [109.237.140.26] SSL verify error:
depth=0 error=unable to get certificate CRL cert=/OU=Domain Control
Validated/OU=Hosted by Alfahosting GmbH/OU=PositiveSSL
Wildcard/CN=*.alfahosting-server.de
2016-03-01 21:44:00 1aar9D-0006dV-Po [109.237.140.26] SSL verify error:
depth=1 error=unable to get certificate CRL cert=/C=GB/ST=Greater
Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation
Secure Server CA
2016-03-01 21:44:00 1aar9D-0006dV-Po [109.237.140.26] SSL verify error:
depth=2 error=unable to get certificate CRL cert=/C=GB/ST=Greater
Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification
Authority
2016-03-01 21:44:00 1aar9D-0006dV-Po [109.237.140.26] SSL verify error:
depth=3 error=unable to get certificate CRL cert=/C=SE/O=AddTrust
AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
2016-03-01 21:44:01 1aar9D-0006dV-Po => andreas.schmied at t-online.de
R=smart_route T=remote_smtp H=alfa3056.alfahosting-server.de
[109.237.140.26] X=TLSv1:DHE-RSA-AES256-SHA:256 CV=no DN="/OU=Domain
Control Validated/OU=Hosted by Alfahosting GmbH/OU=PositiveSSL
Wildcard/CN=*.alfahosting-server.de" A=login C="250 2.0.0 Ok: queued as
03F902A38100"
2016-03-01 21:44:01 1aar9D-0006dV-Po => bestellung at montforterhof.de
R=smart_route T=remote_smtp H=alfa3056.alfahosting-server.de
[109.237.140.26] X=TLSv1:DHE-RSA-AES256-SHA:256 CV=no DN="/OU=Domain
Control Validated/OU=Hosted by Alfahosting GmbH/OU=PositiveSSL
Wildcard/CN=*.alfahosting-server.de" A=login C="250 2.0.0 Ok: queued as
0B9022A38170"
2016-03-01 21:44:01 1aar9D-0006dV-Po Completed


It doesn't seem to work smoothly.
The two lines
tls_certificate   = /usr/local/ssl/certs/exim.pem
tls_privatekey    = /usr/local/ssl/certs/exim.pem
now stay commented out....at least that is how it looks for now.

What now?
-- 
Regards
Andreas
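
Added example, not part of the original message: a small triage script for Exim mainlog entries like the ones quoted above. It groups events per message id and reports the two conditions visible in this thread, a configured client certificate file that cannot be opened, and deliveries that used TLS without the peer certificate being verified (CV=no). The sample log is constructed with placeholder hosts, and it assumes one log entry per line (not wrapped as in the mail).

```python
import re
from collections import defaultdict
# Constructed sample in Exim mainlog format (one entry per line, placeholder hosts).
SAMPLE_LOG = """\
2016-03-01 21:16:07 1aaqiF-0005yo-0m H=smarthost.example [192.0.2.26] TLS error on connection (SSL_CTX_use_certificate_chain_file file=/usr/local/ssl/certs/exim.pem): error:02001002:system library:fopen:No such file or directory
2016-03-01 21:16:07 1aaqiF-0005yo-0m == user@example.org R=smart_route T=remote_smtp defer (-37) H=smarthost.example [192.0.2.26]: failure while setting up TLS session
2016-03-01 21:21:05 1aaqiF-0005yo-0m == user@example.org R=smart_route T=remote_smtp defer (-53): retry time not reached for any host
2016-03-01 21:44:00 1aar9D-0006dV-Po [192.0.2.26] SSL verify error: depth=0 error=unable to get certificate CRL cert=/CN=*.smarthost.example
2016-03-01 21:44:01 1aar9D-0006dV-Po => user@example.org R=smart_route T=remote_smtp H=smarthost.example [192.0.2.26] X=TLSv1:DHE-RSA-AES256-SHA:256 CV=no DN="/CN=*.smarthost.example" A=login C="250 2.0.0 Ok: queued as 0000000000AA"
"""

ENTRY = re.compile(r"^\S+ \S+ (?:\[\d+\] )?(\w{6}-\w{6}-\w{2}) (.*)$")
MISSING = re.compile(r"TLS error on connection \(\w+ file=([^)]+)\): .*No such file or directory")
DEFER = re.compile(r"^== \S+ .*defer \((-?\d+)\)")
VERIFY = re.compile(r"SSL verify error: depth=(\d+) error=(.+?) cert=")
DELIVERED = re.compile(r"^=> .*\bX=(\S+) CV=(\w+)")

def triage(log_text):
    """Group TLS-relevant events by Exim message id."""
    msgs = defaultdict(lambda: {"missing": set(), "defers": [], "verify": set(), "tls": []})
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # daemon start, queue-run markers and similar lines
        msg, rest = msgs[m.group(1)], m.group(2)
        if (x := MISSING.search(rest)):
            msg["missing"].add(x.group(1))          # path Exim failed to open
        elif (x := DEFER.match(rest)):
            msg["defers"].append(int(x.group(1)))   # defer code, e.g. -37 or -53
        elif (x := VERIFY.search(rest)):
            msg["verify"].add(x.group(2))           # OpenSSL verify error text
        elif (x := DELIVERED.match(rest)):
            msg["tls"].append((x.group(1), x.group(2)))  # (cipher, CV status)
    return dict(msgs)

def findings(report):
    """Turn the grouped events into one-line findings for an operator."""
    out = []
    for mid, ev in report.items():
        for path in sorted(ev["missing"]):
            out.append(f"{mid}: TLS setup failed, configured certificate file not found: {path}")
        for cipher, cv in ev["tls"]:
            if cv != "yes":
                why = ", ".join(sorted(ev["verify"])) or "no verify error logged"
                out.append(f"{mid}: delivered with {cipher} but peer certificate unverified (CV={cv}; {why})")
    return out

if __name__ == "__main__":
    print("\n".join(findings(triage(SAMPLE_LOG))))
```
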

