[Eisfair] Certificates

Stefan Heidrich stefan-in-news at web.de
Wed Oct 11 07:51:40 CEST 2017


Hello Jürgen, hello NG,

I'm sorry, but when I try to switch the smarthost to encrypted
SMTP transfer, nothing works any more.

>> SMTP_SMARTHOST_1_HOST='mail.intersales.de'
>> SMTP_SMARTHOST_1_AUTH_TYPE='md5'       # previously 'none'
>> SMTP_SMARTHOST_1_ADDR='*'              # previously ''
>> SMTP_SMARTHOST_1_USER=''
>> SMTP_SMARTHOST_1_PASS=''
>> SMTP_SMARTHOST_1_FORCE_AUTH='no'
>> SMTP_SMARTHOST_1_FORCE_TLS='yes'
>> SMTP_SMARTHOST_1_PORT=''               # previously 'smtp'
> I think you first need to check your certificate chain and your CRL:
> 
> # /var/install/bin/certs-show-chain --nogui mail.intersales.de.pem

For me it looks like this:

Show certificate chain (run as 'root')
*
| certificate : mail.intersales.de.pem (72da9ae8)
| subject     : /CN=mail.intersales.de
| issuer      : /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
| MD5 f-print : D1:83:AE:0E:47:9D:8D:AE:7B:90:F8:95:18:D6:43:A0
| SHA1 f-print: D1:51:18:5D:AD:14:CC:98:83:36:91:67:1D:98:EB:82:05:BE:9E:BF
|
+->| certificate : lets_encrypt_authority_x3.pem (4f06f81d)
    | subject     : /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    | issuer      : /O=Digital Signature Trust Co./CN=DST Root CA X3
    | MD5 f-print : B1:54:09:27:4F:54:AD:8F:02:3D:3B:85:A5:EC:EC:5D
    | SHA1 f-print: E6:A3:B4:5B:06:2D:50:9B:33:82:28:2D:19:6E:FE:97:D5:95:6C:CB
    |
    +->| certificate : DST_Root_CA_X3.pem (2e5ac55d)
       | subject     : /O=Digital Signature Trust Co./CN=DST Root CA X3
       | issuer      : /O=Digital Signature Trust Co./CN=DST Root CA X3
       | MD5 f-print : 41:03:52:DC:0F:F7:50:1B:16:F0:02:8E:BA:6F:45:C5
       | SHA1 f-print: DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13
       |
       +-> end of chain!

checking certificate chain: mail.intersales.de.pem: CN = mail.intersales.de
error 3 at 0 depth lookup:unable to get certificate CRL

> # /var/install/bin/certs-update-crl -grepsingleuri lets_encrypt_authority_x3.pem

Certificate revocation list (CRL) handling

- file lets_encrypt_authority_x3.pem ...
- URL 'http[s]?://crl.identrust.com/DSTROOTCAX3CRL.crl' already in CRL list.
checking if CRL files exist ...
- job '8808' (2017-10-27 18:12) already exists.
- job '8711' (2017-11-18 16:09) already exists.
- job '8826' (2017-10-11 08:13) already exists.
- job '8713' (2018-03-28 12:13) already exists.
- job '8714' (2018-03-28 12:16) already exists.
- job '8715' (2018-07-23 02:03) already exists.
- job '8827' (2017-10-11 08:16) already exists.
- job '8828' (2017-10-11 08:19) already exists.
- job '8829' (2017-10-11 08:22) already exists.
- job '8719' (2017-11-10 22:52) already exists.
- job '8720' (2018-07-25 12:15) already exists.
- job '8721' (2018-07-25 12:18) already exists.
- job '8722' (2018-06-15 02:03) already exists.
- downloading 'http://www.sk.ee/juur/crl/' ...
index.html              [ <=>                ]  12.87K  --.-KB/s    in 0.01s
- unknown CRL file format 'HTMLdocument,UTF-8Unicodetext,withCRLF,LFlineterminators'.
- job '8840' (2017-04-17 14:03->2017-10-11 07:38) created.
   url: http://www.e-szigno.hu/RootCA.crl
- job '8830' (2017-10-11 08:25) already exists.
- job '8725' (2018-02-08 16:04) already exists.
- job '8726' (2018-05-22 20:47) already exists.
- job '8727' (2018-05-22 20:50) already exists.
- job '8728' (2018-04-01 06:17) already exists.
- job '8839' (2017-10-14 05:13) already exists.
- job '8730' (2018-01-07 05:57) already exists.
- job '8731' (2018-05-22 20:53) already exists.
- job '8822' (2017-10-12 00:21) already exists.
- job '8838' (2017-10-13 22:24) already exists.
- job '8836' (2017-10-13 17:03) already exists.
- job '8832' (2017-10-11 17:03) already exists.
- job '8837' (2017-10-16 11:04) already exists.
- job '8835' (2017-10-13 01:34) already exists.
checking if a task for each at-job has been created ...
checking if remaining running tasks are CRL update tasks ...
updating hashes ...
finished.
Press ENTER to continue

> # /var/install/bin/certs-update-crl -single http://crl.identrust.com/DSTROOTCAX3CRL.crl

Certificate revocation list (CRL) handling

- downloading 'http://crl.identrust.com/DSTROOTCAX3CRL.crl' ...
DSTROOTCAX3CRL.crl  100%[===================>]     896  --.-KB/s    in 0s
- converting CRL file to PEM format ...
- updating CRL list ...
- job '8808' (2017-10-27 18:12) already exists.
updating hashes ...
finished.
Press ENTER to continue


To my layman's eyes this looks fine. But when I switch to
encrypted transfer, the mail transfer looks like this in the log:

2017-10-11 07:41:59 1e29m7-0003Aj-91 <= stefan.heidrich at fam-heidrich.net H=localhost (www.fam-heidrich.net) [127.0.0.1] P=esmtpa A=fixed_cram:stefan.h S=1901 id=0ec9cb19e0a2c65a66ed57f9bece8e01 at fam-heidrich.net
2017-10-11 07:42:00 1e29m7-0003Aj-91 [87.230.23.228] SSL verify error: depth=0 error=unable to get certificate CRL cert=/CN=mail.intersales.de
2017-10-11 07:42:00 1e29m7-0003Aj-91 H=mail.intersales.de [87.230.23.228]: SMTP error from remote mail server after : 334 UGFzc3dvcmQ6
2017-10-11 07:42:01 1e29m7-0003Aj-91 == stefan.heidrich at palux.de R=smart_route T=remote_smtp defer (0) H=mail.intersales.de [87.230.23.228]: SMTP error from remote mail server after : 334 UGFzc3dvcmQ6

Does anyone have any other ideas about what else I need to do?

Best regards
Stefan
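The verify error above ("error 3 at 0 depth lookup: unable to get certificate CRL", OpenSSL's X509_V_ERR_UNABLE_TO_GET_CRL) means the verifier was told to check revocation but found no CRL for the issuer of the depth-0 certificate. The script below is an added example, not from this post and not part of Eisfair's certs-* tools: it builds a throwaway CA, leaf certificate and empty CRL with plain openssl (all names such as "Example Root" and mail.example.test are made up), reproduces the same error with `openssl verify -crl_check` when only the CA certificate is trusted, and shows the check passing once the CA's CRL is part of the trust material. It assumes only that `openssl` is on the PATH; it downloads nothing.

```shell
#!/bin/sh
# Added example (not Eisfair's certs-* scripts, not from the post): reproduce
# OpenSSL verify error 3 (X509_V_ERR_UNABLE_TO_GET_CRL, "unable to get
# certificate CRL") against a throwaway PKI built here, then show the same
# check passing once the issuing CA's CRL is available. All names below
# (Example Root, mail.example.test) are made up.
set -eu

# Build a self-signed root, a leaf certificate signed by it and an empty CRL
# for the root, all under $1. Ships its own config so it does not depend on
# the system openssl.cnf.
make_test_pki() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/test.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage         = critical, keyCertSign, cRLSign
[ ca ]
default_ca = test_ca
[ test_ca ]
database         = $dir/index.txt
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
default_md       = sha256
default_crl_days = 1
EOF
    # Root CA (self-signed, allowed to sign certificates and CRLs)
    openssl req -config "$dir/test.cnf" -x509 -newkey rsa:2048 -nodes \
        -sha256 -days 2 -subj "/O=Example Test CA/CN=Example Root" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    # Leaf (server) certificate, the kind a smarthost presents on STARTTLS
    openssl req -config "$dir/test.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=mail.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/leaf.csr" -days 1 -sha256 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/leaf.pem" >/dev/null 2>&1
    # Empty CRL (nothing revoked) signed by the root; 'openssl ca -gencrl'
    # needs an index file and a CRL number counter
    : > "$dir/index.txt"
    echo 01 > "$dir/crlnumber"
    openssl ca -config "$dir/test.cnf" -gencrl -out "$dir/ca.crl" >/dev/null 2>&1
}

# Trust only ca.pem and demand a CRL for the leaf: reproduces the error that
# certs-show-chain and Exim both reported. Returns openssl's exit status.
verify_without_crl() {
    openssl verify -crl_check -CAfile "$1/ca.pem" "$1/leaf.pem" 2>&1
}

# Same check with the CA's CRL appended to the trust file; openssl loads both
# certificates and CRLs from a PEM file. (Eisfair's "updating hashes" step
# suggests it instead places CRLs in the hashed cert directory, where
# -CApath finds them as <hash>.r0; for this check that is equivalent.)
verify_with_crl() {
    cat "$1/ca.pem" "$1/ca.crl" > "$1/ca_with_crl.pem"
    openssl verify -crl_check -CAfile "$1/ca_with_crl.pem" "$1/leaf.pem" 2>&1
}

# True when the failing run reports exactly the error seen in the post.
shows_crl_error() {
    verify_without_crl "$1" | grep -q 'unable to get certificate CRL'
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_test_pki "$work"
echo "== -crl_check with CA certificate only (expect error 3) =="
verify_without_crl "$work" || true
echo "== -crl_check with CA certificate + CRL =="
verify_with_crl "$work"
```

Run it as `sh crl_check_demo.sh`: the first verify prints the "error 3 at 0 depth lookup: unable to get certificate CRL" line, the second prints "leaf.pem: OK". On the real chain the same two commands can be pointed at mail.intersales.de.pem with the Let's Encrypt Authority X3 certificate and its CRL, and the CRL must be the one issued by the leaf's issuer, not only the root's. The other failure in the log is unrelated to certificates: `334 UGFzc3dvcmQ6` is base64 for `Password:`, the remote server's AUTH LOGIN prompt, which this script does not touch.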


More information about the Eisfair mailing list