[postfix-es] [Gmail] Error sending to gmail: certificate verification failed

Guido Ignacio guidoignacio at gmail.com
Fri May 22 18:27:18 CEST 2015


But that certificate was not created for your server; for example, is your
server in C=US?? You must create your own CA first.



2015-05-22 11:57 GMT-03:00 angel jauregui <darkdiabliyo at gmail.com>:
> @Ignacio I already pointed that out in my last message
> @Alberto But my problem is that postfix does not resolve the host and does
> not validate the certificate; DKIM is another matter that I don't want to
> touch, to avoid losing the thread.
>
> Part of the maillog says:
>
> May 21 08:21:02 dixy postfix/smtp[6424]: connect to
> gmail-smtp-in.l.google.com[2607:f8b0:4001:c0c::1a]:25: Connection timed out
> May 21 08:21:02 dixy postfix/smtp[6424]: certificate verification failed for
> gmail-smtp-in.l.google.com[64.233.191.26]:25: untrusted issuer
> /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>
> I downloaded the EQUIFAX certificate from:
> https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.pem
>
> Then I added it to my cacert.pem like this:
>
> shell# cat equifax.pem >> cacert.pem
> shell# /etc/init.d/postfix restart
>
> Regards!
>
> On May 22, 2015, 9:43, Guido Ignacio <guidoignacio at gmail.com>
> wrote:
>>
>> show us how you generated your certificate... the problem probably lies there
>>
>> 2015-05-22 11:37 GMT-03:00 angel jauregui <darkdiabliyo at gmail.com>:
>> > I downloaded this one:
>> >
>> > https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.pem
>> >
>> > Regards!
>> >
>> > On May 22, 2015, 6:19, Guido Ignacio <guidoignacio at gmail.com>
>> > wrote:
>> >>
>> >> How did you generate the certificate?
>> >>
>> >> On May 21, 2015, 20:15, angel jauregui
>> >> <darkdiabliyo at gmail.com> wrote:
>> >> > Reading here and there, I found advice about adding the PEM for
>> >> > Equifax and another provider to the "cacert.pem" that I already
>> >> > have in /etc/postfix/ssl/, but I already did that and I still get
>> >> > these errors:
>> >> >
>> >> > May 21 08:21:02 dixy postfix/smtp[6424]: connect to
>> >> > gmail-smtp-in.l.google.com[2607:f8b0:4001:c0c::1a]:25: Connection timed out
>> >> > May 21 08:21:02 dixy postfix/smtp[6424]: certificate verification failed for
>> >> > gmail-smtp-in.l.google.com[64.233.191.26]:25: untrusted issuer
>> >> > /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>> >> >
>> >> > I don't think my postfix configuration for loading TLS is the
>> >> > problem, but I am posting it anyway:
>> >> >
>> >> > shell# cat /etc/postfix/main.cfg |grep tls
>> >> > smtpd_tls_auth_only = no
>> >> > smtp_use_tls = yes
>> >> > smtpd_use_tls = yes
>> >> > smtp_tls_note_starttls_offer = yes
>> >> > smtp_tls_CAfile = /etc/postfix/ssl/cacert.pem
>> >> > # smtp_tls_security_level = may
>> >> > # smtpd_tls_security_level = may
>> >> > smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
>> >> > smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
>> >> > smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
>> >> > smtpd_tls_loglevel = 1
>> >> > smtpd_tls_received_header = yes
>> >> > smtpd_tls_session_cache_timeout = 3600s
>> >> > tls_random_source = dev:/dev/urandom
>> >> >
>> >> >
>> >> > Any ideas?
>> >> >
>> >> > Regards!
>> >> >
>> >> >
>> >> > On May 21, 2015, 10:20, angel jauregui <darkdiabliyo at gmail.com>
>> >> > wrote:
>> >> >>
>> >> >> In my iptables I have ports 25, 114, 587, 995 and 993 enabled so
>> >> >> that my static IPs can connect to them; for everyone else the
>> >> >> ports are DROP.
>> >> >>
>> >> >> I don't know whether that has any bearing on the verification error appearing?
>> >> >>
>> >> >> Regards!
>> >> >>
>> >> >> On May 21, 2015, 8:33, angel jauregui <darkdiabliyo at gmail.com>
>> >> >> wrote:
>> >> >>>
>> >> >>> Good day.
>> >> >>>
>> >> >>> I set up a postfix mail server that, for the moment, I only want
>> >> >>> to use as an SMTP server; I don't want to host accounts that
>> >> >>> receive mail.
>> >> >>>
>> >> >>> So, after configuring postfix, enabling rewriting (generic),
>> >> >>> securing it so that it only responds to connections from my
>> >> >>> static IPs, and creating the only account (noreplay@), I ran a
>> >> >>> test by sending myself an email.
>> >> >>>
>> >> >>> In my postfix log, this came up:
>> >> >>>
>> >> >>> I note that there are problems with DKIM, since when I received
>> >> >>> the mail in SPAM I did not see the signature, but what puzzles me
>> >> >>> most at the moment is the certificate verification failed line.
>> >> >>>
>> >> >>> shell# tail -f /var/log/maillog
>> >> >>> May 21 08:20:02 dixy postfix/smtpd[6391]: connect from mail.midominio.com[1.2.3.4]
>> >> >>> May 21 08:20:32 dixy postfix/smtpd[6391]: warning: connect to Milter service inet:localhost:8891: Connection timed out
>> >> >>> May 21 08:20:32 dixy postfix/smtpd[6391]: 2F87C2208E8: client=mail.midominio.com[1.2.3.4], sasl_method=PLAIN, sasl_username=noreplay
>> >> >>> May 21 08:20:32 dixy postfix/cleanup[6423]: 2F87C2208E8: message-id=<20150521132001.B45C02E0B10 en megatron.crver.net>
>> >> >>> May 21 08:20:32 dixy postfix/qmgr[30773]: 2F87C2208E8: from=<noreplay en mail.miservidorweb.com>, size=289038, nrcpt=1 (queue active)
>> >> >>> May 21 08:20:32 dixy postfix/smtpd[6391]: disconnect from mail.midominio.com[1.2.3.4]
>> >> >>> May 21 08:21:02 dixy postfix/smtp[6424]: connect to gmail-smtp-in.l.google.com[2607:f8b0:4001:c0c::1a]:25: Connection timed out
>> >> >>> May 21 08:21:02 dixy postfix/smtp[6424]: certificate verification failed for gmail-smtp-in.l.google.com[64.233.191.26]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>> >> >>> May 21 08:21:03 dixy postfix/smtp[6424]: 2F87C2208E8: to=<darkdiabliyo en gmail.com>, relay=gmail-smtp-in.l.google.com[64.233.191.26]:25, delay=32, delays=0.09/0.01/30/1.3, dsn=2.0.0, status=sent (250 2.0.0 OK 1432214463 r41si1516073ioi.30 - gsmtp)
>> >> >>> May 21 08:21:03 dixy postfix/qmgr[30773]: 2F87C2208E8: removed
>> >> >>>
>> >> >>> Regards!
>> >> >>>
>> >> >>> --
>> >> >>> M.S.I. Angel Haniel Cantu Jauregui.
>> >> >>>
>> >> >>> Mobile: (011-52-1)-899-871-17-22
>> >> >>> E-Mail: angel.cantu at sie-group.net
>> >> >>> Web: http://www.sie-group.net/
>> >> >>> Cd. Reynosa Tamaulipas.
>> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >> >> --
>> >> >> M.S.I. Angel Haniel Cantu Jauregui.
>> >> >>
>> >> >> Mobile: (011-52-1)-899-871-17-22
>> >> >> E-Mail: angel.cantu at sie-group.net
>> >> >> Web: http://www.sie-group.net/
>> >> >> Cd. Reynosa Tamaulipas.
>> >> >
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> > M.S.I. Angel Haniel Cantu Jauregui.
>> >> >
>> >> > Mobile: (011-52-1)-899-871-17-22
>> >> > E-Mail: angel.cantu at sie-group.net
>> >> > Web: http://www.sie-group.net/
>> >> > Cd. Reynosa Tamaulipas.
>> >> >
>> >> > _______________________________________________
>> >> > postfix-es mailing list for discussing the postfix MTA in
>> >> > Spanish
>> >> > postfix-es at lists.wl0.org
>> >> > http://lists.wl0.org/mailman/listinfo/postfix-es
>> >
>> >
>> >
>> >
>> > --
>> > M.S.I. Angel Haniel Cantu Jauregui.
>> >
>> > Mobile: (011-52-1)-899-871-17-22
>> > E-Mail: angel.cantu at sie-group.net
>> > Web: http://www.sie-group.net/
>> > Cd. Reynosa Tamaulipas.
>
>
>
>
> --
> M.S.I. Angel Haniel Cantu Jauregui.
>
> Mobile: (011-52-1)-899-871-17-22
> E-Mail: angel.cantu at sie-group.net
> Web: http://www.sie-group.net/
> Cd. Reynosa Tamaulipas.
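
The maillog quoted in this thread records the "untrusted issuer" failure and, one second later, status=sent for the same relay: with opportunistic TLS (smtp_use_tls = yes) Postfix logs the failed verification but still delivers over the unauthenticated session. The script below is an added example, not part of the thread, that pairs the two events in a maillog; the function names, the verdict labels and the placeholder recipient are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): pair each Postfix smtp(8)
# "certificate verification failed" event with the delivery result
# logged afterwards for the same relay.

# Constructed sample: the log excerpt quoted in the thread, joined to one
# event per line; the recipient address is a placeholder.
sample_maillog() {
cat <<'EOF'
May 21 08:21:02 dixy postfix/smtp[6424]: connect to gmail-smtp-in.l.google.com[2607:f8b0:4001:c0c::1a]:25: Connection timed out
May 21 08:21:02 dixy postfix/smtp[6424]: certificate verification failed for gmail-smtp-in.l.google.com[64.233.191.26]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
May 21 08:21:03 dixy postfix/smtp[6424]: 2F87C2208E8: to=<user@example.com>, relay=gmail-smtp-in.l.google.com[64.233.191.26]:25, delay=32, delays=0.09/0.01/30/1.3, dsn=2.0.0, status=sent (250 2.0.0 OK 1432214463 r41si1516073ioi.30 - gsmtp)
EOF
}

# Reads maillog lines on stdin and prints one line per failure:
#   verdict|relay|reason
tls_verify_report() {
    awk '
    /postfix\/smtp\[[0-9]+\]: certificate verification failed for / {
        line = $0
        sub(/^.*certificate verification failed for /, "", line)
        relay = line;  sub(/: .*$/, "", relay)       # host[addr]:port
        reason = line; sub(/^[^ ]*: /, "", reason)   # text after the relay
        failed[relay] = reason
        next
    }
    /postfix\/smtp\[[0-9]+\]: [0-9A-F]+: to=/ {
        relay = ""; status = ""
        if (match($0, /relay=[^ ,]+/))  relay  = substr($0, RSTART + 6, RLENGTH - 6)
        if (match($0, /status=[a-z]+/)) status = substr($0, RSTART + 7, RLENGTH - 7)
        if (relay in failed) {
            # sent after a failed check means TLS was only opportunistic
            verdict = (status == "sent") ? "delivered-unverified" : "not-delivered:" status
            print verdict "|" relay "|" failed[relay]
            delete failed[relay]
        }
    }
    END {
        # failures with no delivery line for that relay in the input
        for (relay in failed) print "no-delivery-logged|" relay "|" failed[relay]
    }'
}

sample_maillog | tls_verify_report
```

A `delivered-unverified` line means the peer certificate was not validated against smtp_tls_CAfile and the message went out anyway; the first sample line (IPv6 connection timed out) is a separate connectivity event and is ignored.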


More information about the postfix-es mailing list