[postfix-es] [Gmail] Error sending to gmail: certificate verification failed

angel jauregui darkdiabliyo at gmail.com
Fri May 22 19:52:14 CEST 2015


What was originally in "cacert.pem" is a certificate generated and
signed by myself.
The "Equifax" one I downloaded....

Regards!

On May 22, 2015, 11:41, Rodrigo Nicolas Gliksberg Diaz <
xdieamd at gmail.com> wrote:

> It has to be validated by a valid, authorized entity; if you sign it
> yourself it makes no sense, anyone can certify themselves
>
> On May 22, 2015, 13:27, Guido Ignacio <guidoignacio at gmail.com>
> wrote:
>
>> But that certificate was not created for your server; e.g., is your
>> server in C=US ?? You must create your own CA first
>>
>>
>>
>> 2015-05-22 11:57 GMT-03:00 angel jauregui <darkdiabliyo at gmail.com>:
>> > @Ignacio I already indicated it in my last message
>> > @Alberto But my problem is that postfix does not resolve the host and
>> > does not validate the certificate; DKIM is a separate matter that I do
>> > not want to touch, to avoid losing the thread.
>> >
>> > Part of maillog says:
>> >
>> > May 21 08:21:02 dixy postfix/smtp[6424]: connect to gmail-smtp-in.l.google.com[2607:f8b0:4001:c0c::1a]:25: Connection timed out
>> > May 21 08:21:02 dixy postfix/smtp[6424]: certificate verification failed for gmail-smtp-in.l.google.com[64.233.191.26]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>> >
>> > I downloaded the EQUIFAX certificate from:
>> >
>> > https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.pem
>> >
>> > Then I added it to my cacert.pem like this:
>> >
>> > shell# cat equifax.pem >> cacert.pem
>> > shell# /etc/init.d/postfix restart
>> >
>> > Regards!
>> >
>> > On May 22, 2015, 9:43, Guido Ignacio <guidoignacio at gmail.com>
>> > wrote:
>> >>
>> >> show us how you generated your certificate....that may be where the problem comes from
>> >>
>> >> 2015-05-22 11:37 GMT-03:00 angel jauregui <darkdiabliyo at gmail.com>:
>> >> > This is the one I downloaded:
>> >> >
>> >> >
>> >> > https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.pem
>> >> >
>> >> > Regards!
>> >> >
>> >> > On May 22, 2015, 6:19, Guido Ignacio <guidoignacio at gmail.com>
>> >> > wrote:
>> >> >>
>> >> >> How did you generate the certificate?
>> >> >>
>> >> >> On May 21, 2015, 20:15, angel jauregui
>> >> >> <darkdiabliyo at gmail.com> wrote:
>> >> >> > Reading here and there I found out about adding the PEM of
>> >> >> > Equifax and another provider to the "cacert.pem" that I already
>> >> >> > have in /etc/postfix/ssl/, but I already did that and I still
>> >> >> > get these errors:
>> >> >> >
>> >> >> > May 21 08:21:02 dixy postfix/smtp[6424]: connect to gmail-smtp-in.l.google.com[2607:f8b0:4001:c0c::1a]:25: Connection timed out
>> >> >> > May 21 08:21:02 dixy postfix/smtp[6424]: certificate verification failed for gmail-smtp-in.l.google.com[64.233.191.26]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>> >> >> >
>> >> >> > I don't think my postfix configuration for loading TLS is the
>> >> >> > problem; even so, here it is:
>> >> >> >
>> >> >> > shell# cat /etc/postfix/main.cfg |grep tls
>> >> >> > smtpd_tls_auth_only = no
>> >> >> > smtp_use_tls = yes
>> >> >> > smtpd_use_tls = yes
>> >> >> > smtp_tls_note_starttls_offer = yes
>> >> >> > smtp_tls_CAfile = /etc/postfix/ssl/cacert.pem
>> >> >> > # smtp_tls_security_level = may
>> >> >> > # smtpd_tls_security_level = may
>> >> >> > smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
>> >> >> > smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
>> >> >> > smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
>> >> >> > smtpd_tls_loglevel = 1
>> >> >> > smtpd_tls_received_header = yes
>> >> >> > smtpd_tls_session_cache_timeout = 3600s
>> >> >> > tls_random_source = dev:/dev/urandom
>> >> >> >
>> >> >> >
>> >> >> > Any ideas?
>> >> >> >
>> >> >> > Regards!
>> >> >> >
>> >> >> >
>> >> >> > On May 21, 2015, 10:20, angel jauregui <darkdiabliyo at gmail.com>
>> >> >> > wrote:
>> >> >> >>
>> >> >> >> In my iptables I have ports 25, 114, 587, 995 and 993 enabled
>> >> >> >> so that my static IPs can connect to the ports; for everyone
>> >> >> >> else the ports are DROP.
>> >> >> >>
>> >> >> >> I don't know whether that influences the verification error appearing?
>> >> >> >>
>> >> >> >> Regards!
>> >> >> >>
>> >> >> >> On May 21, 2015, 8:33, angel jauregui <darkdiabliyo at gmail.com>
>> >> >> >> wrote:
>> >> >> >>>
>> >> >> >>> Good day.
>> >> >> >>>
>> >> >> >>> I set up a postfix mail server that for now I only want to act
>> >> >> >>> as SMTP; I don't want to host accounts that receive mail.
>> >> >> >>>
>> >> >> >>> So after configuring postfix, enabling rewriting (generic),
>> >> >> >>> securing it so that it only responds to connections from my
>> >> >> >>> static IPs, and creating the only account (noreplay@), I ran a
>> >> >> >>> test by sending myself an email.
>> >> >> >>>
>> >> >> >>> In my postfix log, this came out:
>> >> >> >>>
>> >> >> >>> I notice that there are problems with DKIM, since when I
>> >> >> >>> received the mail in SPAM I did not see the signature, but what
>> >> >> >>> puzzles me most at the moment is the certificate verification
>> >> >> >>> failed line.
>> >> >> >>>
>> >> >> >>> shell# tail -f /var/log/maillog
>> >> >> >>> May 21 08:20:02 dixy postfix/smtpd[6391]: connect from mail.midominio.com[1.2.3.4]
>> >> >> >>> May 21 08:20:32 dixy postfix/smtpd[6391]: warning: connect to Milter service inet:localhost:8891: Connection timed out
>> >> >> >>> May 21 08:20:32 dixy postfix/smtpd[6391]: 2F87C2208E8: client=mail.midominio.com[1.2.3.4], sasl_method=PLAIN, sasl_username=noreplay
>> >> >> >>> May 21 08:20:32 dixy postfix/cleanup[6423]: 2F87C2208E8: message-id=<20150521132001.B45C02E0B10 en megatron.crver.net>
>> >> >> >>> May 21 08:20:32 dixy postfix/qmgr[30773]: 2F87C2208E8: from=<noreplay en mail.miservidorweb.com>, size=289038, nrcpt=1 (queue active)
>> >> >> >>> May 21 08:20:32 dixy postfix/smtpd[6391]: disconnect from mail.midominio.com[1.2.3.4]
>> >> >> >>> May 21 08:21:02 dixy postfix/smtp[6424]: connect to gmail-smtp-in.l.google.com[2607:f8b0:4001:c0c::1a]:25: Connection timed out
>> >> >> >>> May 21 08:21:02 dixy postfix/smtp[6424]: certificate verification failed for gmail-smtp-in.l.google.com[64.233.191.26]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>> >> >> >>> May 21 08:21:03 dixy postfix/smtp[6424]: 2F87C2208E8: to=<darkdiabliyo en gmail.com>, relay=gmail-smtp-in.l.google.com[64.233.191.26]:25, delay=32, delays=0.09/0.01/30/1.3, dsn=2.0.0, status=sent (250 2.0.0 OK 1432214463 r41si1516073ioi.30 - gsmtp)
>> >> >> >>> May 21 08:21:03 dixy postfix/qmgr[30773]: 2F87C2208E8: removed
>> >> >> >>>
>> >> >> >>> Regards!
>> >> >> >>>
>> >> >> >>> --
>> >> >> >>> M.S.I. Angel Haniel Cantu Jauregui.
>> >> >> >>>
>> >> >> >>> Mobile: (011-52-1)-899-871-17-22
>> >> >> >>> E-Mail: angel.cantu at sie-group.net
>> >> >> >>> Web: http://www.sie-group.net/
>> >> >> >>> Cd. Reynosa Tamaulipas.


-- 
M.S.I. Angel Haniel Cantu Jauregui.

Mobile: (011-52-1)-899-871-17-22
E-Mail: angel.cantu at sie-group.net
Web: http://www.sie-group.net/
Cd. Reynosa Tamaulipas.
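
The log quoted in this thread shows the message being delivered (status=sent) one second after the verification failure, to the same relay. As an added example (not part of the original message), this Python script pairs each "certificate verification failed" line with the deliveries made by the same smtp process to the same relay. The function name `correlate`, the sample lines (unwrapped from the quoted log) and the recipient address are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: smtp client lines unwrapped from the log quoted in the
# thread; the recipient address is a placeholder.
SAMPLE_LOG = """\
May 21 08:21:02 dixy postfix/smtp[6424]: connect to gmail-smtp-in.l.google.com[2607:f8b0:4001:c0c::1a]:25: Connection timed out
May 21 08:21:02 dixy postfix/smtp[6424]: certificate verification failed for gmail-smtp-in.l.google.com[64.233.191.26]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
May 21 08:21:03 dixy postfix/smtp[6424]: 2F87C2208E8: to=<user@example.com>, relay=gmail-smtp-in.l.google.com[64.233.191.26]:25, delay=32, delays=0.09/0.01/30/1.3, dsn=2.0.0, status=sent (250 2.0.0 OK 1432214463 r41si1516073ioi.30 - gsmtp)
"""

# "certificate verification failed for <relay>: <reason> [<issuer DN>]"
FAIL_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: certificate verification failed for "
    r"(?P<relay>\S+): (?P<reason>[^/]+?)\s*(?P<issuer>/.*)?$")
# "<queue id>: to=<rcpt>, relay=<relay>, ... status=<status>"
SENT_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-F]+): to=<[^>]*>, "
    r"relay=(?P<relay>[^,]+),.*\bstatus=(?P<status>\w+)")


def correlate(log_text):
    """Return one record per failed verification, listing the queue IDs
    that the same smtp process still delivered to that relay."""
    failures = {}
    deliveries = defaultdict(list)
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            failures[(m["pid"], m["relay"])] = (m["reason"], m["issuer"])
            continue
        m = SENT_RE.search(line)
        if m:
            deliveries[(m["pid"], m["relay"])].append((m["qid"], m["status"]))
    report = []
    for key, (reason, issuer) in failures.items():
        sent = [qid for qid, status in deliveries.get(key, []) if status == "sent"]
        report.append({"relay": key[1], "reason": reason,
                       "issuer": issuer, "sent_unverified": sent})
    return report


if __name__ == "__main__":
    for rec in correlate(SAMPLE_LOG):
        print(rec["relay"], "|", rec["reason"], "|", rec["issuer"],
              "| delivered anyway:", ", ".join(rec["sent_unverified"]) or "none")
```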