[postfix-users] Postfix TLS Forward Secrecy

Andreas Reschke via postfix-users postfix-users at de.postfix.org
Thu Aug 15 20:07:59 CEST 2013
Hello all,
this is what it looks like for me:


[root@mail ~]# openssl s_client -CAfile /etc/certs/rirasoft.crt -starttls smtp -connect mail.rirasoft.de:25
CONNECTED(00000003)
depth=0 serialNumber = IZDjLkv72AEo8rSecWf7wiT3bzjQAzoP, C = DE, O = www.rirasoft.de, OU = GT56989536, OU = See www.rapidssl.com/resources/cps (c)11, OU = Domain Control Validated - RapidSSL(R), CN = www.rirasoft.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 serialNumber = IZDjLkv72AEo8rSecWf7wiT3bzjQAzoP, C = DE, O = www.rirasoft.de, OU = GT56989536, OU = See www.rapidssl.com/resources/cps (c)11, OU = Domain Control Validated - RapidSSL(R), CN = www.rirasoft.de
verify error:num=27:certificate not trusted
verify return:1
depth=0 serialNumber = IZDjLkv72AEo8rSecWf7wiT3bzjQAzoP, C = DE, O = www.rirasoft.de, OU = GT56989536, OU = See www.rapidssl.com/resources/cps (c)11, OU = Domain Control Validated - RapidSSL(R), CN = www.rirasoft.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/serialNumber=IZDjLkv72AEo8rSecWf7wiT3bzjQAzoP/C=DE/O=www.rirasoft.de/OU=GT56989536/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=www.rirasoft.de
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
Server certificate
subject=/serialNumber=IZDjLkv72AEo8rSecWf7wiT3bzjQAzoP/C=DE/O=www.rirasoft.de/OU=GT56989536/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=www.rirasoft.de
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 2291 bytes and written 345 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 1857A4CA89E4B7F4E60A00549E6E5F31E95BEC3EEBBB44ED1DF9CA92850BD467
    Session-ID-ctx:
    Master-Key: 6E305107B737E85CD36796591E42750976B4889EE80F7A9C867DE3839834D7FB609953B70C780B3A809D3D13EA37C934
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:

    Start Time: 1376589608
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
250 DSN


Have I configured Postfix TLS forward secrecy correctly with this?

Regards
Andreas
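As an added example (not part of the post), a small Python checker that reads s_client output like the one above and reports the two things that matter for the question: whether the negotiated cipher uses an ephemeral (DHE/ECDHE) key exchange, and why certificate verification failed. The sample text is constructed from the post's relevant lines; the `Server Temp Key` line is only printed by newer OpenSSL releases, so the DH-size check stays inactive on this 2013 output.

```python
import re

# Constructed sample mirroring the relevant lines of the post's s_client
# output: a one-certificate chain, a DHE cipher and verify error 21.
SAMPLE = """\
Certificate chain
 0 s:/C=DE/O=www.rirasoft.de/CN=www.rirasoft.de
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 21 (unable to verify the first certificate)
"""

# Authenticated key exchanges whose session keys are ephemeral (forward secret).
EPHEMERAL_KX = ("ECDHE-", "DHE-", "EDH-")

def assess(s_client_output):
    """Summarise forward secrecy and chain health from openssl s_client output."""
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", s_client_output, re.M)
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", s_client_output, re.M)
    verify = re.search(r"Verify return code:\s*(\d+)\s*\((.*)\)", s_client_output)
    # Every certificate the server sent shows up as " N s:" in the chain dump.
    chain = re.findall(r"^\s*(\d+) s:", s_client_output, re.M)
    # Newer OpenSSL prints e.g. "Server Temp Key: DH, 1024 bits"; optional here.
    tmp = re.search(r"Server Temp Key:\s*(\w+),\s*(\d+) bits", s_client_output)
    name = cipher.group(1) if cipher else ""
    r = {
        "protocol": proto.group(1) if proto else None,
        "cipher": name or None,
        "forward_secret": name.startswith(EPHEMERAL_KX),
        "certs_sent": len(chain),
        "verify_code": int(verify.group(1)) if verify else None,
        "verify_text": verify.group(2) if verify else None,
        "weak_dh": bool(tmp and tmp.group(1) == "DH" and int(tmp.group(2)) < 2048),
    }
    r["findings"] = findings(r)
    return r

def findings(r):
    """Plain-language issues a defender would act on."""
    out = []
    if not r["forward_secret"]:
        out.append("cipher does not use an ephemeral key exchange")
    if r["weak_dh"]:
        out.append("ephemeral DH parameters shorter than 2048 bits")
    if r["verify_code"] not in (None, 0):
        out.append("verify failed: %s" % r["verify_text"])
    if r["verify_code"] == 21 and r["certs_sent"] == 1:
        out.append("only the leaf was sent and its issuer is not in the CA file")
    return out
```

On the post's output it confirms an ephemeral DHE exchange, but flags that the server sent only the leaf certificate, so the chain cannot be verified against the given CA file.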