CheckTLS.com gives me a clean bill of health both sending and receiving.
The following give me a clean output as well:
openssl s_client -connect smtp.vintners.net:25 -starttls smtp
openssl verify -CAfile SSL_WILDCARD_CertificateAuthorityRoot.crt -untrusted ov_chain.crt STAR.VINTNERS.NET.crt
Different renditions of this all seem to give a "self-signed
certificate in certificate chain" for the first entry. I believe this
is expected as this is the beginning of the world. This is not the
error I'm seeing in the log.
So I think I'm barking up the wrong tree. Let's try one of the
servers that's giving me trouble:
openssl s_client -cert STAR.VINTNERS.NET.crt -key star.vintners.net.key -CAfile ov_chain.crt -connect gmail.com:443
Yes! This is at least giving me the same error as I'm seeing in the
logs, so maybe this is what I need to work on.
I changed something, and managed to break things so that suddenly
every connection to the big guys gives me a "permission denied" error.
I spent hours trying to figure this out, putting everything back the
way I started - no go. I tried CheckTLS.com, and now it's showing
"tls not available"? Up 'til now I've been using my
'sendmail-restart', which is in essence a 'kill -HUP'. I then tried
a 'service sendmail stop' then start, and now CheckTLS is
working again! Fuck. So the moral of the story is to completely
stop/start sendmail, don't just try to restart.
I'm still seeing a mountain of delayed connections trying to retry and still getting "permission denied". I'm guessing that these were sent while things were "broken" and will continue to retry until they fail, as they think they should go without STARTTLS as it wasn't available when they were sent.
Nope - that wasn't it. I should have thought harder about the fact
that it was a "permission denied" error. I was assuming it was
related to sendmail trying to access one of the files I'd messed with.
Nope, it was the socket having the problem. openssl -connect commands
were failing with this error as well. Problem was I got trapped in my
own damn firewall. ipfw was blocking port 25. I know I put the
"always allow" for this server's IP address into the ipfw config file;
now I gotta go figure out why that's not working. Fucking wasted day.
Fix:
ipfw table port25 del 207.229.65.53
Ok, so in the end, the fix I tried out, but that got lost in the
firewall mess-up, was very simple.
See STARTTLS howto for details; in a
nutshell, in the /etc/mail/[systemname].mc file, confCACERT_PATH
should point to your /etc/ssl/certs
dir ("unable to get local issuer certificate" error).
cp SSL_WILDCARD_CertificateAuthorityRoot.crt ov_chain.crt
ov_chain.crt
/usr/local/etc/apache/Includes/httpd-ssl.conf:
- SSLCertificateFile set to full path to the new STAR.VINTNERS.NET.crt file
- SSLCertificateChainFile set to full path to this ov_chain.crt
- SSLCACertificateFile set to full path to SSL_WILDCARD_CertificationAuthorityRoot.crt file
- apachectl restart
/etc/mail/[systemname].mc
/var/log/maillog for errors.
/usr/local/etc/imapd:
- tls_server_cert - should match sendmail confSERVER_CERT
- tls_server_key - should match sendmail confSERVER_KEY
- tls_server_ca_file - should match sendmail confCACERT
- tls_server_ca_dir - should match sendmail CERT_DIR
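As an added check for the confCACERT_PATH fix and the checklist above (example code written here, not the post's own scripts), this Python does three things: tests whether a directory is laid out the way confCACERT_PATH / tls_server_ca_dir need it (OpenSSL subject-hash file names, as /etc/ssl/certs has), classifies the three errors met in the post into what to look at first, and probes a server's STARTTLS the way the openssl s_client commands above do. Host and file names are the post's; the function names and the classification labels are my own.

```python
"""Added helpers for the STARTTLS diagnosis above; not the author's code."""
import os
import re
import smtplib
import ssl

# OpenSSL names files in a CApath dir by subject hash: 8 hex chars, a dot, an index.
_HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def hashed_layout(names):
    """True if a list of file names contains at least one OpenSSL hash-named entry."""
    return any(_HASHED_NAME.match(n) for n in names)


def capath_is_hashed(capath):
    """True if capath looks like a hashed CA dir (e.g. /etc/ssl/certs).
    sendmail's confCACERT_PATH and Cyrus tls_server_ca_dir need this layout;
    a directory holding only plain *.crt files is silently useless for verification."""
    try:
        return hashed_layout(os.listdir(capath))
    except OSError:
        return False


def diagnose(error_text):
    """Map the OpenSSL/socket errors seen in the post to what to check first."""
    msg = error_text.lower()
    if "unable to get local issuer certificate" in msg:
        return "ca-path"   # the CA dir/file does not contain the peer's issuer
    if "self-signed certificate in certificate chain" in msg:
        return "root-ok"   # the trust anchor itself; expected when the full chain is sent
    if "permission denied" in msg:
        return "socket"    # not a cert problem: firewall (ipfw) or socket permissions
    return "unknown"


def probe_starttls(host, port=25, cafile=None, capath=None, timeout=10):
    """Do what `openssl s_client -starttls smtp` does: EHLO, STARTTLS, verify the peer.
    Returns (True, peer_subject) on success or (False, diagnose(error)) on failure."""
    ctx = ssl.create_default_context(cafile=cafile, capath=capath)
    ctx.verify_mode = ssl.CERT_REQUIRED  # fail closed, as sendmail's verify=OK would want
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ctx)
            return True, smtp.sock.getpeercert().get("subject")
    except (ssl.SSLError, OSError, smtplib.SMTPException) as exc:
        return False, diagnose(str(exc))
```

Run `probe_starttls("smtp.vintners.net", capath="/etc/ssl/certs")` to repeat the inbound check, and `capath_is_hashed` on whatever confCACERT_PATH points at before trusting a "verify=OK".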