Author: W B Hacker Date: To: exim users Subject: Re: [exim] TLS client disconnected cleanly (rejected our
certificate? ) - intermediate ssl certificate problem?
Arkadiusz Miskiewicz wrote: > On Friday 27 of May 2011, W B Hacker wrote:
>> W B Hacker wrote:
>>
>> Disregard last - Brain Fart - tested his posting address.
>>
>> Here is a run at postmaster@???
>>
>> No cert complaint not even one mentioned, but blocked for lack of smtp
>> auth.
>
> Hm, openssl s_client was able to verify certificates correctly, saw proper
> chain etc (Verify return code: 0 (ok)), so looks like exim is doing correct
> job after all.
Good news ... >
> So far got few reports from people using thunderbird 3.1.10 under windows
> about certs not being accepted. Could be that the bug is in thunderbird. Doing
> some testing with it.
Windows is not cooperating? Go figure...
Have we all been chasing non-Exim winbuggery?
;-)
Mostly SeaMonkey here. Not 100% same MUA code as T-bird. At all.
But it always JFW on *BSD, Linux, Mac.
Have noted that Firefox 4 and even late-edition of the last of 3.X have
gotten progressively pickier about our self-signed certs (for webmail).
Basically w/r NOT allowing just-anyone to make an exception 'permanent'
so presume T-bird doing much the same. (Depends on OTHER settings).
Doesn't find fault with the certs - just no built-in CA to vet it with.
2011-05-27 06:21:16 [9222] H=cm61-10-57-220.hkcable.com.hk
(loki0.triligon.to) [61.10.57.220]:50811 I=[203.194.153.81]:587 Warning:
H1 cm61-10-57-220.hkcable.com.hk 61.10.57.220 submission client
arriving on port 587 with smtp
2011-05-27 06:21:16 [9222] H=cm61-10-57-220.hkcable.com.hk
(loki0.triligon.to) [61.10.57.220]:50811 I=[203.194.153.81]:587 Warning:
R0 cm61-10-57-220.hkcable.com.hk 61.10.57.220 is authenticated using
esmtpsa
2011-05-27 06:21:16 [9222] R1 cm61-10-57-220.hkcable.com.hk
61.10.57.220 is one of ours using esmtpsa
=========
>
>> Bit unusual to require that of 'postmaster@', but I'll presume a bespoke
>> relay-only box, or simply still under construction?
>
> Not unusual for submission box (rfc4409).
>
>>> Bill Hacker
So long as all-hands are in a net you control, port 25 is fine.
Soon as someone moves office or house, or travels and finds traffic
'from any to any port 25' blocked outright or intercepted by/to the
uplink provider's OWN MTA ?