
Since April 30, I'm seeing errors like that in my mail log:

May  1 02:27:27 afaron postfix/smtpd[2644268]: connect from r137.info.hofer.at[66.117.17.137]
May  1 02:27:27 afaron postfix/smtpd[2644268]: SSL_accept error from r137.info.hofer.at[66.117.17.137]: -1
May  1 02:27:27 afaron postfix/smtpd[2644268]: warning: TLS library problem: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:../ssl/record/rec_layer_s3.c:1543:SSL alert number 45:
May  1 02:27:27 afaron postfix/smtpd[2644268]: lost connection after STARTTLS from r137.info.hofer.at[66.117.17.137]
May  1 02:27:27 afaron postfix/smtpd[2644268]: disconnect from r137.info.hofer.at[66.117.17.137] ehlo=1 starttls=0/1 commands=1/2

As far as I can tell, r137.info.hofer.at[66.117.17.137] refuses to send mail to my server because it claims my SSL certificate is expired.

I use a letsencrypt certificate. I double-checked if the latest one is actually used by postfix, and it is. It's not expired. I even tried to force-update the cert, but the errors re-appeared. When I run openssl s_client -starttls smtp -showcerts -connect mail.l3u.de:25 -servername mail.l3u.de, I get a valid TLS session ticket.

Until now, r137.info.hofer.at[66.117.17.137] is the only mail server complaining. I tried sending mail from and to gmx.de, web.de, t-online.de, gmail.com, yahoo.com and outlook.de. All without a problem, both sending and receiving.

How can I track this down? Can this be some local problem due to some outdated cert in the chain of trust for my certificate on my server? And how can I find it? Or is this a remote problem?

1 Answer


I'm not perfectly sure, but I think I know what's going on now.

The remote side seems to use an outdated version of OpenSSL, which chokes on letsencrypt's cross-signature of the (expired) DST Root CA X3 certificate.

I requested a new certificate using certbot with --preferred-chain "ISRG Root X1" set (of course also restarted postfix ;-) and after that, the server in question talked to my server again.
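As an added diagnostic for the question above (not part of the original post or answer): a small POSIX shell script that dumps the chain your Postfix serves after STARTTLS, prints subject, issuer and expiry for every certificate in it, and flags an expired certificate or one issued by the DST Root CA X3 cross-sign, which is the chain the outdated remote OpenSSL rejects. It assumes `openssl`, `awk` and `mktemp` are installed; host and port are command-line arguments, and the function and file names are my own.

```shell
#!/bin/sh
# chaincheck.sh: show which chain an SMTP server sends after STARTTLS and
# flag the certificate(s) that an old OpenSSL 1.0.x client will reject.
# Usage: sh chaincheck.sh mail.example.org 25   (host name is an assumption)

fetch_chain() {
  # $1 host, $2 port. Prints every PEM certificate block from s_client -showcerts.
  openssl s_client -starttls smtp -showcerts -connect "$1:$2" -servername "$1" \
    </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

inspect_chain() {
  # $1 file holding one or more PEM certificates (as written by fetch_chain).
  # Prints one line per certificate; returns 1 if any certificate is expired
  # or was issued by "DST Root CA X3" (the Let's Encrypt cross-sign), else 0.
  dir=$(mktemp -d) || return 2
  # Split the PEM bundle into 1.pem, 2.pem, ... in chain order.
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/" n ".pem")}' "$1"
  bad=0; i=0
  for f in "$dir"/*.pem; do
    [ -f "$f" ] || continue
    i=$((i + 1))
    subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer= *//')
    end=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
    status=ok
    # -checkend 0 succeeds only while the certificate is still valid now.
    if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null; then
      status=EXPIRED; bad=1
    fi
    case "$iss" in
      *"DST Root CA X3"*) status="$status, DST Root CA X3 cross-sign"; bad=1 ;;
    esac
    printf '%d: subject=%s | issuer=%s | notAfter=%s [%s]\n' "$i" "$subj" "$iss" "$end" "$status"
  done
  rm -rf "$dir"
  return $bad
}

if [ $# -eq 2 ]; then
  chain=$(mktemp) && fetch_chain "$1" "$2" > "$chain" && inspect_chain "$chain"
  rm -f "$chain"
fi
```

A chain whose last line is flagged "DST Root CA X3 cross-sign" is the one to replace with a certbot run using `--preferred-chain "ISRG Root X1"`, as in the answer above.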