Hello everyone, this is what it looks like for me:
[root@mail ~]# openssl s_client -CAfile /etc/certs/rirasoft.crt -starttls smtp -connect mail.rirasoft.de:25
CONNECTED(00000003)
depth=0 serialNumber = IZDjLkv72AEo8rSecWf7wiT3bzjQAzoP, C = DE, O = www.rirasoft.de, OU = GT56989536, OU = See www.rapidssl.com/resources/cps (c)11, OU = Domain Control Validated - RapidSSL(R), CN = www.rirasoft.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 serialNumber = IZDjLkv72AEo8rSecWf7wiT3bzjQAzoP, C = DE, O = www.rirasoft.de, OU = GT56989536, OU = See www.rapidssl.com/resources/cps (c)11, OU = Domain Control Validated - RapidSSL(R), CN = www.rirasoft.de
verify error:num=27:certificate not trusted
verify return:1
depth=0 serialNumber = IZDjLkv72AEo8rSecWf7wiT3bzjQAzoP, C = DE, O = www.rirasoft.de, OU = GT56989536, OU = See www.rapidssl.com/resources/cps (c)11, OU = Domain Control Validated - RapidSSL(R), CN = www.rirasoft.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/serialNumber=IZDjLkv72AEo8rSecWf7wiT3bzjQAzoP/C=DE/O=www.rirasoft.de/OU=GT56989536/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=www.rirasoft.de
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
Server certificate
subject=/serialNumber=IZDjLkv72AEo8rSecWf7wiT3bzjQAzoP/C=DE/O=www.rirasoft.de/OU=GT56989536/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=www.rirasoft.de
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 2291 bytes and written 345 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1
    Cipher : DHE-RSA-AES256-SHA
    Session-ID: 1857A4CA89E4B7F4E60A00549E6E5F31E95BEC3EEBBB44ED1DF9CA92850BD467
    Session-ID-ctx:
    Master-Key: 6E305107B737E85CD36796591E42750976B4889EE80F7A9C867DE3839834D7FB609953B70C780B3A809D3D13EA37C934
    Key-Arg : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1376589608
    Timeout : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
250 DSN
Have I configured Postfix TLS forward secrecy correctly with this?
Regards, Andreas
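
One way to read the two relevant facts out of such an s_client transcript, added here as an example and not part of the original post: whether the negotiated cipher uses an ephemeral key exchange, and whether the chain verified. The helper name `assess_s_client` is hypothetical, and the sample input is constructed from the summary lines of the output above.

```python
import re

# Constructed sample: summary lines as they appear in the s_client output above.
SAMPLE = """\
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Protocol : TLSv1
    Cipher : DHE-RSA-AES256-SHA
    Verify return code: 21 (unable to verify the first certificate)
"""

# OpenSSL cipher-name prefixes for ephemeral (EC)DH key exchange with an
# authenticated server. Plain names such as AES256-SHA use RSA key transport.
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


def assess_s_client(output):
    """Hypothetical helper: summarise forward secrecy and chain verification."""
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    verify = re.search(r"Verify return code:\s*(\d+)\s*\(([^)]*)\)", output)
    if not cipher or cipher.group(1) in ("0000", "(NONE)"):
        raise ValueError("no negotiated cipher in s_client output")
    name = cipher.group(1)
    protocol = proto.group(1) if proto else None
    # TLS 1.3 suites (TLS_AES_...) do not name the key exchange; a full
    # TLS 1.3 handshake always uses ephemeral (EC)DHE.
    forward_secrecy = protocol == "TLSv1.3" or name.startswith(EPHEMERAL_PREFIXES)
    code = int(verify.group(1)) if verify else None
    return {
        "protocol": protocol,
        "cipher": name,
        "forward_secrecy": forward_secrecy,
        # Code 0 means the chain verified against the supplied CA file;
        # this is independent of the key exchange.
        "chain_verified": code == 0,
        "verify_code": code,
        "verify_text": verify.group(2) if verify else None,
    }


if __name__ == "__main__":
    for key, value in assess_s_client(SAMPLE).items():
        print(f"{key}: {value}")
```

The result covers only the single handshake in the transcript: which cipher this client and server agreed on, not every cipher the server would accept.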