Mailing List Archive

SSL verify error: An error I thought harmless
Hi, folks,

I'm trying to understand why an error is sending mail to our
quarantine server.

Our routing is a little odd: In this specific case, mail goes from the
user to Google SMTP, where it is routed back to our inbound SMTP server.
Normally that server would route it to our LISTSERV server, which would
then process the mail. However, what I'm actually seeing happen in the logs
is mail being routed to our quarantine server:

2022-04-25 08:49:02 1niz5K-0003V5-8b <= <> H=mail-pf1-f199.google.com
[209.85.210.199] P=esmtps X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no K
S=131877 id=6266A6CA.0A40BC.01172@163mx43.163.com

2022-04-25 08:49:02 1niz5K-0003V5-8b [our mail quarantine node's IP
address] SSL verify error: depth=0 error=self signed certificate
cert=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=
quarantinenode.ualr.edu/emailAddress=root@quarantinenode.ualr.edu

2022-04-25 08:49:02 1niz5K-0003V5-8b [our mail quarantine node's IP
address] SSL verify error: depth=0 error=certificate has expired
cert=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=
quarantinenode.ualr.edu/emailAddress=root@quarantinenode.ualr.edu

2022-04-25 08:49:02 1niz5K-0003V5-8b => a-local-address@ualr.edu
R=quarantine T=remote_smtp H=quarantinenode.ualr.edu [our mail quarantine
node's IP address] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no K C="250-
130368 byte chunk, total 134166\\n250 OK id=1niz5K-000BpD-Dx"

2022-04-25 08:49:02 1niz5K-0003V5-8b Completed

I'm trying to understand this log excerpt. What exactly is triggering
the R=quarantine flag?

Thanks,

John A

--
John Adams
Senior Linux/Middleware Administrator | Information Technology Services
+1-501-916-3010 | jxadams@ualr.edu | http://ualr.edu/itservices
*UA Little Rock*

Reminder: IT Services will never ask for your password over the phone or
in an email. Always be suspicious of requests for personal information that
come via email, even from known contacts. For more information or to
report suspicious email, visit IT Security
<http://ualr.edu/itservices/security/>.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: SSL verify error: An error I thought harmless
On 26/04/2022 15:47, Johnnie W Adams via Exim-users wrote:
> What exactly is triggering
> the R=quarantine flag?

That is the router that accepted the message and handed it to a transport.

Why that one? This depends on the definition of your chain of routers,
in your configuration.
--
Cheers,
Jeremy

Re: SSL verify error: An error I thought harmless
That's helpful! Let me ask a more focused question: Does this mean my
cert/key combo on this node is bad? That's the path I'm going down right
now.

On Tue, Apr 26, 2022 at 10:09 AM Jeremy Harris via Exim-users <
exim-users@exim.org> wrote:

> On 26/04/2022 15:47, Johnnie W Adams via Exim-users wrote:
> > What exactly is triggering
> > the R=quarantine flag?
>
> That is the router that accepted the message and handed it to a transport.
>
> Why that one? This depends on the definition of your chain of routers,
> in your configuration.
> --
> Cheers,
> Jeremy


Re: SSL verify error: An error I thought harmless
On 26/04/2022 16:36, Johnnie W Adams via Exim-users wrote:
> That's helpful! Let me ask a more focused question: Does this mean my
> cert/key combo on this node is bad? That's the path I'm going down right
> now.

It says there's a certs issue between this MTA and your quarantine node.
That's separate from why it got to this router, probably.
--
Cheers,
Jeremy

Re: SSL verify error: An error I thought harmless
I don't think it's entirely separate, because I did some exigreps and there
are exactly two SSL errors for every R=quarantine.

On Tue, Apr 26, 2022 at 10:48 AM Jeremy Harris via Exim-users <
exim-users@exim.org> wrote:

> On 26/04/2022 16:36, Johnnie W Adams via Exim-users wrote:
> > That's helpful! Let me ask a more focused question: Does this mean my
> > cert/key combo on this node is bad? That's the path I'm going down right
> > now.
>
> It says there's a certs issue between this MTA and your quarantine node.
> That's separate from why it got to this router, probably.
> --
> Cheers,
> Jeremy


Re: SSL verify error: An error I thought harmless
I suddenly got the implication of what you're saying: Given that my primary
issue today is why mail is incorrectly classified to be quarantined, the
certificate issue between the MTA and the quarantine node is not the
problem. The classification happens on the MTA--in this case, in the very
first router:

quarantine:
  driver = manualroute
  condition = ${if eq{$header_x-gm-spam:}{1}}
  transport = remote_smtp
  route_data = ${lookup {$domain}lsearch*{/etc/exim/mailfilter_routes}}
  no_more

So the question is better asked, "Why is that x-gm-spam header being
inserted?" Which points me back upstream, true?

On Tue, Apr 26, 2022 at 10:48 AM Jeremy Harris via Exim-users <
exim-users@exim.org> wrote:

> On 26/04/2022 16:36, Johnnie W Adams via Exim-users wrote:
> > That's helpful! Let me ask a more focused question: Does this mean my
> > cert/key combo on this node is bad? That's the path I'm going down right
> > now.
>
> It says there's a certs issue between this MTA and your quarantine node.
> That's separate from why it got to this router, probably.
> --
> Cheers,
> Jeremy


Re: SSL verify error: An error I thought harmless
On 26/04/2022 17:44, Johnnie W Adams via Exim-users wrote:
> So the question is better asked, "Why is that x-gm-spam header being
> inserted?" Which points me back upstream, true?

Upstream of that router, at least. It still could be within
the same MTA.
--
Cheers,
Jeremy

Re: SSL verify error: An error I thought harmless
Turned out it was upstream from the MTA. Which gave me a whole new problem.
Whee!

On Tue, Apr 26, 2022 at 3:38 PM Jeremy Harris via Exim-users <
exim-users@exim.org> wrote:

> On 26/04/2022 17:44, Johnnie W Adams via Exim-users wrote:
> > So the question is better asked, "Why is that x-gm-spam header being
> > inserted?" Which points me back upstream, true?
>
> Upstream of that router, at least. It still could be within
> the same MTA.
> --
> Cheers,
> Jeremy


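Added example (not part of the thread and not Exim project code): a Python version of the exigrep-style correlation discussed above, run on a constructed mainlog sample whose message ids, hosts and IPs are placeholders. It pairs each "SSL verify error" line with the delivery whose peer IP matches, which shows the errors belong to the outbound TLS connection made after the router was already chosen, so they accompany R=quarantine without causing it.

```python
import re
from collections import defaultdict

# Constructed sample in Exim mainlog format; ids, hosts and IPs are placeholders.
SAMPLE_LOG = """\
2022-04-25 08:49:02 1aaaaa-000001-AA <= <> H=mx.example.net [198.51.100.7] P=esmtps CV=no S=131877
2022-04-25 08:49:02 1aaaaa-000001-AA [192.0.2.25] SSL verify error: depth=0 error=self signed certificate cert=/CN=quarantine.example.edu
2022-04-25 08:49:02 1aaaaa-000001-AA [192.0.2.25] SSL verify error: depth=0 error=certificate has expired cert=/CN=quarantine.example.edu
2022-04-25 08:49:02 1aaaaa-000001-AA => user@example.edu R=quarantine T=remote_smtp H=quarantine.example.edu [192.0.2.25] CV=no C="250 OK"
2022-04-25 08:49:02 1aaaaa-000001-AA Completed
2022-04-25 08:50:10 1bbbbb-000002-BB <= sender@example.org H=mx.example.net [198.51.100.7] P=esmtps CV=no S=2048
2022-04-25 08:50:10 1bbbbb-000002-BB => list@example.edu R=listserv T=remote_smtp H=lists.example.edu [192.0.2.40] CV=yes C="250 OK"
2022-04-25 08:50:10 1bbbbb-000002-BB Completed
"""

LINE = re.compile(r"^\S+ \S+ (?P<id>\w+-\w+-\w+) (?P<rest>.*)$")
VERIFY = re.compile(r"^\[(?P<ip>[^\]]+)\] SSL verify error: .*?error=(?P<err>.*?) cert=")
DELIVERY = re.compile(
    r"^[=-]> \S+ .*?R=(?P<router>\S+) T=(?P<transport>\S+) "
    r"H=\S+ \[(?P<ip>[^\]]+)\].*?CV=(?P<cv>\w+)"
)

def correlate(log_text):
    """Group lines by message id and attach verify errors to the delivery
    whose peer IP they were logged against."""
    msgs = defaultdict(lambda: {"errors": [], "deliveries": []})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        if (v := VERIFY.match(m["rest"])):
            msgs[m["id"]]["errors"].append((v["ip"], v["err"]))
        elif (d := DELIVERY.match(m["rest"])):
            msgs[m["id"]]["deliveries"].append(d.groupdict())
    report = []
    for mid, rec in msgs.items():
        for d in rec["deliveries"]:
            # Errors for this peer come from the outbound connection to it.
            errs = [e for ip, e in rec["errors"] if ip == d["ip"]]
            report.append({"id": mid, "router": d["router"],
                           "peer": d["ip"], "cv": d["cv"], "peer_errors": errs})
    return report

if __name__ == "__main__":
    for row in correlate(SAMPLE_LOG):
        print(row)
```

CV=no on the delivery line together with the matched errors means the message was handed over on a TLS session whose peer certificate did not verify.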