After the update I got this error message with my Alpha (GlobalSign) wildcard SSL certificate.
Well some checks:
openssl s_client -showcerts -connect my.server.here:465 -servername my.server.here
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
verify return:1
depth=0 CN = *.mydomain.here
verify return:1
---
Certificate chain
 0 s:CN = *.mydomain.here
   i:C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
Server certificate
subject=CN = *.mydomain.here
issuer=C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2669 bytes and written 390 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
So the certificate is installed correctly on the server. (All other ports are the same: 443, 993 and so on.)
So why is Exim on the firewall telling me it can't verify the cert?
And do I still have a secure connection?
I see the exact same Error on my Firewalls with 9.706-9, it happens to only exim-out, no error on exim-in as far as I can see.
It happens with internal certificates (firewall sending to Exchange) and external certificates (firewall sending to external MX).
The E-Mails are still getting delivered, no error on that, just in the Logfiles...
Do you have a business License? If yes you could open a Ticket at Sophos Support.
Correct. I got an internal Postfix / Dovecot server....
I checked the Exim docs and Exim is working as it should be. That's what the docs tell me.
Anyway, if you put (in my case) the fullchain.pem from Let's Encrypt into the *.crt of Dovecot or Postfix on the internal mail server, you should see that this error message is gone.
Same problem here, but some PDF files in emails did not work after the update.
Do you have 9.706-8 or 9.706-9 installed?
With 9.706-8 there is a Bug with Attachments.
We have 9.706-8. Thx for the hint.
Same here, we are using the newest firmware --> 9.706-9 (update from 9.705-3) and we now have the following errors in the SMTP logs:
Errors with external smtp mailservers:
1: SSL verify error: depth=1 error=unable to get local issuer certificate cert=/C=US/O=Google Trust Services/CN=GTS CA 1O1
You should open a case with Sophos Support.
Cheers - Bob
I have a case open for this Issue now #03997644.
This message is caused by the tls_verify_certificate feature in Exim. If Exim fails to verify the certificate provided by the remote mail server, it’ll log this message. However, this does not affect email traffic, and TLS works as expected. This is only a warning message and does not affect any functionality.
Community Support Engineer | Sophos Technical Support
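The chain question raised in the thread (leaf only versus fullchain.pem), as an added example that is not part of any post and is not Sophos or Exim code: it reads the "Certificate chain" section of `openssl s_client -showcerts` output and lists every issuer the server did not send, which the verifying side must then find in its own CA store or report "unable to get local issuer certificate". Both sample outputs are constructed from the output quoted above, and the function names are illustrative.

```python
import re

# Constructed from the s_client output quoted in the thread: leaf only.
LEAF_ONLY = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = *.mydomain.here
   i:C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
---
Server certificate
"""

# Constructed: the same server once leaf + intermediate are installed.
FULL_CHAIN = """\
---
Certificate chain
 0 s:CN = *.mydomain.here
   i:C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
 1 s:C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
---
"""

# One chain entry: " N s:<subject>" followed by "   i:<issuer>".
ENTRY = re.compile(r"^[ \t]*(\d+) s:(.+)\n[ \t]+i:(.+)$", re.MULTILINE)


def sent_chain(output):
    """Return [(depth, subject, issuer)] for each certificate the server sent."""
    start = output.find("Certificate chain")
    if start < 0:
        return []
    section = output[start:]
    end = re.search(r"^---[ \t]*$", section, re.MULTILINE)  # section separator
    if end:
        section = section[:end.start()]
    return [(int(n), s.strip(), i.strip()) for n, s, i in ENTRY.findall(section)]


def issuers_not_sent(chain):
    """Issuers the verifier must already hold in its local CA store."""
    subjects = {subject for _, subject, _ in chain}
    missing = []
    for _, subject, issuer in chain:
        if issuer != subject and issuer not in subjects and issuer not in missing:
            missing.append(issuer)
    return missing


if __name__ == "__main__":
    for name, text in (("leaf only", LEAF_ONLY), ("full chain", FULL_CHAIN)):
        print(name, "->", issuers_not_sent(sent_chain(text)))
```

If the first issuer listed is the intermediate rather than a root, the server is sending the leaf alone and every verifier has to supply the intermediate itself.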