PostfixAndIMAP

Adapted from http://www.aet.tu-cottbus.de/pipermail/postfix_tls/2002/000353.html

Ethan wrote:

My only issues are with mozilla (1.0 now), and netscape (6.2 now). For some reason, these clients balk when trying to relay over ssl... strange, as they work perfectly with IMAP over ssl. I'm using self-signed certs as well. Hopefully this is just a mozilla problem that will get fixed. Here's the relevant section of main.cf:

    Jun 9 22:23:04 spicymeatball postfix/smtpd[10999]: SSL3 alert write:fatal:bad record mac
    Jun 9 22:23:04 spicymeatball postfix/smtpd[10999]: SSL_accept:error in SSLv3 read certificate verify A
    Jun 9 22:23:04 spicymeatball postfix/smtpd[10999]: SSL_accept error from unknown[192.168.1.3]: -1
    Jun 9 22:23:04 spicymeatball postfix/smtpd[10999]: 10999:error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:450:

At this point Netscape and Postfix/TLS (or to be more precise: OpenSSL) disagree about the key or checksum. I just ran a short test with Netscape 6.2.3:

    Mozilla/5.0 (X11; U; Linux i586; en-US; rv:0.9.4.1) Gecko/20020508 Netscape6/6.2.3

As you can see, the Netscape client was run on a Linux host. The server was serv01.aet.tu-cottbus.de, running the latest version of Postfix/TLS (0.8.11a for Postfix 1.1.11) with OpenSSL 0.9.6d on HP-UX 10.20.

The answer:

It ends up that my IMAP server and postfix were using two different self-signed certs that had identical common names. As soon as I began to use the same cert for both servers, the mozilla/netscape problem went away.
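One way to check for the condition described in the answer, as an added example that is not part of the original thread: it compares two certificates by common name and SHA-256 fingerprint and reports when they share a CN but are different certificates. The helper names, file names and the CN `mail.example.test` are constructed placeholders, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original thread. Host names, file names and
# the CN "mail.example.test" are constructed placeholders.

# Fetch the certificate a live service presents, as PEM on stdout.
# $1 = host:port, $2 = optional STARTTLS protocol, e.g. smtp
fetch_cert() {
    openssl s_client -connect "$1" ${2:+-starttls "$2"} </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# Common name and SHA-256 fingerprint of a PEM certificate file.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= //p'
}
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Classify two certificate files:
#   identical | same-cn-different-cert | distinct   (returns 2 on unreadable input)
compare_certs() {
    fp1=$(cert_fp "$1"); fp2=$(cert_fp "$2")
    [ -n "$fp1" ] && [ -n "$fp2" ] || return 2
    cn1=$(cert_cn "$1")
    if [ "$fp1" = "$fp2" ]; then
        echo identical
    elif [ -n "$cn1" ] && [ "$cn1" = "$(cert_cn "$2")" ]; then
        echo same-cn-different-cert   # the situation reported in the thread
    else
        echo distinct
    fi
}

# Generate a throwaway self-signed certificate (constructed test data).
# $1 = output PEM file, $2 = common name
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Demo: two independently generated certificates sharing one CN stand in
# for the IMAP and Postfix certificates.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/imap.pem" mail.example.test
make_sample_cert "$demo_dir/smtp.pem" mail.example.test
compare_certs "$demo_dir/imap.pem" "$demo_dir/smtp.pem"
rm -rf "$demo_dir"
```

Against live services, save the output of `fetch_cert` for the IMAP-over-SSL port and for the SMTP port (with `smtp` as the second argument) to two files and pass them to `compare_certs`.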