Sam Varshavchik wrote:
> Err. With SECURITY=STARTTLS, you need to set TLS_TRUSTSECURITYCERTS.
> You missed the big fat comment there :-)
Oops. Indeed, thanks. However, fixing that gave new errors.

Sender:
500 couriertls: connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed/Unexpected SSL connec...

Receiver:
STARTTLS failed: couriertls: accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

TLS_CERTFILE in courierd points to esmtpd.pem on both sides. All certs on both the sender and the receiver are signed by the same private CA. The signing is good; a mail client that has the root CA cert installed accepts the server certs without questions.

The CA certificate is in rootcerts on both machines, bin:bin 444, and symlinked with

ln -s myca.pem `openssl x509 -hash -noout -in myca.pem`.0

TLS_TRUSTSECURITYCERTS points to that directory. ESMTP_TLS_VERIFY_DOMAIN and TLS_VERIFYPEER are set to 1, PEER on the sender; tried 1, PEER as well as 0, NONE on the receiver. TLS_DHCERTFILE is commented out on both sides. The settings in esmtpd and esmtpd-ssl match these. Yet,

[sender] # couriertls -host=graenden.org -port=2225 -printx509 -protocol=smtp
220 kverulanten.graenden.org ESMTP
STARTTLS
220 Ok
couriertls: connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Unexpected SSL connection shutdown.

The same happens in the opposite direction, but without the last line.

A lookup on the IP of the sender returns the cn that is presented by the sender's certificates. A lookup on the IP of the receiver returns something completely different than the cn on the cert.

The output of strace on the couriertls command above is at http://www.provocation.net/tmp/drivesmecrazy.txt . The odd thing is that it doesn't even try to read the ca cert after it has fetched the server cert; it just complains and dies. Are the ca certs pre-read on startup? Is there a way to increase loglevel to insane?

Any tips and hints will be greatly appreciated; I can already see the big men in white jackets knocking on my door.
Z

_______________________________________________
courier-users mailing list
[EMAIL PROTECTED]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
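The "certificate verify failed" on the connecting side and the "tlsv1 alert unknown ca" on the accepting side are the two halves of one event: the verifying side could not build a chain from the peer certificate to a CA it trusts. With a directory-style trust store (what TLS_TRUSTSECURITYCERTS names), OpenSSL does not scan the directory; it computes the subject hash of the issuer it is looking for and opens a file named `<hash>.0`, `<hash>.1`, and so on. If no file with that exact name exists, the CA file is never read, which matches the behaviour the strace in the post describes. The script below is an added example, not Courier's code and not from the original post. It builds a throwaway private CA and a server certificate signed by it, then checks that certificate against three trust directories: one linked by the current subject hash, one linked by the old-style hash (what you get when the rehash was done with a different OpenSSL release than the one the verifying binary links against), and one with no CA. It assumes the `openssl` CLI (1.0.0 or later, for `-subject_hash_old`) and a writable scratch directory; the file names `myca.pem` and `rootcerts` follow the post, and the hostname `mail.example.test` is made up. `openssl verify` does only the chain check; the CN-versus-hostname comparison that ESMTP_TLS_VERIFY_DOMAIN adds is a separate step and is not exercised here.

```shell
#!/bin/sh
# Added example (not Courier's code, not from the original post): reproduce the
# "verify failed" / "unknown ca" outcome with a private CA and show what a
# CApath-style trust directory (Courier's TLS_TRUSTSECURITYCERTS) has to contain.
# Assumes the openssl CLI (1.0.0+, for -subject_hash_old) and a scratch directory.
# myca.pem / rootcerts follow the post; mail.example.test is a made-up hostname.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"

# Private CA plus one server certificate signed by it (the post's esmtpd.pem role).
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Private CA" \
    -keyout "$WORK/myca.key" -out "$WORK/myca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/myca.pem" \
    -CAkey "$WORK/myca.key" -CAcreateserial -out "$WORK/server.pem" >/dev/null 2>&1
}

# build_trust_dir MODE: create $WORK/rootcerts-MODE and print its path.
#   good  : link named <subject_hash>.0, the name the library actually opens
#   old   : link named with the pre-1.0 hash (rehash done by a different OpenSSL)
#   empty : directory with no CA at all
build_trust_dir() {
  dir="$WORK/rootcerts-$1"
  mkdir -p "$dir"
  case "$1" in
    good) h=$(openssl x509 -subject_hash -noout -in "$WORK/myca.pem") ;;
    old)  h=$(openssl x509 -subject_hash_old -noout -in "$WORK/myca.pem") ;;
    *)    echo "$dir"; return 0 ;;
  esac
  cp "$WORK/myca.pem" "$dir/myca.pem"
  ln -sf myca.pem "$dir/$h.0"
  echo "$dir"
}

# verify_with DIR: chain-build server.pem against DIR via a -CApath lookup.
# Prints "verified" or "verify failed". Chain check only; the CN-vs-hostname
# test that ESMTP_TLS_VERIFY_DOMAIN adds on top is not part of this.
verify_with() {
  if openssl verify -CApath "$1" "$WORK/server.pem" >/dev/null 2>&1; then
    echo verified
  else
    echo "verify failed"
  fi
}

run_demo() {
  make_pki
  for mode in good old empty; do
    d=$(build_trust_dir "$mode")
    printf '%-6s %-32s %s\n' "$mode" "$(ls "$d" | tr '\n' ' ')" "$(verify_with "$d")"
  done
}

run_demo
```

The "old" row is the check worth running on a box where the symlinks were made by hand: compare the link name in your rootcerts directory with `openssl x509 -subject_hash -noout -in myca.pem` as computed by the same OpenSSL build the MTA is linked against; the directory can hold the right certificate and still be useless if the name does not match. If the chain verifies here but the MTA still rejects the peer, the problem is past the trust store (hostname matching, a different TLS_TRUSTSECURITYCERTS value in the daemon actually handling the connection, or a certificate the peer sends that differs from the one you checked).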
