Hi, guys!

I spent a whole night configuring my postfix to relay on Gmail's smtp server. However, I found that the TLS verification has some weird problems.

First, I found that postfix can't verify the server:

> certificate verification failed for smtp.gmail.com[74.125.47.111]:587:
> untrusted issuer /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
> cc/OU=Certification Services Division/CN=Thawte Premium Server
> CA/[EMAIL PROTECTED]

(From my mail.log)

Then, I tried to add the certificate manually for openssl to recognize:

> openssl s_client -connect smtp.gmail.com:587 -starttls smtp -showcerts

And grab the content between "--Begin Certificate --" and "--End Certificate --". Save it to google.pem. Then copy this pem file to /etc/ssl/certs and do a c_rehash on the directory.

When I verified the certificate via openssl:

> openssl verify google.pem

It shows "OK", so it seems everything is OK. I restarted my postfix server again. Strangely, it still showed that the server's issuer can't be recognized.

Openssl gmail gave:

> Verify return code: 21 (unable to verify the first certificate)

However, if I add -CAfile /etc/ssl/certs/google.pem, it's OK.

In my postfix, I also set "smtp_tls_CAfile = /etc/ssl/certs/google.pem", so it should find the file by itself. But I still got the untrusted issuer message. However, if I changed the CAfile to Thawte_Premium_Server_CA.pem, postfix reported it's OK now.

I just want to ask why I can't get verification when I use the google.pem which I got from the openssl connection?

Thanks!

-- 
DigitalPig
E-mail: digitalpiglee AT gmail DOT com
ALL WE SEEN IS ILLUSION.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
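An added example, not part of the original post: a certificate saved from `-showcerts` is the server's own certificate, and a file used as `-CAfile` (or `smtp_tls_CAfile`) has to contain the CA that issued it, which this script shows with a throwaway CA and server certificate. It assumes a current `openssl` command-line tool with default verification flags (no `-partial_chain`); the subject names, file names and helper functions are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: throwaway CA and server certificate, nothing from Gmail or Thawte.

# verify_with ANCHOR CERT: exit status 0 only if CERT chains to ANCHOR.
verify_with() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_of CERT: print the issuer name, i.e. the CA that must be in the CAfile.
issuer_of() {
    openssl x509 -noout -issuer -in "$1"
}

# build_demo DIR: create ca.pem (self-signed CA) and leaf.pem (signed by that CA).
build_demo() {
    d=$1
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/demo.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -subj "/CN=smtp.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

tmp=$(mktemp -d) && build_demo "$tmp" || exit 1
trap 'rm -rf "$tmp"' EXIT

# The name printed here is the certificate that belongs in the CAfile.
issuer_of "$tmp/leaf.pem"

# Trust anchor = issuing CA: the chain leaf -> CA is complete.
verify_with "$tmp/ca.pem" "$tmp/leaf.pem" && echo "CAfile=ca.pem:   verified"

# Trust anchor = the leaf itself: its issuer is still missing, so it is rejected.
verify_with "$tmp/leaf.pem" "$tmp/leaf.pem" || echo "CAfile=leaf.pem: rejected"
```

Running `openssl x509 -noout -subject -issuer -in google.pem` on a captured certificate shows in the same way which CA certificate a CAfile needs.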