On Thu, Feb 20, 2014 at 11:26:20AM +0100, Walter H. wrote:
> the older CentOS 4.x has in its ca-bundle.crt a root certificate that
> expired at the end of last month (on Jan. 28th, 2014), also attached
> (rootexpired.txt); no other valid root certificate of this CA (GlobalSign)
> can be found in this ca-bundle.crt;
>
> can someone tell me in clear logic, how it can be, that a totally
> different root certificate was used to verify the server certificate?
When a root CA is re-issued with the same public key, subject name, subject key identifier, ..., updating only the expiration dates and serial number, the old root looks like the right issuer of any certificates issued by the new root to any verifiers (such as your old CentOS box) that have only that certificate in their trust store.

The good news for Postfix is that Postfix >= 2.9 ignores all trusted certificates when doing opportunistic TLS, and never logs certificate verification failure reasons for opportunistic TLS. Thus users don't waste time tweaking CA bundles when delivery proceeds whether the destination is authenticated or not.

Now if you configure a TLS policy of "secure" for mail via the smarthost, you'll need to point Postfix explicitly at a suitable smtp_tls_CAfile or smtp_tls_CApath that contains an unexpired root issuer. (Some day you may be able to employ DANE when the smarthost DNS zone supports DNSSEC and publishes DANE TLSA records for SMTP.)

--
	Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
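The situation Viktor describes, reproduced with a throwaway CA as an added example (this script is not part of the thread and not Postfix or OpenSSL project code; the CA name "Example Root CA", the host name "smarthost.example" and the file names are invented). One root key pair is used to mint two self-signed roots with the same subject: an "old" one valid for a single day and a "new" one valid for ten years. A server certificate is then issued under the new root. Because OpenSSL locates the issuer by subject name and key, the old root verifies that chain perfectly well until the day it expires; after that the same chain fails against the old root and succeeds against the new one. The dates are simulated with `openssl verify -attime`, so the script does not have to wait. It requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the original thread: show that a re-issued root
# (same key, same subject, new validity period) is accepted as the issuer of
# certificates signed under the newer copy, right up to the old copy's expiry.
set -e

# make_pki DIR: build the toy PKI in DIR (all names are invented):
#   root-old.pem  self-signed root, valid for 1 day only
#   root-new.pem  re-issue of the same root: same key, same subject, 10 years
#   server.pem    leaf certificate issued under root-new
make_pki() {
    mkdir -p "$1"
    (
        cd "$1"
        # One key pair shared by both copies of the root.
        openssl genrsa -out root.key 2048 2>/dev/null
        openssl req -x509 -new -key root.key -subj "/CN=Example Root CA" \
            -days 1 -out root-old.pem
        openssl req -x509 -new -key root.key -subj "/CN=Example Root CA" \
            -days 3650 -out root-new.pem
        # Leaf signed by the (new) root key; its issuer name matches both roots.
        openssl genrsa -out server.key 2048 2>/dev/null
        openssl req -new -key server.key -subj "/CN=smarthost.example" \
            -out server.csr
        openssl x509 -req -in server.csr -CA root-new.pem -CAkey root.key \
            -CAcreateserial -days 3650 -out server.pem 2>/dev/null
    )
}

# verify_at DIR CAFILE EPOCH: verify DIR/server.pem against DIR/CAFILE as of
# the given Unix time; prints "ok" or "fail".
verify_at() {
    if openssl verify -attime "$3" -CAfile "$1/$2" "$1/server.pem" \
        >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# same_key DIR: prints 1 if both roots carry the same public key, else 0.
same_key() {
    a=$(openssl x509 -in "$1/root-old.pem" -noout -pubkey)
    b=$(openssl x509 -in "$1/root-new.pem" -noout -pubkey)
    if [ "$a" = "$b" ]; then echo 1; else echo 0; fi
}

demo() {
    dir=$(mktemp -d)
    make_pki "$dir"
    now=$(date +%s)
    echo "roots share a public key:    $(same_key "$dir")"
    echo "old root, one hour from now: $(verify_at "$dir" root-old.pem $((now + 3600)))"
    echo "old root, ten days from now: $(verify_at "$dir" root-old.pem $((now + 864000)))"
    echo "new root, ten days from now: $(verify_at "$dir" root-new.pem $((now + 864000)))"
    rm -rf "$dir"
}

demo
```

The third line of output is the CentOS 4 situation: nothing about the chain changed, only the clock moved past the old root's notAfter, so a trust store holding only that copy now rejects everything the CA ever signed. The fix is the one in the reply: give the verifier (for Postfix, via smtp_tls_CAfile or smtp_tls_CApath) the re-issued root rather than editing the chain.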