On Thu, Apr 16, 2009 at 08:23:18PM +0200, gabriele wrote:

> I have only one peer as nexthop in my transport table, this is my
> configuration for Postfix smtp:

These settings look a bit like an experimental particle physicist trying
to learn about the inner workings of client TLS in Postfix by smashing
all the parameters together in a high energy collision.

What exactly are you trying to do?

    - Encrypted connection to a server with no peername authentication?

    - Secure connection to a server authenticated by the certificate
      fingerprint?

    - Secure connection using trusted 3rd-party CAs and matching of
      names in trusted certificates?

> > # SMTP  TLS
> > smtp_use_tls=yes
> > smtp_tls_loglevel = 1
> > smtp_tls_enforce_peername = no
> > smtp_tls_CAfile = /etc/postfix/ssl/CA.pem
> > smtp_tls_cert_file=/etc/postfix/ssl/cert.pem
> > smtp_tls_key_file=/etc/postfix/ssl/key.pem
> > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> > smtp_tls_enforce_peername = no
> > smtp_tls_mandatory_ciphers = high
> > smtp_tls_mandatory_protocols = SSLv3, TLSv1
> > smtp_tls_secure_cert_match = nexthop
> > smtp_tls_security_level = fingerprint
> > smtp_tls_fingerprint_digest = sha1
> > smtp_tls_fingerprint_cert_match = D4:A8:07:24:0C:26:B6:D7:9D:AA:CC:CA:77:BA:3A:27:AE:0C:B5:35
> > smtp_tls_scert_verifydepth = 1
> > smtp_tls_note_starttls_offer = yes
> 
> ... and I still can't get a verified TLS connection with my relayhost.
> My CA.pem, smtp_tls_CAfile = /etc/postfix/ssl/CA.pem, has both my
> self-signed main CA certificate and my nexthop CA in it. Should I
> include the whole CA certificates directory in the Postfix main.cf? How can I
> get a verified TLS connection with my relayhost?

Pick just one strategy, and make sure the relay's certificate meets the
conditions you specify. If you still have problems, post detailed logs
with smtp_tls_loglevel=2 and unedited "postconf -n | grep smtp_tls_"
output.

-- 
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
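The three strategies listed in the reply, each written out as the minimal set of main.cf settings it actually needs, so that only one of them is active at a time. This is an added example, not text from the original message or from the Postfix project; the relay hostname and the fingerprint value are constructed placeholders, and the CA file path is the one from the quoted configuration. The obsolete parameters in the quoted configuration (smtp_use_tls, smtp_tls_enforce_peername) are overridden by smtp_tls_security_level whenever it is set, and the CA, verify-depth and name-matching parameters are ignored at the fingerprint level, which is why mixing them buys nothing.

```conf
# Added example (not from the original message or the Postfix project).
# Pick exactly ONE of the three strategy blocks below for this relayhost.
# relay.example.net and the fingerprint are constructed placeholders.
relayhost = [relay.example.net]

# Strategy 1: encrypted connection, no peer name authentication.
# The relay may present any certificate, even a self-signed one;
# this protects only against passive eavesdropping.
#smtp_tls_security_level = encrypt
#smtp_tls_mandatory_ciphers = high

# Strategy 2: authenticate the relay by its certificate fingerprint.
# Obtain the digest from the relay's own certificate, for example:
#   openssl s_client -starttls smtp -connect relay.example.net:25 </dev/null \
#     | openssl x509 -noout -fingerprint -sha256
# and paste the colon-separated hex value as printed. No CA file,
# verify depth or *_cert_match setting is consulted at this level.
smtp_tls_security_level = fingerprint
smtp_tls_fingerprint_digest = sha256
smtp_tls_fingerprint_cert_match = AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99

# Strategy 3: CA-verified certificate plus name matching ("secure").
# The relay's certificate chain must be signed by a CA in smtp_tls_CAfile,
# and one of its names must match the nexthop (relay.example.net, the
# relayhost with the [] and any :port removed).
#smtp_tls_security_level = secure
#smtp_tls_CAfile = /etc/postfix/ssl/CA.pem
#smtp_tls_secure_cert_match = nexthop

# Raise to 2 only while debugging, as suggested in the reply.
smtp_tls_loglevel = 1
```

After editing, `postconf -n | grep smtp_tls_` should show only the parameters of the chosen strategy; anything left over from another strategy is either ignored or, in the case of the legacy smtp_use_tls / smtp_tls_enforce_peername pair, silently overridden by smtp_tls_security_level.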
