On 2026-05-05 12:34, Tom via Postfix-users wrote:
> When trying a secure LDAP (works fine without TLS/SSL) connection, it fails
> with "Unable to bind to server" on the postmap end, and "TLS negotiation failure"
> on the OpenLDAP end.
>
> Using ldapsearch from the postfix host succeeds with both SSL and TLS. So
> does "openssl s_client".
>
> All the certificates are up to date and correspond to the host and URLs.
>
> So it's not a problem with TLS or SSL on the OpenLDAP or postfix host, just
> the combination of postfix to OpenLDAP.
<snip>
> I have full logging set up but cannot see what the issue is. Any ideas?

Turns out there is a "debuglevel" setting I saw at the bottom of the output. With "debuglevel = 1" in the config, I get this:

----------------------------------------------------------------------------
postmap: dict_ldap_debug: TLS trace: SSL_connect:before SSL initialization
postmap: dict_ldap_debug: TLS trace: SSL_connect:SSLv3/TLS write client hello
postmap: dict_ldap_debug: TLS trace: SSL_connect:error in SSLv3/TLS write client hello
postmap: dict_ldap_debug: TLS trace: SSL_connect:SSLv3/TLS write client hello
postmap: dict_ldap_debug: TLS trace: SSL_connect:SSLv3/TLS read server hello
postmap: dict_ldap_debug: TLS trace: SSL_connect:TLSv1.3 read encrypted extensions
postmap: dict_ldap_debug: TLS trace: SSL_connect:SSLv3/TLS read server certificate request
postmap: dict_ldap_debug: TLS certificate verification: depth: 1, err: 2, subject: /C=US/O=Let's Encrypt/CN=E7,
postmap: dict_ldap_debug: issuer: /C=US/O=Internet Security Research Group/CN=ISRG Root X1
postmap: dict_ldap_debug: TLS certificate verification: Error, unable to get issuer certificate
postmap: dict_ldap_debug: TLS trace: SSL_connect:SSLv3/TLS read server certificate
postmap: dict_ldap_debug: TLS trace: SSL_connect:TLSv1.3 read server certificate verify
postmap: dict_ldap_debug: TLS trace: SSL_connect:SSLv3/TLS read finished
postmap: dict_ldap_debug: TLS trace: SSL_connect:SSLv3/TLS write change cipher spec
postmap: dict_ldap_debug: TLS trace: SSL_connect:TLSv1.3 write client compressed certificate
postmap: dict_ldap_debug: TLS trace: SSL_connect:SSLv3/TLS write certificate verify
postmap: dict_ldap_debug: TLS trace: SSL_connect:SSLv3/TLS write finished
postmap: dict_ldap_debug: TLS trace: SSL3 alert read:fatal:unknown CA
----------------------------------------------------------------------------

Still no problems running ldapsearch or openssl s_client from the postfix host - they work perfectly.
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
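An added example, not part of Tom's message and not Postfix code: a small Python script that parses dict_ldap_debug TLS trace lines like the ones in the message and separates the two distinct events the trace records. The first is the client's own verification of the server chain (depth, OpenSSL verify error code, subject, issuer); the second is the fatal alert, together with its direction ("alert read" means the alert was received from the peer, "alert write" means this side sent it). The sample lines are copied from the trace above, and the error-code table is the subset of OpenSSL's X509 verify codes needed here. Run on the posted trace it reports that the depth-1 certificate (the Let's Encrypt E7 intermediate) could not be chained to its issuer ISRG Root X1, so that root is not in the trust store the Postfix LDAP client used, and that the "unknown CA" alert was read from the server after the client had answered the server's certificate request, i.e. the server did not accept the CA behind the certificate this client presented. On the Postfix side the relevant settings live in the ldap table file itself (tls_ca_cert_file / tls_ca_cert_dir, tls_cert / tls_key and tls_require_cert, see ldap_table(5)) rather than in the ldap.conf that ldapsearch reads.

```python
"""Summarise a Postfix dict_ldap_debug TLS trace.

Added example for the thread above; it is not Postfix's own code.
It only reads the debug text, it opens no network connection.
"""
import re

# Subset of OpenSSL X509 verification error codes (x509_vfy.h) needed here.
X509_VERIFY_ERRORS = {
    0: "ok",
    2: "unable to get issuer certificate",
    10: "certificate has expired",
    18: "self-signed certificate",
    19: "self-signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
    62: "hostname mismatch",
}

# Constructed sample: the verification and alert lines copied from the message.
SAMPLE_TRACE = """\
postmap: dict_ldap_debug: TLS trace: SSL_connect:SSLv3/TLS read server hello
postmap: dict_ldap_debug: TLS trace: SSL_connect:SSLv3/TLS read server certificate request
postmap: dict_ldap_debug: TLS certificate verification: depth: 1, err: 2, subject: /C=US/O=Let's Encrypt/CN=E7,
postmap: dict_ldap_debug: issuer: /C=US/O=Internet Security Research Group/CN=ISRG Root X1
postmap: dict_ldap_debug: TLS certificate verification: Error, unable to get issuer certificate
postmap: dict_ldap_debug: TLS trace: SSL_connect:SSLv3/TLS read server certificate
postmap: dict_ldap_debug: TLS trace: SSL_connect:TLSv1.3 write client compressed certificate
postmap: dict_ldap_debug: TLS trace: SSL_connect:SSLv3/TLS write finished
postmap: dict_ldap_debug: TLS trace: SSL3 alert read:fatal:unknown CA
"""

# Postfix logs the subject on one line (ending in a comma) and the issuer on the next.
VERIFY_RE = re.compile(
    r"TLS certificate verification: depth: (?P<depth>\d+), err: (?P<err>\d+), "
    r"subject: (?P<subject>.*?),?\s*$"
)
ISSUER_RE = re.compile(r"dict_ldap_debug: issuer: (?P<issuer>.+?)\s*$")
ALERT_RE = re.compile(r"TLS trace: SSL3 alert (?P<direction>read|write):fatal:(?P<alert>.+?)\s*$")


def parse_trace(text):
    """Return per-certificate verification results and the fatal alert, if any."""
    results = []
    alert = None
    for line in text.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            err = int(m["err"])
            results.append({
                "depth": int(m["depth"]),
                "err": err,
                "reason": X509_VERIFY_ERRORS.get(err, "unrecognised verify error"),
                "subject": m["subject"],
                "issuer": None,
            })
            continue
        m = ISSUER_RE.search(line)
        if m and results and results[-1]["issuer"] is None:
            results[-1]["issuer"] = m["issuer"]  # attach to the preceding subject line
            continue
        m = ALERT_RE.search(line)
        if m:
            alert = {"direction": m["direction"], "description": m["alert"]}
    return {"verify": results, "alert": alert}


def diagnose(parsed):
    """Turn the parsed trace into a short, human-readable explanation."""
    parts = []
    failures = [r for r in parsed["verify"] if r["err"] != 0]
    if failures:
        # OpenSSL verifies from the deepest certificate towards the leaf, so the
        # highest failing depth is where the chain first broke.
        f = max(failures, key=lambda r: r["depth"])
        parts.append(
            f"client-side chain check failed at depth {f['depth']} ({f['reason']}): "
            f"{f['subject']} issued by {f['issuer']}"
        )
        if f["err"] in (2, 20):
            parts.append("that issuer is not in the trust store this client uses")
    alert = parsed["alert"]
    if alert:
        who = "received from the peer" if alert["direction"] == "read" else "sent by this side"
        parts.append(f"fatal TLS alert '{alert['description']}' {who}")
        if alert["direction"] == "read" and alert["description"] == "unknown CA":
            parts.append("the peer rejected the CA behind the certificate this client presented")
    return "; ".join(parts) if parts else "no verification errors or fatal alerts found in trace"


if __name__ == "__main__":
    print(diagnose(parse_trace(SAMPLE_TRACE)))
```

Feed it the full debuglevel output (e.g. `postmap -q ... ldap:/etc/postfix/table.cf 2>&1 | python3 this_script.py` after swapping SAMPLE_TRACE for sys.stdin.read()) and compare the depth and issuer it reports against the chain that `openssl s_client -showcerts` returns from the same host; the two clients succeeding with different results usually means they are reading different CA locations or presenting different client certificates.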
