On 2026-05-06 at 09:10:20 UTC-0400 (Wed, 6 May 2026 09:10:20 -0400)
Tom via Postfix-users <[email protected]>
is rumored to have said:
> [...]
> With "debuglevel = 1" in the config, I get this:
> ----------------------------------------------------------------------------
> postmap: dict_ldap_debug: TLS trace: SSL_connect:before SSL initialization
> postmap: dict_ldap_debug: TLS trace: SSL_connect:SSLv3/TLS write client hello
> postmap: dict_ldap_debug: TLS trace: SSL_connect:error in SSLv3/TLS write client hello
> postmap: dict_ldap_debug: TLS trace: SSL_connect:SSLv3/TLS write client hello
> postmap: dict_ldap_debug: TLS trace: SSL_connect:SSLv3/TLS read server hello
> postmap: dict_ldap_debug: TLS trace: SSL_connect:TLSv1.3 read encrypted extensions
> postmap: dict_ldap_debug: TLS trace: SSL_connect:SSLv3/TLS read server certificate request
> postmap: dict_ldap_debug: TLS certificate verification: depth: 1, err: 2, subject: /C=US/O=Let's Encrypt/CN=E7,
> postmap: dict_ldap_debug: issuer: /C=US/O=Internet Security Research Group/CN=ISRG Root X1
> postmap: dict_ldap_debug: TLS certificate verification: Error, unable to get issuer certificate
This means that either the LDAP server didn't send a needed intermediate
certificate OR postfix does not know where to find the trusted
certificate store. The fact that it works from the command line suggests
that an interactive session is either not verifying the cert or it knows
where to find trusted CAs.
The question I can't answer is which *_tls_CApath or *_tls_CAfile
parameter Postfix uses when doing LDAP. Or maybe you need
tls_append_default_CA set to "yes" so that whatever Postfix is using
gets augmented by whatever your ldapsearch is using as a trust anchor.
> postmap: dict_ldap_debug: TLS trace: SSL_connect:SSLv3/TLS read server certificate
> postmap: dict_ldap_debug: TLS trace: SSL_connect:TLSv1.3 read server certificate verify
> postmap: dict_ldap_debug: TLS trace: SSL_connect:SSLv3/TLS read finished
> postmap: dict_ldap_debug: TLS trace: SSL_connect:SSLv3/TLS write change cipher spec
> postmap: dict_ldap_debug: TLS trace: SSL_connect:TLSv1.3 write client compressed certificate
> postmap: dict_ldap_debug: TLS trace: SSL_connect:SSLv3/TLS write certificate verify
> postmap: dict_ldap_debug: TLS trace: SSL_connect:SSLv3/TLS write finished
> postmap: dict_ldap_debug: TLS trace: SSL3 alert read:fatal:unknown CA
> ----------------------------------------------------------------------------
> Still no problems running ldapsearch or openssl s_client from the
> postfix host - they work perfectly.
What certificates does s_client show as having been sent by the server?
--
Bill Cole
[email protected] or [email protected]
(AKA @[email protected] and many *@billmail.scconsult.com
addresses)
Please keep discussion mailing list replies *on-list*
Not Currently Available For Hire
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
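The two possibilities Bill names (server omits the intermediate, or Postfix is not looking at the trust store that holds the root) can be told apart from what `openssl s_client -showcerts` prints, which is what his closing question asks for. As an added example, not code from this thread or from the Postfix project, the Python below parses the `Certificate chain` section of s_client output, checks that each sent certificate's issuer is the subject of the next one, reports which trust anchor the client side must hold, and decodes the `depth`/`err` pair from a postmap debug line of the shape shown above. The s_client output and the hostname `ldap.example.test` are constructed samples; the error-code table lists OpenSSL `X509_V_ERR_*` values relevant to chain building.

```python
import re
import sys

# Constructed sample of `openssl s_client -showcerts` output (not taken from
# the thread); the hostname ldap.example.test is a placeholder.
SAMPLE_S_CLIENT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN=ldap.example.test
   i:C=US, O=Let's Encrypt, CN=E7
 1 s:C=US, O=Let's Encrypt, CN=E7
   i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
---
Server certificate
"""

# Constructed postmap debug lines in the shape the thread shows.
SAMPLE_POSTMAP = [
    "postmap: dict_ldap_debug: TLS certificate verification: depth: 1, err: 2, "
    "subject: /C=US/O=Let's Encrypt/CN=E7,",
    "postmap: dict_ldap_debug: issuer: /C=US/O=Internet Security Research Group/CN=ISRG Root X1",
]

# OpenSSL X509_V_ERR_* codes that describe chain-building failures.
X509_ERRORS = {
    2: "unable to get issuer certificate: the issuer was neither sent by the "
       "server nor found in the client's trust store",
    18: "self-signed leaf certificate",
    19: "self-signed certificate in chain: the root is not in the trust store",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}

CHAIN_ENTRY = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_ENTRY = re.compile(r"^\s*i:(.*)$")
VERIFY_LINE = re.compile(
    r"TLS certificate verification: depth: (\d+), err: (\d+), subject: (.*)$")


def parse_chain(s_client_output):
    """Return [(depth, subject, issuer), ...] from the 'Certificate chain' section."""
    chain, current, in_chain = [], None, False
    for line in s_client_output.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
            continue
        if not in_chain:
            continue
        if line.startswith("---"):  # the section ends at the next separator
            break
        m = CHAIN_ENTRY.match(line)
        if m:
            current = [int(m.group(1)), m.group(2).strip(), None]
            chain.append(current)
            continue
        m = ISSUER_ENTRY.match(line)
        if m and current is not None:
            current[2] = m.group(1).strip()
    return [tuple(c) for c in chain]


def diagnose_chain(chain):
    """Report broken links, a missing intermediate, and the trust anchor the client needs.

    Subject/issuer matching is textual (what s_client printed), not a signature check.
    """
    if not chain:
        return {"problems": ["no 'Certificate chain' section found"],
                "required_trust_anchor": None, "root_sent": False}
    problems = []
    for (depth, _subject, issuer), (_, next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            problems.append(f"depth {depth}: issuer '{issuer}' is not the subject of depth {depth + 1}")
    top_depth, top_subject, top_issuer = chain[-1]
    root_sent = top_subject == top_issuer
    if not root_sent and top_depth == 0:
        problems.append("only the leaf certificate was sent; the intermediate is missing from the server's chain")
    return {
        "problems": problems,
        # Whatever issued the last sent certificate must be in the client's CAfile/CApath.
        "required_trust_anchor": top_subject if root_sent else top_issuer,
        "root_sent": root_sent,
    }


def parse_verify_error(log_lines):
    """Decode the first 'TLS certificate verification: depth: N, err: M' line, or return None."""
    for line in log_lines:
        m = VERIFY_LINE.search(line)
        if m:
            depth, err = int(m.group(1)), int(m.group(2))
            return {"depth": depth, "err": err,
                    "subject": m.group(3).strip().rstrip(","),
                    "meaning": X509_ERRORS.get(err, f"X509_V_ERR code {err}")}
    return None


if __name__ == "__main__":
    # `python3 chaincheck.py -` reads real s_client output from stdin; otherwise the sample is used.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_S_CLIENT
    chain = parse_chain(text)
    for depth, subject, issuer in chain:
        print(f"depth {depth}: {subject}  <- issued by {issuer}")
    print(diagnose_chain(chain))
    print(parse_verify_error(SAMPLE_POSTMAP))
```

Read together, the two results separate the cases: if `required_trust_anchor` is a root that the server never sent (`root_sent` is False) and the postmap line reports `err: 2` at the depth of the last sent certificate, the chain arrived intact and the client simply has no copy of that root, so the question becomes which CAfile/CApath the LDAP client in Postfix is reading; if `problems` says only the leaf was sent, the server's chain is incomplete and no client-side trust setting will fix it.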