On Wed, Jan 06, 2010 at 10:00:37AM -0500, Dennis Putnam wrote:

> I am using CACert as my signing authority. I have included their root
> certificate in my main.cf:
>
> smtpd_tls_CAfile = /etc/postfix/ssl/root.crt

This is for verifying client certificates when clients connect to your
SMTP server.

> However, I get this error when it tries to set up a TLS connection:
>
> postfix/smtp[5298]: certificate verification failed for
> xserveoda.aimaudit.com[70.158.194.7]:25: untrusted issuer /O=Root
> CA/OU=http://www.cacert.org/CN=CA Cert Signing
> Authority/emailaddress=supp...@cacert.org

This is your SMTP client sending to remote servers. Consider adding this
certificate to:

    smtp_tls_CAfile = /some/file/with/all/trusted/ca/certs.pem

OR

    smtp_tls_CApath = /some/directory/with/all/trusted/ca/certs/

In the latter case, you need to run the "c_rehash" utility from OpenSSL
to re-index the directory when it is updated.

Note that c_rehash is not atomic, and may temporarily disrupt verification
while it is running, so if you use the "secure" or "verify" tls levels,
you want to stop your MTA before running c_rehash, or run c_rehash in a
new directory and atomically update a symlink to cut over to the new
certificate set.

I have as yet been too lazy to contribute a more robust c_rehash to the
OpenSSL project. Sorry about that... :-(

-- 
Viktor.
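
Added example, not part of the original message: one way to do the "new directory plus atomic symlink" cut-over described above. The function name, the `REHASH_CMD` variable and the directory layout (`smtp_tls_CApath` pointing at `BASE_DIR/current`) are assumptions made for illustration, and `mv -T` assumes GNU coreutils.

```shell
#!/bin/sh
# publish_capath SRC_DIR BASE_DIR   (hypothetical helper, not from the post)
#   SRC_DIR : directory holding the trusted CA certificates as *.pem files
#   BASE_DIR: parent directory; main.cf is assumed to contain
#             smtp_tls_CApath = BASE_DIR/current   (a symlink)
# Prints the path of the newly published certificate directory.
publish_capath() {
    src=$1
    base=$2
    rehash=${REHASH_CMD:-c_rehash}   # indexer to run; c_rehash by default

    # Stage the new set in a fresh directory next to the live one, so the
    # directory the MTA is reading is never modified in place.
    new=$(mktemp -d "$base/certs.XXXXXX") || return 1
    # mktemp creates the directory 0700; the unprivileged Postfix
    # processes must be able to read it.
    chmod 755 "$new" || return 1
    cp "$src"/*.pem "$new"/ || return 1

    # Build the hash links in the staging copy only. A failure here leaves
    # the live symlink pointing at the old, complete set.
    $rehash "$new" >/dev/null || return 1

    # Create the symlink under a temporary name, then rename it over the
    # live name. rename(2) is atomic: a lookup through "current" sees
    # either the old directory or the new one, never a half-indexed one.
    tmp="$base/current.tmp.$$"
    ln -s "$(basename "$new")" "$tmp" || return 1
    mv -T "$tmp" "$base/current" || { rm -f "$tmp"; return 1; }

    printf '%s\n' "$new"
}

# Usage (paths are placeholders):
#   publish_capath /etc/postfix/ssl/ca-src /etc/postfix/ssl/capath
```

The previous `certs.*` directory is left in place, so pointing `current` back at it is a rollback; remove old sets once no running process can still be using them.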