Actually, if I type

openssl s_client -CApath BKQSDQSD -connect 127.0.0.1:465

(i.e. whatever in the CApath field), the connection works fine

but if not, I get an error.

Putting "log level" at 3 in postfix, I get:

2013-04-12T21:49:03.000025+02:00 server postfix/smtpd[12238]: initializing the server-side TLS engine
2013-04-12T21:49:03.068492+02:00 server postfix/smtpd[12238]: connect from unknown[41.137.65.121]
2013-04-12T21:49:03.068514+02:00 server postfix/smtpd[12238]: setting up TLS connection from unknown[41.137.65.121]
2013-04-12T21:49:03.068639+02:00 server postfix/smtpd[12238]: unknown[41.137.65.121]: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
2013-04-12T21:49:03.068872+02:00 server postfix/smtpd[12238]: SSL_accept:before/accept initialization
2013-04-12T21:49:03.068964+02:00 server postfix/smtpd[12238]: SSL_accept:SSLv3 read client hello A
2013-04-12T21:49:03.068973+02:00 server postfix/smtpd[12238]: SSL_accept:SSLv3 write server hello A
2013-04-12T21:49:03.069102+02:00 server postfix/smtpd[12238]: SSL_accept:SSLv3 write certificate A
2013-04-12T21:49:03.071683+02:00 server postfix/smtpd[12238]: SSL_accept:SSLv3 write key exchange A
2013-04-12T21:49:03.071693+02:00 server postfix/smtpd[12238]: SSL_accept:SSLv3 write server done A
2013-04-12T21:49:03.071697+02:00 server postfix/smtpd[12238]: SSL_accept:SSLv3 flush data
2013-04-12T21:49:03.160413+02:00 server postfix/smtpd[12238]: SSL_accept:SSLv3 read client key exchange A
2013-04-12T21:49:03.160429+02:00 server postfix/smtpd[12238]: SSL_accept:error in SSLv3 read certificate verify A
2013-04-12T21:49:03.160431+02:00 server postfix/smtpd[12238]: SSL_accept error from unknown[41.137.65.121]: -1
2013-04-12T21:49:03.160443+02:00 server postfix/smtpd[12238]: warning: TLS library problem: 12238:error:1409D08A:SSL routines:ssl3_setup_key_block:cipher or hash unavailable:s3_enc.c:423:
2013-04-12T21:49:03.165268+02:00 server postfix/smtpd[12238]: lost connection after CONNECT from unknown[41.137.65.121]
2013-04-12T21:49:03.165281+02:00 server postfix/smtpd[12238]: disconnect from unknown[41.137.65.121]

On 12/04/2013 19:41, Joan Moreau wrote:

> Hi, 
> 
> I need to type 
> 
> server:~ # openssl s_client -CApath /etc/ssl -connect 127.0.0.1:465
>
> to get an "OK" at the end.
>
> Is this the cause of the problem? If yes, how to fix it in 'main.cf'?
> 
> CONNECTED(00000003)
> depth=1 C = FR, O = GANDI SAS, CN = Gandi Standard SSL CA
> verify return:1
> depth=0 OU = Domain Control Validated, OU = Gandi Standard SSL, CN = grosjo.net
> verify return:1
> write:errno=104
> ---
> Certificate chain
> 0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=grosjo.net
> i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
> 1 s:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
> i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
> 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
> i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIE1zCCA7+gAwIBAgIRAKEFB6KnYccTgVUT3bw3RGYwDQYJKoZIhvcNAQEFBQAw
> ...
> aNrCILvl6KKvIe04MKimkkB9HwN4hY9vb4hGYX2qqn5ihFgZEg6gyc3rzA==
> -----END CERTIFICATE-----
> subject=/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=grosjo.net
> issuer=/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
> ---
> No client certificate CA names sent
> Peer signing digest: SHA512
> Server Temp Key: ECDH, P-256, 256 bits
> ---
> SSL handshake has read 4017 bytes and written 135 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : ECDHE-RSA-AES256-GCM-SHA384
> Session-ID: 
> Session-ID-ctx: 
> Master-Key: 
> CE923A87CC6CC9B18C1B9C8F8B0A0BA05A96194501CC54EDD95A29F61D1C82D85E253F756E9D1568CF850C02D5DDBF9C
> Key-Arg : None
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> Compression: 1 (zlib compression)
> Start Time: 1365795552
> Timeout : 300 (sec)
>   VERIFY RETURN CODE: 0 (OK)
> ---
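
Added example, not part of the original message: a small Python triage script for smtpd TLS debug logs like the one above. It lists the handshake states that completed, the state that failed, and the fields of the OpenSSL error line. The function and variable names are hypothetical; the sample lines are copied from the log above, and grouping by smtpd PID is a simplifying assumption.

```python
import re
from collections import defaultdict

# Sample input: entries copied from the log in the message above.
SAMPLE_LOG = """\
2013-04-12T21:49:03.068964+02:00 server postfix/smtpd[12238]: SSL_accept:SSLv3 read client hello A
2013-04-12T21:49:03.068973+02:00 server postfix/smtpd[12238]: SSL_accept:SSLv3 write server hello A
2013-04-12T21:49:03.160413+02:00 server postfix/smtpd[12238]: SSL_accept:SSLv3 read client key exchange A
2013-04-12T21:49:03.160429+02:00 server postfix/smtpd[12238]: SSL_accept:error in SSLv3 read certificate verify A
2013-04-12T21:49:03.160431+02:00 server postfix/smtpd[12238]: SSL_accept error from unknown[41.137.65.121]: -1
2013-04-12T21:49:03.160443+02:00 server postfix/smtpd[12238]: warning: TLS library problem: 12238:error:1409D08A:SSL routines:ssl3_setup_key_block:cipher or hash unavailable:s3_enc.c:423:
"""

# timestamp, host, smtpd PID, then the message text
ENTRY = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Handshake state trace; an "error in " prefix marks the state that failed
STATE = re.compile(r"^SSL_accept:(?P<err>error in )?(?P<state>.+)$")
# OpenSSL error queue entry: pid:error:code:library:function:reason:file:line:
TLS_ERR = re.compile(
    r"TLS library problem: (?:\d+:)?error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):"
)

def summarize(log_text):
    """Group smtpd TLS debug entries by PID (assumes one connection per PID in the input)."""
    sessions = defaultdict(lambda: {"states": [], "failed_state": None, "error": None})
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if not entry:
            continue  # not an smtpd entry, or a wrapped continuation line
        session = sessions[entry["pid"]]
        state = STATE.match(entry["msg"])
        if state and state["err"]:
            session["failed_state"] = state["state"]
        elif state:
            session["states"].append(state["state"])
        else:
            error = TLS_ERR.search(entry["msg"])
            if error:
                session["error"] = error.groupdict()
    return dict(sessions)

if __name__ == "__main__":
    for pid, s in summarize(SAMPLE_LOG).items():
        print(pid, "last good state:", s["states"][-1] if s["states"] else None)
        print(pid, "failed in:", s["failed_state"])
        print(pid, "OpenSSL error:", s["error"])
```

Entries wrapped across several lines by a mail client have to be rejoined first, since each entry is matched as a single line.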
