On Sat, Dec 28, 2013 at 11:57:23AM -0500, Charles Marcus wrote:

> I use PostfixAdmin, and its vacation.pl script for managing vacation
> messages, and it is the sending of the vacation message that fails
> with the subject error: error:14094418:SSL
> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

The Postfix SMTP server received a fatal "unknown CA" alert from the
SMTP client. Therefore, if your server's certificate chain is correctly
configured, the problem is with the SMTP client.

> I basically copied everything over from the old/working server,
> tweaking only for the new hostname, and I've triple checked that the
> /etc/ssl CA dir and certs dirs are there with correct perms, etc.

If your old Postfix version was sufficiently ancient, the completeness
of the server's certificate chain might have relied on:

    http://www.postfix.org/postconf.5.html#tls_append_default_CA

You should not set this to "yes" long-term. Rather, test whether this
makes a difference. If it does, add any missing CA certificates to
smtpd_tls_cert_file. See "Creating the server certificate file" under:

    http://www.postfix.org/TLS_README.html#server_cert_key

> I also did try temporarily changing the localhost alias and
> $myhostname to the same as the old server, with the same
> result/error.

The problem is with the trust chain, not peername verification;
re-arranging the deck chairs on the Titanic does not fix the hull design.

> > 2013-12-28T11:04:58-05:00 newhost postfix-25/smtpd[10620]: connect
> > from newhost.example.com[127.0.0.1]
> > 2013-12-28T11:04:58-05:00 newhost postfix-25/smtpd[10620]:
> > SSL_accept error from newhost.example.com[127.0.0.1]: 0
> > 2013-12-28T11:04:58-05:00 newhost postfix-25/smtpd[10620]:
> > warning: TLS library problem: 10620:error:14094418:SSL
> > routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1256:SSL
> > alert number 48:
> > 2013-12-28T11:04:58-05:00 newhost postfix-25/smtpd[10620]: lost
> > connection after STARTTLS from newhost.example.com[127.0.0.1]
> > 2013-12-28T11:04:58-05:00 newhost postfix-25/smtpd[10620]:
> > disconnect from newhost.example.com[127.0.0.1]

What is the client program that connects to the SMTP server? Postfix
configuration is largely irrelevant; you have a problem with the SMTP
*client*, which is not Postfix.

The *client* does not trust the server's CA and sends a fatal SSL
"alert" message.

-- 
	Viktor.
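The diagnosis above rests on reading the OpenSSL error code and the alert number in the Postfix log: "SSL3_READ_BYTES ... alert number 48" means the alert was *received* from the peer, so the peer (here the SMTP client) rejected the server's chain. The following is an added example, not part of Viktor's reply or of Postfix itself: a small Python parser for Postfix "TLS library problem" lines that decodes the packed OpenSSL code (library, function, reason), maps a received alert to its RFC 5246 name, and states which side rejected which. The first log line is the one quoted in the thread; the second is a constructed contrast case in which a Postfix SMTP *client* fails to verify a server. The function names (`parse_tls_problem`, `diagnose`) and the verdict wording are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# TLS AlertDescription values (RFC 5246 section 7.2, subset).
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    51: "decrypt_error", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 112: "unrecognized_name",
}

ERR_LIB_SSL = 20                       # OpenSSL ERR_LIB_SSL (0x14)
SSL_R_CERTIFICATE_VERIFY_FAILED = 134  # our own verification of the peer's chain failed
ALERT_REASON_BASE = 1000               # SSL_R_TLSV1_ALERT_<x> == 1000 + alert number

# Shape of a Postfix "TLS library problem" line:
#   <daemon>[pid]: warning: TLS library problem: <pid>:error:<8 hex>:<lib>:<func>:<reason>:<file>:<line>:<extra>
TLS_LINE = re.compile(
    r"postfix\S*/(?P<daemon>smtpd?)\[\d+\]: warning: TLS library problem: "
    r"\d+:error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*):"
    r"[^:]*:\d+:(?P<extra>.*)$"
)


@dataclass
class TlsProblem:
    daemon: str                 # smtpd: we are the TLS server; smtp: we are the client
    role: str
    peer: str
    lib: int
    func: int
    reason: int
    reason_text: str
    alert: Optional[int]        # set only when the reason is an alert the peer sent us
    alert_name: Optional[str]
    verdict: str


def parse_tls_problem(line: str) -> Optional[TlsProblem]:
    """Decode one Postfix 'TLS library problem' log line; None if the line is not one."""
    m = TLS_LINE.search(line)
    if not m:
        return None
    code = int(m.group("code"), 16)
    # OpenSSL 1.x packs the code as 8-bit library, 12-bit function, 12-bit reason.
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    role = "server" if m.group("daemon") == "smtpd" else "client"
    peer = "client" if role == "server" else "server"
    alert = alert_name = None
    if lib == ERR_LIB_SSL and ALERT_REASON_BASE <= reason < ALERT_REASON_BASE + 256:
        # Reasons 1000..1255 are "tlsv1 alert <x>": the peer sent us alert (reason - 1000).
        alert = reason - ALERT_REASON_BASE
        alert_name = TLS_ALERTS.get(alert, "alert_%d" % alert)
        # Postfix/OpenSSL also spell the number out; cross-check it when present.
        n = re.search(r"SSL alert number (\d+)", m.group("extra"))
        if n and int(n.group(1)) != alert:
            alert_name += " (mismatch with logged alert number)"
        verdict = "the %s sent fatal alert %s: it rejected our side of the handshake" % (peer, alert_name)
        if alert == 48:
            verdict += "; the %s does not trust our certificate chain" % peer
    elif lib == ERR_LIB_SSL and reason == SSL_R_CERTIFICATE_VERIFY_FAILED:
        verdict = "we rejected the %s's certificate chain (local verification failed)" % peer
    else:
        verdict = "OpenSSL reason %d (%s); not an alert from the peer" % (reason, m.group("reason"))
    return TlsProblem(m.group("daemon"), role, peer, lib, func, reason,
                      m.group("reason"), alert, alert_name, verdict)


def diagnose(lines: List[str]) -> List[TlsProblem]:
    """Return a decoded record for every 'TLS library problem' line, skipping the rest."""
    return [p for p in (parse_tls_problem(l) for l in lines) if p is not None]


# Lines 1-2 are from the thread above; line 3 is a constructed contrast case
# (file name and line number in it are made up) where the Postfix SMTP client
# itself fails to verify the server it connected to.
SAMPLE_LOG = [
    "2013-12-28T11:04:58-05:00 newhost postfix-25/smtpd[10620]: connect from newhost.example.com[127.0.0.1]",
    "2013-12-28T11:04:58-05:00 newhost postfix-25/smtpd[10620]: warning: TLS library problem: "
    "10620:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1256:SSL alert number 48:",
    "2013-12-28T11:05:10-05:00 newhost postfix/smtp[10700]: warning: TLS library problem: "
    "10700:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1180:",
]

if __name__ == "__main__":
    for p in diagnose(SAMPLE_LOG):
        print("%s (%s): %s -> %s" % (p.daemon, p.role, p.reason_text, p.verdict))
```

For the line from the thread this yields library 20 (SSL), function 148 (SSL3_READ_BYTES), reason 1048, i.e. received alert 48 (unknown_ca) while acting as the server, which is exactly why the fix is the server's chain in smtpd_tls_cert_file or the client's trust store, not $myhostname. The constructed smtp line decodes to reason 134 (certificate verify failed) with no alert, the opposite situation, where the local side is the one that distrusts the peer.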