On Sat, Dec 28, 2013 at 11:57:23AM -0500, Charles Marcus wrote:

> I use PostfixAdmin, and its vacation.pl script for managing vacation
> messages, and it is the sending of the vacation message that fails
> with the subject error: error:14094418:SSL
> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

The Postfix SMTP server received a fatal "unknown CA" alert
from the SMTP client.  Therefore, if your server's certificate
chain is correctly configured, the problem is with the SMTP client.

> I basically copied everything over from the old/working server,
> tweaking only for the new hostname, and I've triple checked that the
> /etc/ssl CA dir and certs dirs are there with correct perms, etc.

If your old Postfix version was sufficiently ancient, the completeness
of the server's certificate chain might have relied on:

    http://www.postfix.org/postconf.5.html#tls_append_default_CA

You should not set this to "yes" long-term.  Rather, test whether
this makes a difference.  If it does, add any missing CA certificates
to smtpd_tls_cert_file.  See "Creating the server certificate
file" under:

    http://www.postfix.org/TLS_README.html#server_cert_key

> I also did try temporarily changing the localhost alias and
> $myhostname to the same as the old server, with the same
> result/error.

The problem is with the trust chain, not peername verification;
re-arranging the deck chairs on the Titanic does not fix the hull
design.

> >2013-12-28T11:04:58-05:00 newhost postfix-25/smtpd[10620]: connect
> >     from newhost.example.com[127.0.0.1]
> >2013-12-28T11:04:58-05:00 newhost postfix-25/smtpd[10620]:
> >     SSL_accept error from newhost.example.com[127.0.0.1]: 0
> >2013-12-28T11:04:58-05:00 newhost postfix-25/smtpd[10620]:
> >     warning: TLS library problem: 10620:error:14094418:SSL
> >     routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1256:SSL
> >     alert number 48:
> >2013-12-28T11:04:58-05:00 newhost postfix-25/smtpd[10620]: lost
> >     connection after STARTTLS from newhost.example.com[127.0.0.1]
> >2013-12-28T11:04:58-05:00 newhost postfix-25/smtpd[10620]:
> >     disconnect from newhost.example.com[127.0.0.1]

What is the client program that connects to the SMTP server?

Postfix configuration is largely irrelevant, you have a problem
with the SMTP *client*, which is not Postfix.  The *client* does
not trust the server's CA and sends a fatal SSL "alert" message.

-- 
        Viktor.
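An added example, not code from the thread or from Postfix: a small Python script that reads the smtpd log lines quoted above (re-joined onto single lines, since the mail quoting wrapped them) and decides from the OpenSSL error text which side of the handshake sent the fatal alert. OpenSSL logs "SSL3_READ_BYTES: ... alert" only for an alert it received, so "unknown ca" (alert 48) under an SSL_accept error means the connecting client rejected the server's chain, which is the point made above. The script also covers the opposite direction, a Postfix smtp client that fails local verification of a remote server's certificate; those two smtp lines, the host mx.example.net and its address are constructed for the example. The parameter names in the verdicts (smtpd_tls_cert_file, smtp_tls_cert_file, smtpd_tls_CAfile/CApath, smtp_tls_CAfile/CApath) are real Postfix settings.

```python
"""Classify Postfix TLS handshake failures from smtpd/smtp log lines.

Added example for this thread, not Postfix's own code.  The smtpd lines are the
ones quoted in the thread (re-joined onto single lines); the smtp client lines
are constructed to show the same kind of fault seen from the other side.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Certificate-related TLS alert descriptions, RFC 5246 section 7.2.2.
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    112: "unrecognized_name",
}

SAMPLE_LOG = "\n".join([
    # From the thread: Postfix smtpd is the TLS server, the peer is a local client.
    "2013-12-28T11:04:58-05:00 newhost postfix-25/smtpd[10620]: connect from newhost.example.com[127.0.0.1]",
    "2013-12-28T11:04:58-05:00 newhost postfix-25/smtpd[10620]: SSL_accept error from newhost.example.com[127.0.0.1]: 0",
    "2013-12-28T11:04:58-05:00 newhost postfix-25/smtpd[10620]: warning: TLS library problem: 10620:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1256:SSL alert number 48:",
    "2013-12-28T11:04:58-05:00 newhost postfix-25/smtpd[10620]: lost connection after STARTTLS from newhost.example.com[127.0.0.1]",
    "2013-12-28T11:04:58-05:00 newhost postfix-25/smtpd[10620]: disconnect from newhost.example.com[127.0.0.1]",
    # Constructed (hypothetical host and address): Postfix smtp is the TLS client and
    # rejects the remote server's chain itself, so no received alert number appears.
    "2013-12-28T11:05:30-05:00 newhost postfix/smtp[10702]: SSL_connect error to mx.example.net[192.0.2.25]:25: -1",
    "2013-12-28T11:05:30-05:00 newhost postfix/smtp[10702]: warning: TLS library problem: 10702:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1168:",
])

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+[\w.-]+/(?P<daemon>smtpd|smtp)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
# Peer is everything up to the first ": " (smtpd logs "host[addr]: 0", smtp "host[addr]:port: -1").
HANDSHAKE_RE = re.compile(r"SSL_(?:accept|connect) error (?:from|to) (?P<peer>\S+?):\s")
# OpenSSL reports "SSL3_READ_BYTES:<proto> alert <name>" only for an alert it RECEIVED.
RECV_ALERT_RE = re.compile(r"SSL3_READ_BYTES:\w+ alert (?P<name>[a-z ]+):.*?SSL alert number (?P<num>\d+)")
# Local verification failure: the local side sends the alert to the peer instead.
LOCAL_VERIFY_RE = re.compile(r"certificate verify failed")


@dataclass
class Finding:
    daemon: str            # "smtpd": Postfix is the TLS server; "smtp": Postfix is the TLS client
    peer: str
    alert: Optional[int]   # alert number received from the peer, if any
    sent_by: str           # "peer", "local" or "unknown"
    verdict: str


def classify(daemon, info):
    peer = info["peer"]
    alert = info.get("alert")
    if alert is not None:
        name = TLS_ALERTS.get(alert, info["alert_name"].replace(" ", "_"))
        if daemon == "smtpd":
            verdict = (f"client {peer} sent {name} ({alert}): it does not trust the chain in "
                       "smtpd_tls_cert_file; complete the chain or fix the client's trust store")
        else:
            verdict = (f"server {peer} sent {name} ({alert}): it rejected our client "
                       "certificate or chain in smtp_tls_cert_file")
        return Finding(daemon, peer, alert, "peer", verdict)
    if info.get("local_verify_failed"):
        ca_param = "smtpd_tls_CAfile/smtpd_tls_CApath" if daemon == "smtpd" else "smtp_tls_CAfile/smtp_tls_CApath"
        verdict = (f"local verification of {peer}'s certificate failed; the alert went to the peer, "
                   f"check {ca_param} and the peer's chain")
        return Finding(daemon, peer, None, "local", verdict)
    return Finding(daemon, peer, None, "unknown", f"handshake with {peer} failed for another reason")


def analyze(log_text):
    """Correlate each SSL_accept/SSL_connect error with the 'TLS library problem'
    line logged by the same daemon process, then classify it."""
    by_proc = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key = (m["host"], m["daemon"], m["pid"])
        msg = m["msg"]
        h = HANDSHAKE_RE.search(msg)
        if h:
            by_proc[key]["peer"] = h["peer"]
            continue
        a = RECV_ALERT_RE.search(msg)
        if a:
            by_proc[key]["alert"] = int(a["num"])
            by_proc[key]["alert_name"] = a["name"]
        elif LOCAL_VERIFY_RE.search(msg):
            by_proc[key]["local_verify_failed"] = True
    return [classify(daemon, info) for (_, daemon, _), info in by_proc.items() if "peer" in info]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.daemon}: {f.verdict}")
```

Run against the thread's lines, the first finding reports the alert as sent by the peer with the fix pointed at smtpd_tls_cert_file, which is why changing $myhostname or the localhost alias cannot help: the client never gets as far as checking the name.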