On Mon, Feb 10, 2014 at 11:05:50AM -0500, Norton Allen wrote:

> I've noticed the following in my logs:
> 
>    Feb  9 04:10:01 endymion postfix/smtp[21298]: certificate
>    verification failed for gmail-smtp-in.l.google.com: num=20:unable to
>    get local issuer certificate
>    Feb  9 04:10:01 endymion postfix/smtp[21298]: certificate
>    verification failed for gmail-smtp-in.l.google.com:
>    num=27:certificate not trusted

Harmless; newer versions of Postfix don't log these warnings when
TLS is opportunistic.  You can upgrade if you find these warnings
disquieting.

> 1) Is this a misconfiguration on gmail's part? Should they be
> including the intermediate cert along with the host cert during SSL
> negotiation? (just to help me understand my own configuration)

Postfix ignores the system certificate bundle by default.  Only
certificates listed in "smtp_tls_CAfile" or (if c_rehash is run
with the directory as argument) "smtp_tls_CApath" are trusted.

> 2) Is my best option to include the intermediate cert in my
> ca-bundle.crt? And/or can I list more than one bundle so I don't
> have to hack the bundle that yum is maintaining?

No.

> 3) Or should I just disable TLS for SMTP?

You should just ignore these warnings.  With 

        smtp_tls_security_level = may

unauthenticated connections are just as good as authenticated
connections, and authentication warnings are a distraction.

-- 
        Viktor.
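An added example, not part of the thread above: a small POSIX shell triage for the "certificate verification failed" lines, for an operator who wants to decide mechanically whether such warnings are noise. It extracts the destination host and OpenSSL verify code from log lines in the format Norton quoted (the sample lines below are constructed from that format), and classifies them against the configured smtp_tls_security_level: under "may" or "encrypt" the mail still goes out over unauthenticated TLS, so the warning is informational; under "verify" or "secure" delivery is deferred, so it is actionable. The function names and the sample log are assumptions of this example; the only real external command referenced is "postconf -h", which prints a parameter's value.

```shell
#!/bin/sh
# Added example (not from the original thread): triage Postfix smtp client
# TLS verification warnings against the configured security level.

# Constructed sample log excerpt, following the format quoted in the thread.
SAMPLE_LOG='Feb  9 04:10:01 endymion postfix/smtp[21298]: certificate verification failed for gmail-smtp-in.l.google.com: num=20:unable to get local issuer certificate
Feb  9 04:10:01 endymion postfix/smtp[21298]: certificate verification failed for gmail-smtp-in.l.google.com: num=27:certificate not trusted
Feb  9 04:12:30 endymion postfix/smtp[21310]: Untrusted TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1.2 with cipher AES128-SHA (128/128 bits)'

# Read log lines on stdin; print "host verifycode" for each verification failure.
tls_verify_failures() {
    sed -n 's/.*certificate verification failed for \([^:]*\): num=\([0-9]*\):.*/\1 \2/p'
}

# Map the smtp client security level to the operational meaning of a
# verification failure.  With opportunistic levels ("may", "encrypt") the
# message is delivered anyway, so the warning is only informational; with
# "verify" or "secure" Postfix defers the mail, so the warning needs action
# (for example, adding the missing issuer to smtp_tls_CAfile/smtp_tls_CApath).
classify_failure() {
    case "$1" in
        may|encrypt)   echo informational ;;
        verify|secure) echo actionable ;;
        *)             echo unknown ;;
    esac
}

# Report one line per distinct (host, verify code) pair in the given log text,
# labelled according to the security level passed as the second argument.
triage_log() {
    log="$1"
    level="$2"
    printf '%s\n' "$log" | tls_verify_failures | sort -u | while read -r host num; do
        printf '%s num=%s %s\n' "$host" "$num" "$(classify_failure "$level")"
    done
}

# Stand-alone usage: classify the sample against the level actually configured
# (falls back to "may", the setting discussed in the thread, if postconf is absent).
if [ "${1:-}" = "run" ]; then
    level=$(postconf -h smtp_tls_security_level 2>/dev/null || echo may)
    triage_log "$SAMPLE_LOG" "$level"
fi
```

Run it as `sh triage.sh run` on a Postfix host, or pipe a real log through `tls_verify_failures` to list the destinations whose issuer is missing from the configured CA file or hashed CA directory. Only the failure lines are matched; established-connection lines, trusted or untrusted, are left alone.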
