> On Tue, Jun 9, 2015, at 05:08 PM, Viktor Dukhovni wrote:
Zeroing in on
> This means that the server's certificate is not issued by a CA trusted by the
> client
In configs
CLIENT/master.cf
...
relay-remote unix - - n - - smtp
...
-o smtp_tls_cert_file=/etc/ssl/mail/relay-remote.crt
-o smtp_tls_key_file=/etc/ssl/mail/relay-remote.key
...
...
SERVER/master.cf
...
11587 inet n - n - - smtpd
...
-o smtpd_tls_cert_file=/etc/ssl/mail/relay-local.crt
-o smtpd_tls_key_file=/etc/ssl/mail/relay-local.key
...
...
'relay-remote.crt' and 'relay-local.crt' are both CHAINED crts that include the
issuing CA crt, which is the same for both. I thought that's sufficient.
Forcing the CA crt identity
CLIENT/master.cf
...
relay-remote unix - - n - - smtp
...
+ -o smtp_tls_CAfile=/etc/ssl/mail/DDDD_CA.crt
-o smtp_tls_cert_file=/etc/ssl/mail/relay-remote.crt
-o smtp_tls_key_file=/etc/ssl/mail/relay-remote.key
+ -o tls_append_default_CA=no
...
...
does it. Now on send, at remote log
Jun 9 17:37:19 remote016 postfix/relay-remote/smtp[23270]: Trusted TLS
connection established to internal.local010.DDDD.com[10.128.1.10]:11587:
TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
the Trust @ client of the server is established.
Either my chained certs are not correctly constructed, or my client-side
Postfix isn't correctly configured to find / use the chain path.
I now have a solution that works above.
I'd like to understand how to check / verify the structure and use of the cert
CHAINing by Postfix.
Can you provide an instructional example?
