On Tue, Jun 9, 2015, at 05:08 PM, Viktor Dukhovni wrote:

Zeroing in on

> This means that the server's certificate is not issued by a CA trusted by the
> client

In configs

CLIENT/master.cf

    ...
    relay-remote unix - - n - - smtp
        ...
        -o smtp_tls_cert_file=/etc/ssl/mail/relay-remote.crt
        -o smtp_tls_key_file=/etc/ssl/mail/relay-remote.key
        ...
    ...

SERVER/master.cf

    ...
    11587 inet n - n - - smtpd
        ...
        -o smtpd_tls_cert_file=/etc/ssl/mail/relay-local.crt
        -o smtpd_tls_key_file=/etc/ssl/mail/relay-local.key
        ...
    ...

'relay-remote.crt' and 'relay-local.crt' are both CHAINED crts that include the issuing CA crt, which is the same for both. I thought that's sufficient.

Forcing the CA crt identity

CLIENT/master.cf

    ...
    relay-remote unix - - n - - smtp
        ...
    +   -o smtp_tls_CAfile=/etc/ssl/mail/DDDD_CA.crt
        -o smtp_tls_cert_file=/etc/ssl/mail/relay-remote.crt
        -o smtp_tls_key_file=/etc/ssl/mail/relay-remote.key
    +   -o tls_append_default_CA=no
        ...
    ...

does it. Now on send, at remote log

    Jun 9 17:37:19 remote016 postfix/relay-remote/smtp[23270]: Trusted TLS connection established to internal.local010.DDDD.com[10.128.1.10]:11587: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

the trust at the client of the server is established.

Either my chained certs are not correctly constructed, or my client-side Postfix isn't correctly configured to find / use the chain path. I now have a solution that works, above.

I'd like to understand how to check / verify the structure and use of the cert CHAINing by Postfix. Can you provide an instructional example?
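One way to check the two things this message asks about, offered here as an added example that is not from the thread or from Postfix itself: it assumes `openssl` is installed and uses the file names from the configuration above (`relay-local.crt`, `relay-remote.crt`, `DDDD_CA.crt`) only in the usage comment.

```shell
#!/bin/sh
# Added example (not from the thread or from Postfix): check that a chained
# certificate file is ordered as Postfix expects it (leaf first, then its
# issuer(s)) and that the leaf verifies against a CA file. Requires openssl.

# Split a PEM bundle ($1) into one file per certificate in directory $2;
# prints the number of certificates found.
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { close(out); inside = 0 }
        END { print n + 0 }
    ' "$1"
}

# Print subject/issuer of every certificate in the bundle and check the order:
# each certificate's issuer must be the subject of the one that follows it.
# Returns 0 when the chain is in order, 1 when it is broken or empty.
check_chain_order() {
    dir=$(mktemp -d)
    count=$(split_pem "$1" "$dir")
    if [ "$count" -lt 1 ]; then
        echo "no certificates found in $1" >&2
        rm -rf "$dir"
        return 1
    fi
    status=0
    prev_issuer=""
    for f in "$dir"/cert*.pem; do
        subject=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject=//')
        issuer=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer=//')
        echo "$(basename "$f"): subject=$subject issuer=$issuer"
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
            echo "chain break: expected a certificate with subject '$prev_issuer'" >&2
            status=1
        fi
        prev_issuer=$issuer
    done
    rm -rf "$dir"
    return $status
}

# Verify the first (leaf) certificate of bundle $1 against CA file $2, using the
# rest of the bundle as untrusted intermediates. Run on the server's chain file,
# this mirrors what the smtp client does with smtp_tls_CAfile when
# tls_append_default_CA=no (no default CAs are consulted).
verify_leaf_against_ca() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# Usage (paths from the thread):
#   check_chain_order /etc/ssl/mail/relay-local.crt
#   verify_leaf_against_ca /etc/ssl/mail/relay-local.crt /etc/ssl/mail/DDDD_CA.crt
```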