On 8/2/2017 2:19 AM, Viktor Dukhovni wrote:
> On Wed, Aug 02, 2017 at 12:10:31PM +0530, hyndavirap...@bel.co.in wrote:
>
>> " Aug 2 11:21:34 AHQ postfix/smtp[6372]: BEC5D67928BD:
>> to=<cdr.1cor...@1corphq.tcs.mil.in>, orig_to=<cdr.1cor...@tcs.mil.in>,
>> relay=201.123.1.4[201.123.1.4]:25, delay=0.06, delays=0.04/0.01/0.01/0,
>> dsn=4.7.5, status=deferred (Server certificate not verified) "
>
> That's nice, but where's the SMTP client's TLS logging?
>
>> queue_run_delay = 30s
>
> Unrelated, but surely too short.
>
>> smtp_enforce_tls = yes
>
> Obsolete, instead set "smtp_tls_security_level = encrypt".
>
>> smtp_tls_CAfile = /etc/new_pki/tls/certs/ca-bundle.crt
>
> This has to be sufficient to verify the remote server's certificate.
>
>> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
>> smtpd_tls_loglevel = 2
>
> Change that to 1, and also set:
>
> smtp_tls_security_level = 1

Oops, that should be smtp_tls_loglevel = 1

>> tls_policy file is as follows
>>
>> [201.123.1.4]:25 secure match=1CorpHQ
>>
>> "1CorpHQ" is exactly the same as the CN field of the certificate
>
> Are there any DNS subject alternative names in the certificate?
> Is it issued by a trusted CA? ...
>
>> How to solve the above error... I'm stuck at this point for a long time...
>> Any help will be appreciated greatly...
>
> Post TLS logging, after setting the loglevel = 1.
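The two questions Viktor asks (does the certificate carry DNS subjectAltNames, and is it issued by a CA in smtp_tls_CAfile) are exactly what decides the outcome of a "secure" policy entry. The script below is an added example, not code from this thread or from Postfix itself: it parses the deferred-delivery log line and the tls_policy entry quoted above, and then applies a simplified model of the documented "secure" level name check (DNS subjectAltNames are matched against the match= patterns; the CN is consulted only when the certificate has no DNS SANs; a pattern with a leading dot is treated here as a plain case-insensitive suffix match, which is a simplification of Postfix's sub-domain handling). The three ServerCert values are constructed to show the CN-only case the poster describes, the case where a DNS SAN makes match=1CorpHQ fail, and an untrusted issuer.

```python
"""Model of what the Postfix SMTP client checks at the "secure" TLS level.

Added example, not code from the thread or from Postfix. It implements the
documented name-matching rule (DNS subjectAltNames are matched; the CN is
consulted only when the certificate has no DNS SANs) as a simplified model,
and parses the postfix/smtp log line and tls_policy entry from the thread.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# The deferred-delivery line quoted in the thread, verbatim.
SMTP_LOG_LINE = (
    "Aug 2 11:21:34 AHQ postfix/smtp[6372]: BEC5D67928BD: "
    "to=<cdr.1cor...@1corphq.tcs.mil.in>, orig_to=<cdr.1cor...@tcs.mil.in>, "
    "relay=201.123.1.4[201.123.1.4]:25, delay=0.06, delays=0.04/0.01/0.01/0, "
    "dsn=4.7.5, status=deferred (Server certificate not verified)"
)

# The tls_policy entry quoted in the thread.
POLICY_LINE = "[201.123.1.4]:25 secure match=1CorpHQ"

_LOG_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<queue_id>[0-9A-F]+): "
    r"to=<(?P<to>[^>]*)>, (?:orig_to=<(?P<orig_to>[^>]*)>, )?"
    r"relay=(?P<relay>[^,]+), delay=(?P<delay>[\d.]+), "
    r"delays=(?P<delays>[\d./]+), dsn=(?P<dsn>[\d.]+), "
    r"status=(?P<status>\w+) \((?P<reason>[^)]*)\)"
)


def parse_smtp_log(line: str) -> dict:
    """Pull queue id, relay, DSN, status and reason out of a postfix/smtp line."""
    m = _LOG_RE.search(line)
    if not m:
        raise ValueError("not a postfix/smtp delivery line")
    return m.groupdict()


def parse_policy(line: str) -> Tuple[str, str, List[str]]:
    """Split a tls_policy entry into (nexthop, level, match patterns).

    Postfix separates multiple match= patterns with ':'.
    """
    nexthop, level, *attrs = line.split()
    patterns: List[str] = []
    for attr in attrs:
        key, _, value = attr.partition("=")
        if key == "match":
            patterns.extend(value.split(":"))
    return nexthop, level, patterns


@dataclass
class ServerCert:
    """The parts of the server certificate that matter for the check (constructed)."""
    common_name: str
    dns_sans: List[str] = field(default_factory=list)
    trusted_chain: bool = False  # issued by a CA present in smtp_tls_CAfile


def candidate_names(cert: ServerCert) -> List[str]:
    """Documented Postfix rule: the CN is used only when there are no DNS SANs."""
    return list(cert.dns_sans) if cert.dns_sans else [cert.common_name]


def pattern_matches(pattern: str, name: str) -> bool:
    """Case-insensitive match; a leading dot is a suffix match (simplified model)."""
    pattern, name = pattern.lower(), name.lower()
    if pattern.startswith("."):
        return name.endswith(pattern) and len(name) > len(pattern)
    return name == pattern


def secure_verify(cert: ServerCert, patterns: List[str]) -> Tuple[bool, str]:
    """Decide whether the session would pass the 'secure' level checks."""
    if not cert.trusted_chain:
        return False, "chain not signed by a CA in smtp_tls_CAfile"
    names = candidate_names(cert)
    for name in names:
        for pattern in patterns:
            if pattern_matches(pattern, name):
                return True, f"{name!r} matched pattern {pattern!r}"
    return False, f"no pattern in {patterns} matched {names} (CN ignored: {bool(cert.dns_sans)})"


if __name__ == "__main__":
    rec = parse_smtp_log(SMTP_LOG_LINE)
    print(f"{rec['queue_id']} via {rec['relay']}: dsn={rec['dsn']} {rec['status']}: {rec['reason']}")
    _, level, patterns = parse_policy(POLICY_LINE)
    # Constructed certificates: what the poster describes, and the variant Viktor asks about.
    cn_only = ServerCert("1CorpHQ", trusted_chain=True)
    with_sans = ServerCert("1CorpHQ", dns_sans=["1corphq.tcs.mil.in"], trusted_chain=True)
    untrusted = ServerCert("1CorpHQ", trusted_chain=False)
    for label, cert in [("CN only", cn_only), ("with DNS SAN", with_sans), ("untrusted CA", untrusted)]:
        ok, why = secure_verify(cert, patterns)
        print(f"{level} match={':'.join(patterns)} [{label}]: {'OK' if ok else 'FAIL'} ({why})")
```

Run it as-is and the "with DNS SAN" case fails while "CN only" passes: if the real certificate has a dNSName SAN such as the relay's host name, match=1CorpHQ will never match and the policy needs the SAN value (or a dot-suffix pattern) instead; if the chain is not anchored in smtp_tls_CAfile, no match pattern helps. The smtp_tls_loglevel = 1 output Viktor asks for is what tells the two causes apart on the real system.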