> On Jan 21, 2019, at 2:40 AM, phoenixsagar <phoenixsag...@gmail.com> wrote:
> 
> Logs are like:
> postfix/backend/smtp[95117]: CA certificate verification failed for
> abc-abc.mail.abc.outlook.com[111.111.111.111]:25: certificate has expired 

The key context here is "CA certificate verification".  The expired certificate
is an issuer CA certificate, not the leaf server certificate.  This could be
either sent by the remote server, or found in the local trust store.  Not
infrequently, the problem is a stale certificate in the local trust store,
which does need to be kept up to date.  Make sure you don't have stale
intermediate CA certs in your trust store.  Also post the certificates
sent on the wire, which you can capture with:

        $ posttls-finger -cC -Lsummary example.com

FWIW, the relevant source code is below.  Perhaps the "depth" should
also have been logged to give a more complete context.

tls_verify.c:

/* tls_log_verify_error - Report final verification error status */

void    tls_log_verify_error(TLS_SESS_STATE *TLScontext)
{
...
    int     depth = TLScontext->errordepth;

#define PURPOSE ((depth>0) ? "CA": TLScontext->am_server ? "client": "server")
...
    case X509_V_ERR_CERT_HAS_EXPIRED:
    case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
        msg_info("%s certificate verification failed for %s: certificate has"
                 " expired", PURPOSE, TLScontext->namaddr);
        break;
...
}

-- 
        Viktor.
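
Added example, not part of the original message and not Postfix code: a small Python triage of the log lines that tls_log_verify_error() emits, separating failures above the leaf ("CA", depth > 0) from failures of the leaf itself. The syslog prefix, host names and addresses in the sample are constructed; the message format is taken from the log line and msg_info() call quoted above.

```python
import re
from collections import Counter

# Message format from the msg_info() call above; a syslog prefix may precede it.
LINE_RE = re.compile(
    r"postfix/(?P<service>\S+)\[\d+\]: (?P<purpose>CA|server|client) "
    r"certificate verification failed for (?P<peer>\S+): (?P<reason>.+)$"
)

# What each PURPOSE value says about where the failing certificate sits.
MEANING = {
    "CA": "issuer certificate (depth > 0): check the local trust store "
          "and the chain the peer sends",
    "server": "leaf certificate of the remote server (depth 0)",
    "client": "leaf certificate of the remote client (depth 0)",
}

def triage(lines):
    """Count failures per (peer, purpose, reason); unrelated lines are ignored."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line.strip())
        if m:
            counts[(m["peer"], m["purpose"], m["reason"])] += 1
    return counts

def ca_expired_peers(counts):
    """Peers whose failure was an expired certificate above the leaf."""
    return sorted({peer for (peer, purpose, reason) in counts
                   if purpose == "CA" and reason == "certificate has expired"})

# Constructed sample log lines (documentation host names and addresses).
SAMPLE = [
    "Jan 21 02:31:07 mail postfix/backend/smtp[95117]: CA certificate verification "
    "failed for mx.example.net[192.0.2.10]:25: certificate has expired",
    "Jan 21 02:33:12 mail postfix/backend/smtp[95131]: CA certificate verification "
    "failed for mx.example.net[192.0.2.10]:25: certificate has expired",
    "Jan 21 02:35:40 mail postfix/smtp[95200]: server certificate verification "
    "failed for mail.example.org[198.51.100.7]:25: certificate has expired",
    "Jan 21 02:36:01 mail postfix/qmgr[1200]: 4F2A1C0DE: removed",
]

if __name__ == "__main__":
    counts = triage(SAMPLE)
    for (peer, purpose, reason), n in sorted(counts.items()):
        print(f"{n}x {peer}: {reason} -> {MEANING[purpose]}")
    print("expired issuer certs seen for:", ca_expired_peers(counts))
```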
