This year, my site has begun having problems with our Verisign SSL certificates. It began with the cert we acquired from Verisign in March, which was signed by a new, never-before-seen CA certificate. (Verisign has published the "intermediate CA certificate" on their web site; this is not at issue.) Our IMAP clients rejected our server cert because they didn't acknowledge the authority of the new signing cert -- our site certificate had no connection to their certificate cache.

With IMAP (WU imapd), we solved this by including the intermediate CA cert with the server cert in the PEM file that IMAP loads our server cert from. The clients now receive two certs with each connection: the server cert, and its signer, which is in turn signed by a cert in their certificate cache, and thus trustworthy. (We have a large user population, and we don't control all client workstations, so we can't just update all client CA caches.)

This tactic doesn't seem to work with Qpopper, even though we're using OpenSSL with both wu-imapd and qpopper. With the Verisign intermediate CA cert first in the tls-server-cert-file, the tls-private-key-file cannot decrypt our certificate -- understandably. And with the Verisign cert after our server cert, it seems to go undetected, and not delivered to the client.

Does anyone have any suggestions on how to achieve the same effect with qpopper? Will I need to patch?

--
-D.
[EMAIL PROTECTED]
NSIT
University of Chicago

When using any driving directions or map, it's a good idea to do a reality check and make sure the road still exists, watch out for construction, and follow all traffic safety precautions.
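
Added example, not part of the original message: this script uses the `openssl` command line on a constructed three-level PKI to check the two conditions the message describes, namely that the private key must match the first certificate in the PEM file, and that a client trusting only the root accepts the server certificate only when the intermediate is supplied with it. All file names, subject names and function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Constructed PKI for the demonstration: root -> intermediate -> server.
build_pki() {  # $1 = existing work directory
  d=$1
  echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
  for n in root int srv; do   # one key and CSR per level
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
      -out "$d/$n.csr" -subj "/CN=Example $n" 2>/dev/null || return 1
  done
  # Self-signed root: the only certificate in the client's trust store.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
  # Intermediate CA signed by the root; clients have never seen it.
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null &&
  # Server certificate signed by the intermediate.
  openssl x509 -req -in "$d/srv.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/srv.pem" 2>/dev/null
}

key_matches_first_cert() {  # $1 = PEM bundle, $2 = private key
  # `openssl x509` reads only the first certificate in the file.
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

client_accepts() {  # $1 = trusted root, $2 = server cert, $3 = certs sent with it (optional)
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

work=$(mktemp -d) && build_pki "$work" || exit 1
cat "$work/srv.pem" "$work/int.pem" > "$work/server-first.pem"
cat "$work/int.pem" "$work/srv.pem" > "$work/intermediate-first.pem"
for b in server-first intermediate-first; do
  key_matches_first_cert "$work/$b.pem" "$work/srv.key" && r=yes || r=no
  echo "$b.pem: private key matches first cert: $r"
done
client_accepts "$work/root.pem" "$work/srv.pem" && r=yes || r=no
echo "client accepts server cert alone: $r"
client_accepts "$work/root.pem" "$work/srv.pem" "$work/int.pem" && r=yes || r=no
echo "client accepts server cert plus intermediate: $r"
```

Against a live service, `openssl s_client -connect host:port -showcerts` lists the certificates the server actually sends, which shows whether the intermediate is being delivered.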