Perhaps counterintuitively, IO::Socket::SSL expects that multi-step SSL cert chains must have the intermediate certs in the SSL_cert_file path and not the SSL_ca_file path. Add documentation on this point, and a way of verifying cert configuration since most MTAs won't be at all helpful in diagnosing SSL verification errors.
-- 
Devin    \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 4096R/9197B5F9: 9C64 37CD 1B7B 029D 0933 49EA 1E52 7672 9197 B5F9
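The message above asks for a way to verify the certificate layout without relying on the MTA's error reporting. The script below is an added example, not part of Devin's message and not qpsmtpd or IO::Socket::SSL code. It checks a cert_path bundle offline with the openssl command-line tool (assumed to be installed): first that the file is ordered server-certificate-first with every certificate issued by the one after it, which is what OpenSSL's chain-file loader requires, and second that the server certificate verifies against the ca_path root with the remaining certificates supplied as untrusted intermediates, which is what a connecting client does. File names are placeholders.

```sh
#!/bin/sh
# Offline check of a tls plugin certificate setup. Added example, not qpsmtpd or
# IO::Socket::SSL code. Assumes the openssl command-line tool; the two file
# arguments are the cert_path bundle and the ca_path root certificate.

# Split a PEM bundle into $2/cert-NN.pem, one certificate per file, in the
# order they appear in the bundle. Prints the number of certificates found.
split_pem_bundle() {
    bundle=$1; outdir=$2
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n); inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f) }
        END { print n + 0 }
    ' "$bundle"
}

# Check the ordering OpenSSL expects in a chain file (and therefore what
# IO::Socket::SSL needs in SSL_cert_file): the server's own certificate first,
# then each intermediate, each certificate issued by the one that follows it.
# Returns 0 on a well-ordered file, 1 otherwise.
check_chain_order() {
    bundle=$1
    tmp=$(mktemp -d) || return 2
    count=$(split_pem_bundle "$bundle" "$tmp")
    [ "$count" -gt 0 ] || { echo "no certificates in $bundle" >&2; rm -rf "$tmp"; return 1; }
    rc=0
    i=1
    while [ "$i" -lt "$count" ]; do
        j=$((i + 1))
        # RFC2253 formatting gives both DNs the same canonical spelling
        issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$(printf '%s/cert-%02d.pem' "$tmp" "$i")")
        subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$(printf '%s/cert-%02d.pem' "$tmp" "$j")")
        issuer=${issuer#issuer=}
        subject=${subject#subject=}
        if [ "$issuer" != "$subject" ]; then
            echo "cert $i is issued by '$issuer' but cert $j is '$subject' (out of order or missing intermediate)" >&2
            rc=1
        fi
        i=$j
    done
    rm -rf "$tmp"
    return $rc
}

# Verify the first certificate in the bundle against the root (ca_path), using
# the rest of the bundle as untrusted intermediates, as a connecting client does.
verify_against_root() {
    bundle=$1; root=$2
    tmp=$(mktemp -d) || return 2
    count=$(split_pem_bundle "$bundle" "$tmp")
    [ "$count" -gt 0 ] || { rm -rf "$tmp"; return 1; }
    : > "$tmp/untrusted.pem"
    i=2
    while [ "$i" -le "$count" ]; do
        cat "$(printf '%s/cert-%02d.pem' "$tmp" "$i")" >> "$tmp/untrusted.pem"
        i=$((i + 1))
    done
    if [ "$count" -gt 1 ]; then
        openssl verify -CAfile "$root" -untrusted "$tmp/untrusted.pem" "$tmp/cert-01.pem" && rc=0 || rc=1
    else
        openssl verify -CAfile "$root" "$tmp/cert-01.pem" && rc=0 || rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Usage: sh check-tls-config.sh ssl/qpsmtpd-server.crt ssl/qpsmtpd-ca.crt
if [ "$#" -eq 2 ]; then
    check_chain_order "$1" && verify_against_root "$1" "$2"
fi
```

The order check is the one that catches the mistake the message describes: a bundle with the intermediate listed first still passes the openssl verify step (the intermediate is itself valid against the root), so verification alone does not prove the file is laid out the way SSL_cert_file needs it.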
commit f49a266b76ee8c539a3bbed68c3d65f8cdba6593 Author: Devin Carraway <g...@devin.com> Date: Thu Jun 5 23:53:51 2014 -0700 Expand the tls plugin's documentation regarding certificate chains and testing. diff --git a/plugins/tls b/plugins/tls index b690eb6..6e1a20c 100644 --- a/plugins/tls +++ b/plugins/tls @@ -14,7 +14,13 @@ tls [B<cert_path priv_key_path ca_path>] =item B<cert_path> -Path to the server certificate file. Default: I<ssl/qpsmtpd-server.crt> +Path to the server certificate file. This file should include +both the server's own certificate and those of any intermediate +(non-root) certificate authorities in the cert chain. If a chain +of multiple certificates is given here, the file must be in PEM +format; if only one cert is given, DER format is also acceptable. + +Default: I<ssl/qpsmtpd-server.crt> =item B<priv_key_path> @@ -22,7 +28,7 @@ Path to the private key file. Default: I<ssl/qpsmtpd-server.key> =item B<ca_path> -Path to the certificate authority file. Default: I<ssl/qpsmtpd-ca.crt> +Path to the root certificate authority file. Default: I<ssl/qpsmtpd-ca.crt> =back @@ -57,6 +63,13 @@ ciphers at L<http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS>, and put a suitable string in config/tls_ciphers (e.g. "DEFAULT" or "HIGH:MEDIUM") +=head1 TESTING + +To verify correct configuration and certificate structure, after enabling +the plugin one can use this command to test negotiation and authentication: + + openssl s_client -CApath /etc/ssl/certs -starttls smtp -connect mailhost:25 + =cut use IO::Socket::SSL 0.98; # qw(debug1 debug2 debug3 debug4);
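Review bot: the new cert_path text in the first hunk should state the order the chain file must have, since OpenSSL's chain-file loader requires the server's own certificate first followed by the intermediates in issuing order, and a file with the intermediates first will not produce a usable chain. The sentence "if only one cert is given, DER format is also acceptable" also needs checking against the version the plugin pins with `use IO::Socket::SSL 0.98`: when SSL_cert_file is loaded through SSL_CTX_use_certificate_chain_file only PEM is accepted regardless of how many certificates the file holds, so either confirm the DER claim for that version or drop it. Suggest: "List the server certificate first, followed by each intermediate CA certificate in order, all in PEM format."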
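Review bot: in the ca_path hunk, changing "certificate authority file" to "root certificate authority file" still does not tell the reader what the file is for, which is the confusion the commit is addressing: IO::Socket::SSL uses SSL_ca_file to verify the certificate presented by the peer, not to build the chain sent to clients, so intermediates placed here do nothing for the server's own chain. Suggest: "Path to the root CA certificate file, used to verify peer certificates. Intermediate certificates do not belong here; put them in cert_path."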
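Review bot: the TESTING hunk gives the command but not what a correct result looks like, so a reader still cannot tell a pass from a failure. State that the s_client output should end with "Verify return code: 0 (ok)", that "Verify return code: 21 (unable to verify the first certificate)" is the signature of a missing intermediate, and that adding -showcerts prints every certificate the server actually sent so it can be compared with the contents of cert_path. Also note that mailhost:25 is a placeholder and that /etc/ssl/certs is the Debian/Ubuntu trust directory; other systems need a different -CApath or a -CAfile.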