
Issues with tls_append_default_CA and *_tls_CApath
Artemy Tregubenko, Sun Feb 19 06:00:57 2012

I have an Ubuntu server with Postfix 2.8.2 on it. Looks like tls_append_default_CA has no effect on it.

When I send emails to Gmail I get a message about failed certificate verification. There are many articles on solving this issue. The ones that I saw suggest the suboptimal approach of adding the Equifax CA certificate to your own CA certificate file [1]. I want to solve the issue in a better way.

First of all, Ubuntu ships Equifax_Secure_CA.pem and it's present in /etc/ssl/certs/. When I set 'smtp_tls_CAfile = /etc/ssl/certs/Equifax_Secure_CA.pem' [2] I get no verification errors, so I suppose the certificate is fine. But that will only fix errors for Gmail and other users of Equifax-signed certificates.

I want to use a more generic approach, so I unset smtp_tls_CAfile and set 'smtp_tls_CApath = /etc/ssl/certs' [3] and 'smtpd_tls_CApath = /etc/ssl/certs' [4]. In that configuration I see verification errors.

Documentation on [3] and [4] mentions the tls_append_default_CA setting, which defaults to 'no' [5]. I set 'tls_append_default_CA = yes'. In that configuration I see verification errors.

I unset smtp_tls_CApath and smtpd_tls_CApath. The only option about CA certificates is tls_append_default_CA now. In that configuration I see verification errors.

I set 'smtp_tls_CAfile = /etc/ssl/certs/cacert.pem' in addition to 'tls_append_default_CA = yes'. In that configuration I see verification errors.

Documentation for tls_append_default_CA says: "Append the system-supplied default certificate authority certificates to the ones specified with *_tls_CApath or *_tls_CAfile." I suppose that certificates in /etc/ssl/certs are system-supplied default certificate authority certificates. Apparently those are not added to *_tls_CApath or *_tls_CAfile.

What might be the cause of that issue? Is this a bug in Postfix?

[1] http://stevejenkins.com/blog/2011/06/fixing-postfix-certificate-verification-failed-for-gmail-untrusted-issuer-error-message/
[2] http://www.postfix.org/postconf.5.html#smtp_tls_CAfile
[3] http://www.postfix.org/postconf.5.html#smtp_tls_CApath
[4] http://www.postfix.org/postconf.5.html#smtpd_tls_CApath
[5] http://www.postfix.org/postconf.5.html#tls_append_default_CA

Regards, Artemy
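The smtp_tls_CApath documentation [3] has two requirements that are easy to miss and that make a CApath silently unusable: the directory needs OpenSSL hash links (c_rehash), and when the smtp client runs chrooted (master.cf chroot column "-" means yes on Postfix 2.x) the directory must exist under the queue directory. The script below is an added example, not code from the original post or from Postfix; it assumes the standard 8-column master.cf layout and a queue directory of /var/spool/postfix.

```shell
#!/bin/sh
# Added check (not from the original post): does Postfix's SMTP client
# actually see the directory named in smtp_tls_CApath?
# Assumptions: standard 8-column master.cf, queue directory
# /var/spool/postfix, Postfix < 3.0 (chroot column "-" means yes).

# Print "y" or "n": is the "smtp unix" client service chrooted?
# master.cf columns: service type private unpriv chroot wakeup maxproc cmd
smtp_chrooted() {
    awk '$1 == "smtp" && $2 == "unix" {
            c = $5
            if (c == "-") c = "y"   # Postfix < 3.0 default
            print c; exit
         }' "$1"
}

# Return 0 if DIR contains at least one OpenSSL hash link (xxxxxxxx.N),
# i.e. c_rehash (or update-ca-certificates) has been run on it.
capath_hashed() {
    for f in "$1"/*; do
        case "$(basename "$f")" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) return 0 ;;
        esac
    done
    return 1
}

# Resolve the path the smtp process will open (inside the jail if
# chrooted), print a verdict, and return 0 only if the path is usable.
check_capath() {
    master_cf=$1; queue_dir=$2; capath=$3
    if [ "$(smtp_chrooted "$master_cf")" = "y" ]; then
        effective="$queue_dir$capath"
    else
        effective="$capath"
    fi
    if [ ! -d "$effective" ]; then
        echo "FAIL: smtp_tls_CApath=$capath resolves to missing $effective"
        return 1
    fi
    if ! capath_hashed "$effective"; then
        echo "FAIL: $effective has no hash links; run c_rehash on it"
        return 2
    fi
    echo "OK: smtp will load CA certs from $effective"
    return 0
}

# Against a live system (paths are assumptions, adjust as needed):
# check_capath /etc/postfix/master.cf /var/spool/postfix /etc/ssl/certs
```

A FAIL on the first check explains why smtp_tls_CApath = /etc/ssl/certs works for smtpd (not chrooted) but not for the chrooted smtp client until the directory is copied into the jail.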