[Prev] Thread [Next]  |  [Prev] Date [Next]

Re: Issues with tls_append_default_CA and *_tls_CApath Wietse Venema Sun Feb 19 07:01:02 2012

Artemy Tregubenko:
[ Charset UTF-8 unsupported, converting... ]
> Hello,
> I have an Ubuntu server with Postfix 2.8.2 on it. Looks like  
> tls_append_default_CA has no effect on it.
> When I send emails to Gmail I get message about failed certificate  
> verification. There're many articles on solving this issue. The ones that  
> I saw suggest suboptimal approach of adding Equifax CA certificate to your  
> own CA certificate file [1]. I want to solve the issue in a better way.
> First of all, Ubuntu ships Equifax_Secure_CA.pem and it's present in  
> /etc/ssl/certs/. When I set 'smtp_tls_CAfile =  
> /etc/ssl/certs/Equifax_Secure_CA.pem' [2] I get no verification errors, so  
> I suppose the certificate is fine. But that will only fix errors for Gmail  
> and other users of Equifax-signed certificates.
> I want to use a more generic approach, so I unset smtp_tls_CAfile and set  
> 'smtp_tls_CApath = /etc/ssl/certs' [3] and 'smtpd_tls_CApath =  
> /etc/ssl/certs' [4]. In that configuration I see verification errors.
> Documentation on [3] and [4] mentions tls_append_default_CA setting which  
> defaults to 'no'[5]. I set 'tls_append_default_CA = yes'. In that  
> configuration I see verification errors.

Therefore, the Equifax certificate wasn't found with 'smtp_tls_CApath
= /etc/ssl/certs'. For CApath to work, you need to run a program
that sets up the necessary symlinks (named after a certificate hash)
that allow the OpenSSL library to find the corresponding certificate

To investigate, you can strace the SMTP daemon (see DEBUG_README.html)
and see what system calls fail. That will also show whether you
correctly followed instructions to turn of the chroot feature.