List: postfix-users
Subject: openssl s_client vs smtpd_tls_CApath = /etc/ssl/certs
From: Bob Tanner <tanner () real-time ! com>
Date: 2005-10-05 4:51:48
Message-ID: dhvm55$god$1 () sea ! gmane ! org
Having problems getting postfix working with a self-signed cert, I searched
the mailing list and none of the other posts seem to answer my question.
I'll start by asking why I get different results between openssl s_client
-connect and postfix when I have smtpd_tls_CApath = /etc/ssl/certs set up?
$ openssl s_client -connect mailhandler.az.fh.org:25 -starttls smtp -CApath /etc/ssl/certs/
CONNECTED(00000003)
<snip>
verify return:1
<snip>
Verify return code: 0 (ok) <-- We are ok!
---
220 mailhandler.az.fh.org ESMTP server ready at
Logs from postfix show a problem with the self-signed cert
postfix/smtp[26070]: setting up TLS connection to mailhandler.az.fh.org
postfix/smtp[26070]: verify error:num=18:self signed certificate
postfix/smtp[26070]: SSL_connect error to mailhandler.az.fh.org: -1
postfix/smtp[26070]: 26070:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:844:
postfix/smtp[26070]: 1B130EBA26: Could not start TLS: client failure
The relevant main.cf
smtpd_use_tls = yes
#smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/certs/server.key
smtpd_tls_cert_file = /etc/ssl/certs/server.crt
smtpd_tls_CAfile = /etc/ssl/certs/server.ca
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_ask_ccert = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtp_tls_note_starttls_offer = yes
smtp_tls_per_site = hash:/etc/postfix/tls_per_site
Now, if I remove the -CApath from the openssl s_client, I get the same
issue/error:
$ openssl s_client -connect mailhandler.az.fh.org:25 -starttls smtp
CONNECTED(00000003)
<snip>
verify error:num=18:self signed certificate
verify return:1
<snip>
Verify return code: 18 (self signed certificate)
Reading the documentation, I understand that smtpd_tls_CApath is the "Directory
with PEM format certificate authority certificates that the Postfix SMTP
server offers to remote SMTP clients for the purpose of client certificate
verification." and using Debian's update-ca-certificates it does do the hashing
of the certs.
Any help on where to look to next?
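One thing worth checking in a main.cf like the one above is which Postfix role each TLS trust-store parameter belongs to: smtpd_* parameters configure the Postfix SMTP server (logged as postfix/smtpd), while smtp_* parameters configure the Postfix SMTP client (logged as postfix/smtp, which is where the "certificate verify failed" lines above come from). The following is an added example, not code from the original post or from Postfix: a small main.cf parser that reports the CAfile/CApath configured for each role, run over a constructed sample mirroring the quoted configuration. The function names and the sample text are my own.

```python
# Constructed sample, mirroring the main.cf quoted in the post (not read from disk).
SAMPLE_MAIN_CF = """\
smtpd_use_tls = yes
#smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/certs/server.key
smtpd_tls_cert_file = /etc/ssl/certs/server.crt
smtpd_tls_CAfile = /etc/ssl/certs/server.ca
smtpd_tls_CApath = /etc/ssl/certs
smtp_tls_note_starttls_offer = yes
smtp_tls_per_site = hash:/etc/postfix/tls_per_site
"""

# Trust-anchor parameters that exist for both the server (smtpd_) and client (smtp_) roles.
TRUST_PARAMS = ("tls_CAfile", "tls_CApath")


def parse_main_cf(text):
    """Parse 'name = value' lines into a dict.
    Lines starting with '#' are comments; a line that starts with whitespace
    continues the previous parameter's value, as in Postfix main.cf syntax."""
    params = {}
    last = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line[0].isspace() and last is not None:
            params[last] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params


def tls_trust_by_role(params):
    """Return {'smtpd': {...}, 'smtp': {...}}: the CAfile/CApath set for each role.
    smtpd_* governs inbound connections (Postfix as server);
    smtp_* governs outbound delivery (Postfix as client)."""
    roles = {"smtpd": {}, "smtp": {}}
    for role in roles:
        for p in TRUST_PARAMS:
            value = params.get(f"{role}_{p}")
            if value:
                roles[role][p] = value
    return roles


def missing_client_trust(params):
    """True when the client role (postfix/smtp) has no CAfile or CApath at all,
    so outbound certificate verification has nothing to verify against."""
    return not tls_trust_by_role(params)["smtp"]
```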