From: Dennis Putnam on 6 Jan 2010 10:00

I am using CACert as my signing authority. I have included their root certificate in my main.cf:

smtpd_tls_CAfile = /etc/postfix/ssl/root.crt

However, I get this error when it tries to set up a TLS connection:

postfix/smtp[5298]: certificate verification failed for xserveoda.aimaudit.com[70.158.194.7]:25: untrusted issuer /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support(a)cacert.org

What is a little confusing to me, and may be the crux of the problem, is which parameter applies to which server, when. Is this error because something is not right on this server or because something is wrong on the initiating server? Both are using CACert as their signing authority.

Thanks.

Dennis Putnam
Sr. IT Systems Administrator
AIM Systems, Inc.
11675 Rainwater Dr., Suite 200
Alpharetta, GA 30009
Phone: 678-240-4112
Main Phone: 678-297-0700
FAX: 678-297-2666 or 770-576-1000

The information contained in this e-mail and any attachments is strictly confidential. If you are not the intended recipient, any use, dissemination, distribution, or duplication of any part of this e-mail or any attachment is prohibited. If you are not the intended recipient, please notify the sender by return e-mail and delete all copies, including the attachments.
From: Victor Duchovni on 6 Jan 2010 10:09

On Wed, Jan 06, 2010 at 10:00:37AM -0500, Dennis Putnam wrote:

> I am using CACert as my signing authority. I have included their root certificate in my main.cf:
>
> smtpd_tls_CAfile = /etc/postfix/ssl/root.crt

This is for verifying client certificates when clients connect to your SMTP server.

> However, I get this error when it tries to set up a TLS connection:
>
> postfix/smtp[5298]: certificate verification failed for xserveoda.aimaudit.com[70.158.194.7]:25: untrusted issuer /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support(a)cacert.org

This is your SMTP client sending to remote servers. Consider adding this certificate to:

smtp_tls_CAfile = /some/file/with/all/trusted/ca/certs.pem

OR

smtp_tls_CApath = /some/directory/with/all/trusted/ca/certs/

In the latter case, you need to run the "c_rehash" utility from OpenSSL, to re-index the directory when it is updated. Note that c_rehash is not atomic, and may temporarily disrupt verification while it is running, so if you use the "secure" or "verify" tls levels, you want to stop your MTA before running c_rehash, or run c_rehash in a new directory, and atomically update a symlink to cut over to the new certificate set.

I have as yet been too lazy to contribute a more robust c_rehash to the OpenSSL project. Sorry about that... :-(

--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below:
<mailto:majordomo(a)postfix.org?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not send an "it worked, thanks" follow-up. If you must respond, please put "It worked, thanks" in the "Subject" so I can delete these quickly.
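The staged cut-over Viktor describes for smtp_tls_CApath (index a fresh directory, then swap a symlink atomically so the running MTA never sees a half-indexed directory) can be scripted. The script below is an added example written for this page, not code from the thread or from Postfix or OpenSSL. It assumes a layout of its own: main.cf points smtp_tls_CApath at a symlink (LINK), and each published set lives in a versioned directory LINK.<timestamp> beside it. It uses "openssl rehash" where available and falls back to c_rehash, and it relies on GNU "mv -T" for the rename over the live symlink.

```shell
#!/bin/sh
# Staged, atomic update of a Postfix smtp_tls_CApath directory.
# Layout assumed for this example (constructed, not from the thread):
#   LINK          symlink named by smtp_tls_CApath in main.cf
#   LINK.<stamp>  versioned directories the symlink points at
# Requires: openssl (c_rehash or "openssl rehash") and GNU mv for "mv -T".
set -eu

# rehash_dir DIR: create the <subject-hash>.N symlinks OpenSSL needs to find
# CA certificates in a CApath directory. Prefer "openssl rehash" (OpenSSL
# 1.1 and later), fall back to the older c_rehash script.
rehash_dir() {
    openssl rehash "$1" 2>/dev/null || c_rehash "$1" >/dev/null
}

# count_hash_links DIR: number of hash-style entries (e.g. 9d9f4b1a.0) in
# DIR. The trailing slash makes find descend even when DIR is a symlink.
count_hash_links() {
    find "$1/" -name '[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*' \
        | wc -l | tr -d ' '
}

# publish_capath LINK SRC: copy the PEM files from SRC into a fresh versioned
# directory, index it there (never in the live directory), then rename a
# temporary symlink over LINK. rename(2) is atomic, so the SMTP client sees
# either the old, fully indexed set or the new one, never a partial index.
# Prints the path of the newly published directory.
publish_capath() {
    link=$1
    src=$2
    stamp=$(date +%Y%m%d%H%M%S)
    new="${link}.${stamp}"
    mkdir "$new"
    cp "$src"/*.pem "$new"/
    rehash_dir "$new"
    # Refuse to cut over if the index is empty: that would leave the client
    # unable to verify anyone, exactly the outage the staging is meant to avoid.
    if [ "$(count_hash_links "$new")" -eq 0 ]; then
        echo "rehash produced no index in $new, not publishing" >&2
        rm -rf "$new"
        return 1
    fi
    rm -f "${link}.tmp"
    ln -s "$(basename "$new")" "${link}.tmp"
    mv -T "${link}.tmp" "$link"
    echo "$new"
}
```

Run it as "publish_capath /etc/postfix/ssl/cacerts /path/to/new/pem/files" (paths are placeholders); old LINK.<stamp> directories can be removed once no smtp(8) process still has them open. With smtp_tls_CAfile instead, no index is needed at all, since the file is read whole, and the same write-to-temp-then-rename pattern gives an atomic replacement.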
From: Dennis Putnam on 6 Jan 2010 14:39

Hi Viktor,

Thanks, that seems to have worked. Now for the next layer of the onion. Do I just keep appending root certificates to that same file or does each certificate have to be set up separately somehow?

On Jan 6, 2010, at 10:09 AM, Victor Duchovni wrote:

> On Wed, Jan 06, 2010 at 10:00:37AM -0500, Dennis Putnam wrote:
>
>> I am using CACert as my signing authority. I have included their root certificate in my main.cf:
>>
>> smtpd_tls_CAfile = /etc/postfix/ssl/root.crt
>
> This is for verifying client certificates when clients connect to your SMTP server.
>
>> However, I get this error when it tries to set up a TLS connection:
>>
>> postfix/smtp[5298]: certificate verification failed for xserveoda.aimaudit.com[70.158.194.7]:25: untrusted issuer /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support(a)cacert.org
>
> This is your SMTP client sending to remote servers. Consider adding this certificate to:
>
> smtp_tls_CAfile = /some/file/with/all/trusted/ca/certs.pem
>
> OR
>
> smtp_tls_CApath = /some/directory/with/all/trusted/ca/certs/
>
> In the latter case, you need to run the "c_rehash" utility from OpenSSL, to re-index the directory when it is updated. Note that c_rehash is not atomic, and may temporarily disrupt verification while it is running, so if you use the "secure" or "verify" tls levels, you want to stop your MTA before running c_rehash, or run c_rehash in a new directory, and atomically update a symlink to cut over to the new certificate set.
>
> I have as yet been too lazy to contribute a more robust c_rehash to the OpenSSL project. Sorry about that... :-(
>
> --
> Viktor.

Dennis Putnam
Sr. IT Systems Administrator
AIM Systems, Inc.