Thanks for all the replies. Is it even worth checking the cert chain at all?
Right now, I've taken your advice and am ignoring the following errors:

  Untrusted CA
  Untrusted Root
  Untrusted Test Root
  CN Name Mismatch
  Cert Expired

This leaves only revocation, invalid cert use, and miscellaneous unlikely errors to encounter after a successful handshake (not much). Probably revocation is important, but log-diving shows a lot of self-signed and expired certs used by legit MTA recipients. I can't figure out how to tell the difference between a "real" untrusted root and a cert issued by some admin's personal CA.

Jeffry