On Fri, Jan 23, 2009 at 08:26:12AM +0100, gabrix wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi list!
> I run debian lenny/sid and postfix is my MTA.
> My relayhost uses a selfsigned CA certificate which I have imported as
> /etc/ssl/certs/myisp.crt and linked as
> /usr/share/ca-certificate/myisp.pem and in postfix as
> /etc/postfix/CA/myisp.pem
> In postfix configuration I have:
> smtpd_tls_CApath = /etc/postfix/CA/

Did you run the OpenSSL c_rehash(1) utility?

> and I have my selfsigned CA cert on itself in
> /etc/postfic/ssl/cacert.pem, after this I'm still getting these
> warnings in mail.log:
>
> > Jan 10 00:41:58 mail postfix/smtp[10404]: certificate verification failed
> > for smtp.myisp[111.222.222.999]:587: untrusted issuer
> > /C=NO/O=MyISP/CN=MyISP Certification Authority/emailaddress...@myisp
>
> Should I stick both certificates on one big file.pem in postfix like
>
> > smtpd_tls_CAfile = /etc/postfix/ssl/file.pem

That would work.

> or there is another way to make postfix successfully verify my isp CA?

Or use c_rehash(1), but be aware that it is not "atomic" and CA certs
may briefly disappear while c_rehash(1) is running. It is possible to
fix the c_rehash(1) Perl script to be atomic, but nobody has done that
yet...

--
Viktor.
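One way around the non-atomic c_rehash(1) window mentioned above is to build the hashed directory off to the side and swap a symlink into place. This is an added example, not code from the thread or from OpenSSL; `rehash_atomic`, `cert_hash` and the `.capath.*` naming are hypothetical, and it assumes GNU `mv -T` and that the CApath setting points at a symlink.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU coreutils (mv -T), as on Debian.

# Subject-name hash that OpenSSL uses for CApath lookups (<hash>.N file names).
cert_hash() { openssl x509 -noout -hash -in "$1"; }

# rehash_atomic SRC_DIR LIVE_LINK   (both names are hypothetical)
#   SRC_DIR    directory holding the trusted CA certificates as *.pem
#   LIVE_LINK  path the CApath setting points at; must be a symlink or absent
rehash_atomic() {
    src=$1 live=$2
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    if [ -e "$live" ] && [ ! -L "$live" ]; then
        echo "$live is a real directory and cannot be swapped atomically" >&2
        return 1
    fi
    parent=$(dirname "$live")
    new=$(mktemp -d "$parent/.capath.XXXXXX") || return 1
    chmod 755 "$new"                 # mktemp -d creates it 0700
    for pem in "$src"/*.pem; do
        [ -f "$pem" ] || continue
        # A file that does not parse as a certificate aborts the rebuild and
        # leaves the live directory untouched.
        h=$(cert_hash "$pem") && cp "$pem" "$new/" || { rm -rf "$new"; return 1; }
        n=0                          # same subject hash: .0, .1, .2, ...
        while [ -L "$new/$h.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$pem")" "$new/$h.$n"
    done
    old=$(readlink "$live" 2>/dev/null || true)
    # rename(2) replaces the old symlink in one step, so a lookup sees either
    # the complete old directory or the complete new one.
    ln -s "$(basename "$new")" "$live.tmp.$$" && mv -T "$live.tmp.$$" "$live" ||
        { rm -rf "$new" "$live.tmp.$$"; return 1; }
    case $old in
        .capath.*) rm -rf "${parent:?}/$old" ;;   # drop the previous generation
    esac
    return 0
}
```

The log line in the thread comes from `postfix/smtp`, the client side, whose trust-store parameters are `smtp_tls_CApath` and `smtp_tls_CAfile`.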