What values does postconf show for the following parameters?
smtp_tls_CAfile
smtpd_tls_CAfile
?
Joe
sean darcy wrote:
sean darcy wrote:
J Sloan wrote:
Sounds like fedora's missing a ca-bundle.crt...
Joe
sean darcy wrote:
I followed the instructions on
http://www.wormly.com/blog/2008/11/05/relay-gmail-google-smtp-postfix/
to create your own certificate to use with google.
main.cf:
..........
## this to use certificate I created:
## www.wormly.com/blog/2008/11/05/relay-gmail-google-smtp-postfix/
relayhost = [smtp.gmail.com]:587
smtp_connection_cache_destinations = smtp.gmail.com
relay_destination_concurrency_limit = 1
default_destination_concurrency_limit = 5
smtp_sasl_auth_enable=yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_note_starttls_offer = yes
tls_random_source = dev:/dev/urandom
smtp_tls_scert_verifydepth = 5
smtp_tls_key_file=/etc/postfix/postfixclient.key
smtp_tls_cert_file=/etc/postfix/postfixclient.pem
smtp_tls_enforce_peername = no
smtpd_tls_req_ccert =no
smtpd_tls_ask_ccert = yes
soft_bounce = yes
I get this error:
Feb 4 17:01:52 asterisk postfix/smtp[17447]: certificate verification failed for smtp.gmail.com[74.125.47.111]:587: untrusted issuer /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailaddress=premium-ser...@thawte.com
The error message is weird since it refers to thawte.com.
/etc/postfix/postfixclient.pem:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=us, ST=new york, O=n/a, OU=section, CN=seandarcy/emailaddress=seanda...@gmail.com
Validity
Not Before: Feb 4 21:40:25 2009 GMT
Not After : Feb 4 21:40:25 2010 GMT
Subject: C=us, ST=new york, O=n/a, OU=section, CN=seandarcy/emailaddress=seanda...@gmail.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
...........
So I should be the issuer. Or is it referring to the issuer of its
certificate?
In any event, anyone else have this working?
sean
I can get the thawte cert, but what do I do with it?
sean
In fact the thawte certificate is already in Fedora 10
/etc/pki/tls/cert.pem:
.........
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailaddress=premium-ser...@thawte.com
Validity
Not Before: Aug 1 00:00:00 1996 GMT
Not After : Dec 31 23:59:59 2020 GMT
Subject: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailaddress=premium-ser...@thawte.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
........
Any suggestions appreciated.
sean
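
Added example, not part of the original thread: a Python check of the client-side TLS settings Joe asks about, run over a constructed excerpt of the main.cf quoted above. The function names and sample text are this example's own; smtp_tls_CApath and smtp_tls_security_level are standard Postfix parameters that the thread does not mention.

```python
import re

# Constructed sample: client-side TLS lines taken from the main.cf in the thread.
SAMPLE_MAIN_CF = """\
relayhost = [smtp.gmail.com]:587
smtp_use_tls = yes
smtp_tls_key_file=/etc/postfix/postfixclient.key
smtp_tls_cert_file=/etc/postfix/postfixclient.pem
smtp_tls_enforce_peername = no
smtpd_tls_req_ccert =no
"""

def parse_main_cf(text):
    """Parse main.cf syntax: '#' comment lines, 'name = value', and
    continuation lines that start with whitespace. The last setting wins."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current:
            params[current] = (params[current] + " " + line.strip()).strip()
            continue
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)", line)
        if m:
            current = m.group(1)
            params[current] = m.group(2).strip()
    return params

def audit_smtp_client_tls(params):
    """Return findings on how the Postfix SMTP client verifies the relay's certificate."""
    findings = []
    tls_on = (params.get("smtp_use_tls", "no") == "yes"
              or params.get("smtp_tls_security_level", "") not in ("", "none"))
    if not tls_on:
        return ["client TLS is not enabled"]
    if not params.get("smtp_tls_CAfile") and not params.get("smtp_tls_CApath"):
        findings.append(
            "no CA file or directory set (smtp_tls_CAfile / smtp_tls_CApath)")
    if params.get("smtp_tls_enforce_peername", "yes") == "no":
        findings.append(
            "smtp_tls_enforce_peername = no: server name is not checked")
    if params.get("smtp_tls_cert_file"):
        findings.append(
            "smtp_tls_cert_file is the client's own certificate, not a trust anchor")
    return findings

if __name__ == "__main__":
    for finding in audit_smtp_client_tls(parse_main_cf(SAMPLE_MAIN_CF)):
        print("-", finding)
```

Only the smtp_* parameters apply to the outbound connection to the relay; the smtpd_* parameters configure the Postfix server side and are parsed here but not audited.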