On Wed, Jul 15, 2009 at 01:49:24PM -0400, Linux Addict wrote:

> smtp_tls_note_starttls_offer = yes
> smtp_use_tls = yes
> smtpd_tls_CAfile = /usr/share/ssl/certs/cacert.pem

Make that:

    smtp_tls_CAfile = ...

you don't need an smtpd_tls_CAfile, unless your cert file is missing the intermediate CA issuing certificates that are found in this file. The right solution is to include your trust chain in the cert.pem file (in the right order, subject cert before issuer cert, leaf to root).

> smtpd_tls_session_cache_timeout = 3600s

No need if you don't also specify a "btree" cache database.

> smtpd_use_tls = yes

Make that:

    smtpd_tls_security_level = may

> I read in one of the docs,
> http://palmcoder.net/files/howtos/Postfix%20SSL/Postfix_SSL-HOWTO-2.html#ss2.1,
> for a successful TLS setup, the last line should be
> "220 Ready to start TLS".

No, this is not the case. To test:

    openssl s_client -starttls smtp -connect 192.0.2.1:25

where 192.0.2.1 is replaced by the IP address of your SMTP server.

-- 
	Viktor.

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the "Reply-To" header.

If my response solves your problem, the best way to thank me is to not send an "it worked, thanks" follow-up. If you must respond, please put "It worked, thanks" in the "Subject" so I can delete these quickly.