Wietse Venema wrote:
sean darcy:
Wietse Venema wrote:
sean darcy:
Wietse Venema wrote:
sean darcy:
Sep 13 16:00:19 asterisk postfix/smtp[1786]: warning: TLS library
problem: 1786:error:0B080074:x509 certificate
routines:X509_check_private_key:key values mismatch:x509_cmp.c:304:
Does the client private key match the client (public key) certificate?
See the Postfix TLS_README for an example of how to create these.
Wietse
It doesn't seem to need to match. But reading TLS_README realllly
closely solved it.
Counter-intuitively - at least for me - you set up all the files for
smtpd_tls... That is, you set them up as if you're a server.
That configures the certificates for the Postfix SMTP server.
You won't be using any certificates in the SMTP client.
Wietse
Right, which is puzzling. I would have assumed I was the client to the
gmail server. Why setting the certificates up as a server works makes no
sense to me, but it does work.
You can delete all the SERVER TLS settings.
They have no effect on SENDING mail, period.
Wietse
Wow. You're absolutely right. Here's main.cf:
relayhost = [smtp.gmail.com]:587
smtp_connection_cache_destinations = smtp.gmail.com
smtp_sasl_auth_enable=yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_tls_security_options = noanonymous
tls_random_source = dev:/dev/urandom
smtp_tls_CAfile=/etc/pki/CA/cacert.pem
smtp_tls_security_level = may
smtp_tls_scert_verifydepth = 9
This is way simpler than any of the howto's for gmail relay access. Or
the TLS_README.
It's weird how everyone makes this so complicated.
sean
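
An added check for the relay setup discussed in this thread (not part of the original messages and not Postfix code): it parses a main.cf and flags an authenticated relay whose smtp_tls_security_level does not require or verify TLS, plus any smtpd_tls_* settings, which play no part in sending. The sample file is constructed from the settings posted above, and the example-server.pem path is hypothetical.

```python
import re

# Constructed sample: the final main.cf from the thread (trimmed) plus one leftover
# server-side setting of the kind the thread says can be deleted (hypothetical path).
SAMPLE_MAIN_CF = """\
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable=yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_tls_security_options = noanonymous
smtp_tls_CAfile=/etc/pki/CA/cacert.pem
smtp_tls_security_level = may
# leftover from an earlier attempt
smtpd_tls_cert_file =
    /etc/postfix/example-server.pem
"""

# smtp_tls_security_level values that always authenticate the remote server.
VERIFYING = {"fingerprint", "verify", "secure", "dane-only"}

def parse_main_cf(text):
    """Return {name: value}; handles comments, continuation lines, overrides."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:          # continuation of previous value
            params[last] = (params[last] + " " + line.strip()).strip()
            continue
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)", line)
        if m:
            last = m.group(1)
            params[last] = m.group(2).strip()   # later assignment wins
    return params

def audit(text):
    # Only client-side (smtp_*) settings matter when relaying outbound mail.
    p, findings = parse_main_cf(text), []
    level = p.get("smtp_tls_security_level", "unset").lower()
    if p.get("smtp_sasl_auth_enable", "no").lower() == "yes":
        if level in ("unset", "none", "may"):
            findings.append(f"tls-optional: level={level}, TLS is not required for relay")
        elif level not in VERIFYING:
            findings.append(f"tls-unverified: level={level}, certificate verification is not enforced")
    for name in sorted(n for n in p if n.startswith("smtpd_tls_")):
        findings.append(f"server-only: {name} has no effect on sending mail")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_MAIN_CF)))
```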