Hi Viktor,

Thanks, that seems to have worked. Now for the next layer of the onion. Do I just keep appending root certificates to that same file or does each certificate have to be set up separately somehow?

On Jan 6, 2010, at 10:09 AM, Victor Duchovni wrote:

> On Wed, Jan 06, 2010 at 10:00:37AM -0500, Dennis Putnam wrote:
>
>> I am using CACert as my signing authority. I have included their root
>> certificate in my main.cf:
>>
>> smtpd_tls_CAfile = /etc/postfix/ssl/root.crt
>
> This is for verifying client certificates when clients connect
> to your SMTP server.
>
>> However, I get this error when it tries to set up a TLS connection:
>>
>> postfix/smtp[5298]: certificate verification failed for
>> xserveoda.aimaudit.com[70.158.194.7]:25: untrusted issuer /O=Root
>> CA/OU=http://www.cacert.org/CN=CA Cert Signing
>> Authority/emailaddress=supp...@cacert.org
>>
>
> This is your SMTP client sending to remote servers. Consider adding this
> certificate to:
>
> smtp_tls_CAfile = /some/file/with/all/trusted/ca/certs.pem
>
> OR
>
> smtp_tls_CApath = /some/directory/with/all/trusted/ca/certs/
>
> In the latter case, you need to run the "c_rehash" utility from OpenSSL,
> to re-index the directory when it is updated. Note that c_rehash is
> not atomic, and may temporarily disrupt verification while it is
> running, so if you use the "secure" or "verify" tls levels, you
> want to stop your MTA before running c_rehash, or run c_rehash
> in new directory, and atomically update a symlink to cut-over to
> the new certificate set.
>
> I have as yet been too lazy to contribute a more robust c_rehash
> to the OpenSSL project. Sorry about that... :-(
>
> --
> Viktor.
>
> Disclaimer: off-list followups get on-list replies or get ignored.
> Please do not ignore the "Reply-To" header.
>
> If my response solves your problem, the best way to thank me is to not
> send an "it worked, thanks" follow-up. If you must respond, please put
> "It worked, thanks" in the "Subject" so I can delete these quickly.

Dennis Putnam
Sr. IT Systems Administrator
AIM Systems, Inc.
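
The cut-over described in the quoted reply (index a new directory with c_rehash, then atomically repoint a symlink), written out as an added example that is not part of the original thread. It assumes GNU `mv -T`, one PEM certificate per `*.pem` file, and that `smtp_tls_CApath` names the symlink; the function name, `REHASH_CMD` variable and directory layout are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the CA directory off to the
# side, index it, then switch a symlink so verification never sees a
# half-indexed directory.
# Assumptions: GNU mv (-T), smtp_tls_CApath points at LINK, certs are *.pem.

# Indexing command; c_rehash is the utility named in the thread.
REHASH_CMD="${REHASH_CMD:-c_rehash}"

# ca_cutover SRC_DIR LINK
#   SRC_DIR  directory holding every trusted CA certificate, one per file
#   LINK     symlink used as smtp_tls_CApath (created on first run)
# Prints the previous symlink target (empty on first run) so the caller can
# delete the old set once no running process still has it open.
ca_cutover() {
    src=$1
    link=$2
    base=$(dirname "$link")

    # Fresh directory next to the link, so the final rename stays on one
    # filesystem and is therefore atomic.
    new=$(mktemp -d "$base/certs.XXXXXX") || return 1
    cp "$src"/*.pem "$new"/ || { rm -rf "$new"; return 1; }
    chmod 755 "$new"    # mktemp -d creates 0700; the SMTP client must read it

    # Index the new directory only; the live one is not touched.
    $REHASH_CMD "$new" >/dev/null || { rm -rf "$new"; return 1; }

    old=$(readlink "$link" 2>/dev/null || true)

    # Create the new symlink under a temporary name, then rename it over the
    # live name. rename(2) replaces the old link in a single step.
    tmp="$link.tmp.$$"
    ln -s "$(basename "$new")" "$tmp" || { rm -rf "$new"; return 1; }
    mv -T "$tmp" "$link" || { rm -f "$tmp"; rm -rf "$new"; return 1; }

    printf '%s\n' "$old"
}
```

Called as, for instance, `ca_cutover /etc/postfix/ssl/ca-src /etc/postfix/ssl/certs` (constructed paths), with the source directory holding the full set of trusted roots each time.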