On Wed, Aug 25, 2010 at 05:59:10AM -0700, Security Admin (NetSec) wrote:

> "postfix/smtp[28338]: certificate verification failed
> for mail.xxxxx.org[xxx.xxx.xxx.xxx]:25: untrusted issuer
> /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits
> liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server
> Certification Authority"

This public root CA is not listed in your smtp_tls_CAfile or smtp_tls_CApath.

> Mail is still sent despite warning. Suspect that problem is either:

Opportunistic TLS works as advertised.

> 1. Using a self-signed certificate and need to purchase one to use
> with mail server. If this is the case, would appreciate
> recommendations/weblinks on good places to purchase.

Irrelevant. The certificate in question is on a remote server, not yours.

> 2. Configuration error. Partial main.cf is below:
>
> smtpd_use_tls = yes
> smtp_use_tls = yes

Obsolete, use "smtp_tls_security_level" and "smtpd_tls_security_level".

> smtp_tls_security_level = may

Good, you don't need the obsolete "smtp_use_tls" setting.

> smtp_tls_CAfile = /etc/postfix/exchange.pem

You can list more CAs in this file if you wish.

> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

Fine.

> smtpd_tls_mandatory_ciphers = high

This is unlikely to have any effect, unless you have a submission service
defined in master.cf.

> smtpd_tls_loglevel = 2

Too verbose for production use.

> smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
> smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache

Clearly, only one of these is used, specifically the last. Drop the
needless sdbm setting.

-- 
	Viktor.
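The review above boils down to three mechanical checks on main.cf: a parameter set twice keeps only its last value, smtp_use_tls/smtpd_use_tls are obsolete next to the *_tls_security_level settings, and a TLS log level above 1 is too noisy for production. The following is an added example, not code from the thread or from Postfix: a small Python linter that parses a main.cf fragment using the postconf(5) syntax rules (one "parameter = value" per logical line, lines whose first non-blank character is "#" ignored, a line starting with whitespace continuing the previous value) and reports those three findings. The function names parse_main_cf and lint_tls, the OBSOLETE table and the SAMPLE_MAIN_CF text are mine; the sample is reconstructed from the snippet quoted in the message.

```python
"""Lint a Postfix main.cf fragment for the issues raised in the reply above.

Added example, not Postfix code. Reports:
  * parameters set more than once (Postfix keeps the LAST occurrence),
  * obsolete smtp_use_tls / smtpd_use_tls (superseded by *_tls_security_level),
  * TLS log levels above 1 (too verbose for production).
"""
import re
from collections import OrderedDict

# Obsolete parameter -> the setting that supersedes it (assumed table).
OBSOLETE = {
    "smtp_use_tls": "smtp_tls_security_level",
    "smtpd_use_tls": "smtpd_tls_security_level",
}

# Constructed sample, reassembled from the main.cf snippet quoted in the thread.
SAMPLE_MAIN_CF = """\
# TLS settings
smtpd_use_tls = yes
smtp_use_tls = yes
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/postfix/exchange.pem
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtpd_tls_mandatory_ciphers = high
smtpd_tls_loglevel = 2
smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
"""


def parse_main_cf(text):
    """Return (settings, duplicates).

    settings maps each parameter to its effective (last) value; duplicates
    maps parameters seen more than once to every value given, in file order.
    """
    seen = OrderedDict()
    current = None
    for raw in text.splitlines():
        # Blank lines and comment lines are ignored.
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        # A line starting with whitespace continues the previous logical line.
        if raw[0] in " \t" and current is not None:
            prev = seen[current][-1]
            seen[current][-1] = (prev + " " + raw.strip()).strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$", raw)
        if not m:
            raise ValueError("unparseable main.cf line: %r" % raw)
        key, value = m.group(1), m.group(2)
        seen.setdefault(key, []).append(value)
        current = key
    settings = {k: v[-1] for k, v in seen.items()}
    duplicates = {k: v for k, v in seen.items() if len(v) > 1}
    return settings, duplicates


def lint_tls(text):
    """Return a list of human-readable findings for a main.cf fragment."""
    settings, duplicates = parse_main_cf(text)
    findings = []
    for key, values in duplicates.items():
        findings.append("%s set %d times; only the last (%s) is used"
                        % (key, len(values), values[-1]))
    for old, new in OBSOLETE.items():
        if old in settings:
            if new in settings:
                findings.append("%s is obsolete and redundant with %s = %s"
                                % (old, new, settings[new]))
            else:
                findings.append("%s is obsolete; use %s instead" % (old, new))
    for key in ("smtp_tls_loglevel", "smtpd_tls_loglevel"):
        value = settings.get(key, "")
        if value.isdigit() and int(value) > 1:
            findings.append("%s = %s is too verbose for production"
                            % (key, value))
    return findings


if __name__ == "__main__":
    for finding in lint_tls(SAMPLE_MAIN_CF):
        print(finding)
```

On a real system, `postconf -n` prints the effective non-default values and is the quickest way to confirm which of two duplicate settings Postfix actually uses; the linter's "last occurrence wins" rule mirrors that behaviour for a fragment that is not yet installed.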