On Sun, Jan 09, 2011 at 10:39:49PM +0000, IT geek 31 wrote:

> My understanding is to prevent these errors, you obtain the root
> certificate for each server mail certificate your Postfix server
> connects to, append it to a pem file and reference it with
> smtp_tls_CAfile in main.conf.
Not worth it, you just ignore these errors. Their purpose is to enable you to figure out why a connection that wants to "verify" certs failed, by reading the logs. Almost nobody verifies TLS certs with email, so the logging is harmless noise.

My own configuration of Postfix does not log certificate verification errors for connections where certificate trust chain based authentication is not performed ("may", "encrypt" or "fingerprint" security levels).

I'll see whether there is interest in adopting the "fine-grained" TLS logging code in 2.9. This changes the 4 TLS log levels to a list of features to log or not log, with 1,2,3,4 aliases for the feature lists that correspond to the legacy levels. Last time I showed this to Wietse in the 2.3/2.4 time-frame, there were too many other TLS features changing, and IIRC the feature looked like overkill for most users...

The feature list is below. The recommended loglevel is "summary". Once again, this is not in the official Postfix release, just code that may or may not get adopted some day...

none
    Same as the empty setting, log only handshake failures, success is
    silent.

summary
    Log summary message on TLS handshake completion.

untrusted
    Log all trust chain validation errors, even with sessions that
    don't care whether the server certificate is trusted.

verbose
    Log verbose peer certificate and status information. This subsumes
    "untrusted" and "summary".

cache
    Log TLS session cache activity.

certmatch
    Log all names found in the server certificate, even any ignored
    CommonName after finding subjectAltNames or any further
    subjectAltNames found after a matching name. With each name log
    whether it meets the matching criteria for the current security
    level. At the "fingerprint" security level, log matching of the
    server certificate fingerprint. This also turns on "untrusted" and
    "summary".

debug
    Log detailed step-by-step TLS handshake progress; this subsumes
    "untrusted", "summary", "verbose" and "cache". For debugging only,
    not suitable for every-day use.

handshake-packet-dump
    Same as "debug", plus hexadecimal and ASCII dump of the TLS
    negotiation process is logged. Expert use only.

session-packet-dump
    Same as "debug", plus hexadecimal and ASCII dump of complete
    transmission after STARTTLS is logged. Expert use only.

0
    Same as "untrusted". Backwards compatible with Postfix prior to 2.6.

1
    Same as "0", plus "summary".

2
    Same as "debug".

3
    Same as "handshake-packet-dump".

4
    Same as "session-packet-dump".

-- 
Viktor.
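An added example, not part of the thread and not Postfix code: the Python below models the alias and subsumption rules of the proposed feature list exactly as the message describes them, so an administrator can compute which features a given loglevel setting would actually log, and find the shortest equivalent spelling. The comma/whitespace-separated list syntax is an assumption (it mirrors how Postfix lists are usually written); the feature names and their relations are the ones from the message.

```python
"""Resolve the proposed fine-grained Postfix TLS loglevel feature list.

Added example (not Postfix code): models the alias and subsumption rules
described in the message so the effective set of logged features for a
setting such as "1" or "certmatch, cache" can be computed.
"""

# Each feature maps to the features it implies, per the message text.
IMPLIES = {
    "none": set(),                      # empty setting: handshake failures only
    "summary": set(),
    "untrusted": set(),
    "verbose": {"untrusted", "summary"},
    "cache": set(),
    "certmatch": {"untrusted", "summary"},
    "debug": {"untrusted", "summary", "verbose", "cache"},
    "handshake-packet-dump": {"debug"},
    "session-packet-dump": {"debug"},
}

# Numeric aliases that correspond to the legacy log levels.
ALIASES = {
    "0": {"untrusted"},
    "1": {"untrusted", "summary"},
    "2": {"debug"},
    "3": {"handshake-packet-dump"},
    "4": {"session-packet-dump"},
}


def _split(setting):
    """Split a comma- and/or whitespace-separated list (assumed syntax)."""
    return [tok for tok in setting.replace(",", " ").split() if tok]


def resolve_tls_loglevel(setting):
    """Return the frozenset of features effectively logged for `setting`.

    Aliases are expanded first, then implied features are added
    transitively. Unknown tokens raise ValueError rather than being
    silently ignored, which is the failure mode you want for a config
    knob that controls what ends up in the logs.
    """
    requested = set()
    for tok in _split(setting):
        tok = tok.lower()
        if tok in ALIASES:
            requested |= ALIASES[tok]
        elif tok in IMPLIES:
            requested.add(tok)
        else:
            raise ValueError(f"unknown TLS loglevel feature: {tok!r}")

    effective = set()
    work = list(requested)
    while work:
        feature = work.pop()
        if feature in effective:
            continue
        effective.add(feature)
        work.extend(IMPLIES[feature])
    effective.discard("none")   # "none" contributes nothing beyond the baseline
    return frozenset(effective)


def minimal_spelling(features):
    """Drop every feature already implied by another one in the set.

    E.g. {"debug", "verbose", "cache", ...} collapses to {"debug"}.
    """
    return frozenset(
        f for f in features
        if not any(f in resolve_tls_loglevel(g) for g in features if g != f)
    )


if __name__ == "__main__":
    for setting in ("", "summary", "1", "2", "certmatch, cache", "4"):
        effective = resolve_tls_loglevel(setting)
        print(f"{setting!r:20} -> {sorted(effective)} "
              f"(minimal: {sorted(minimal_spelling(effective))})")
```

Running the script shows, for instance, that legacy level "1" is just "untrusted" plus "summary", while "2" through "4" all pull in the full "debug" set, which is why the message recommends the much quieter "summary" for everyday use.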