On Wed, Oct 19, 2011 at 04:50:08PM +0200, eu...@mail2.infochem.de wrote:

> > In this case certificate is not signed by Thawte, but it's
> > self-signed. Check if smtpd_tls_cert_file and smtpd_tls_key_file
> > options are pointing to the correct certificate/key.
>
> Thanks, Kamil, that was indeed the culprit -- these did point
> to stock Debian snake oil certs. Should be fixed now.

Not entirely, you configured only the leaf server cert, and did not
also configure the intermediate CA cert (which should be appended
to your cert.pem file). The issuer:

    /C=US/O=Thawte, Inc./CN=Thawte SSL CA

is not a root CA. Probably the missing intermediate is something like:

    http://ait.its.psu.edu/services/identity-access-management/identity/webaccess/Thawte-SSL-CA.txt

Here's what I see:

    $ openssl s_client -starttls smtp -showcerts -connect mail2.infochem.de:25
    depth=0 C = DE, ST = Bayern, L = Muenchen, O = InfoChem Gesellschaft fuer chemische Information mbH, CN = *.infochem.de
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 C = DE, ST = Bayern, L = Muenchen, O = InfoChem Gesellschaft fuer chemische Information mbH, CN = *.infochem.de
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 C = DE, ST = Bayern, L = Muenchen, O = InfoChem Gesellschaft fuer chemische Information mbH, CN = *.infochem.de
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
     0 s:/C=DE/ST=Bayern/L=Muenchen/O=InfoChem Gesellschaft fuer chemische Information mbH/CN=*.infochem.de
       i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA

--
	Viktor.
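
The chain check described in the message above, as an added example that is not part of the original thread: it parses the "Certificate chain" section of `openssl s_client -showcerts` output and reports where a verifying client would get stuck. The function names and the `ROOTS` trust-anchor name are assumptions made for this sketch; the sample input is the chain section quoted in the message.

```python
import re

# Chain entries in `openssl s_client -showcerts` output: " 0 s:<subject>" then "   i:<issuer>".
SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:\s*(.+?)\s*$")
ISSUER_RE = re.compile(r"^\s*i:\s*(.+?)\s*$")

def parse_chain(output):
    """Return [(index, subject, issuer), ...] in the order the server sent them."""
    chain, pending = [], None
    for line in output.splitlines():
        m = SUBJECT_RE.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2))
        elif pending and (m := ISSUER_RE.match(line)):
            chain.append((*pending, m.group(1)))
            pending = None
    return chain

def chain_problems(chain, trusted_roots):
    """Describe where a verifier walking the presented chain would get stuck.

    trusted_roots: subject DNs the client already trusts (caller-supplied assumption).
    """
    if not chain:
        return ["server presented no certificates"]
    problems = []
    # Each certificate must be issued by the next one the server sends.
    for (idx, _, issuer), (nxt, nxt_subject, _) in zip(chain, chain[1:]):
        if issuer != nxt_subject:
            problems.append(f"cert {idx}: issuer {issuer!r} is not the subject of cert {nxt}")
    idx, subject, issuer = chain[-1]
    if subject == issuer:
        if subject not in trusted_roots:
            problems.append(f"cert {idx}: self-signed and not a trusted root")
    elif issuer not in trusted_roots:
        problems.append(f"cert {idx}: issuer {issuer!r} was not sent and is not a "
                        "trusted root (missing intermediate)")
    return problems

# Chain section from the s_client output in the message above.
PAGE_OUTPUT = """\
Certificate chain
 0 s:/C=DE/ST=Bayern/L=Muenchen/O=InfoChem Gesellschaft fuer chemische Information mbH/CN=*.infochem.de
   i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
"""
ROOTS = {"/CN=Example Root CA"}  # constructed placeholder trust anchor, not a real CA name

if __name__ == "__main__":
    for problem in chain_problems(parse_chain(PAGE_OUTPUT), ROOTS):
        print(problem)
```
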