Hello,
I have an Ubuntu server with Postfix 2.8.2 on it. It looks like
tls_append_default_CA has no effect on it.

When I send emails to Gmail I get a message about failed certificate
verification. There are many articles on solving this issue. The ones that
I saw suggest a suboptimal approach of adding the Equifax CA certificate to your
own CA certificate file [1]. I want to solve the issue in a better way.

First of all, Ubuntu ships Equifax_Secure_CA.pem and it is present in
/etc/ssl/certs/. When I set 'smtp_tls_CAfile =
/etc/ssl/certs/Equifax_Secure_CA.pem' [2] I get no verification errors, so
I suppose the certificate is fine. But that will only fix errors for Gmail
and other users of Equifax-signed certificates.

I want to use a more generic approach, so I unset smtp_tls_CAfile and set
'smtp_tls_CApath = /etc/ssl/certs' [3] and 'smtpd_tls_CApath =
/etc/ssl/certs' [4]. In that configuration I see verification errors.

The documentation for [3] and [4] mentions the tls_append_default_CA setting, which
defaults to 'no' [5]. I set 'tls_append_default_CA = yes'. In that
configuration I see verification errors.

I unset smtp_tls_CApath and smtpd_tls_CApath. The only option about CA
certificates is tls_append_default_CA now. In that configuration I see
verification errors.

I set 'smtp_tls_CAfile = /etc/ssl/certs/cacert.pem' in addition to
'tls_append_default_CA = yes'. In that configuration I see verification
errors.

The documentation for tls_append_default_CA says: "Append the system-supplied
default certificate authority certificates to the ones specified with
*_tls_CApath or *_tls_CAfile." I suppose that the certificates in
/etc/ssl/certs are system-supplied default certificate authority
certificates. Apparently those are not added to *_tls_CApath or
*_tls_CAfile.

What might be the cause of that issue? Is this a bug in Postfix?
[1] http://stevejenkins.com/blog/2011/06/fixing-postfix-certificate-verification-failed-for-gmail-untrusted-issuer-error-message/
[2] http://www.postfix.org/postconf.5.html#smtp_tls_CAfile
[3] http://www.postfix.org/postconf.5.html#smtp_tls_CApath
[4] http://www.postfix.org/postconf.5.html#smtpd_tls_CApath
[5] http://www.postfix.org/postconf.5.html#tls_append_default_CA
--
Regards, Artemy
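Two things a practitioner checks before blaming Postfix when a *_tls_CApath setting verifies nothing: the directory must be hashed with c_rehash (Postfix looks certificates up by OpenSSL hash-named links), and on Debian/Ubuntu the smtp(8) client normally runs chrooted under /var/spool/postfix, so the path is resolved inside the chroot. The script below is an added example, not from the original post or from Postfix; the directory names, the chroot root and the `0123abcd.0` link name in the usage are assumptions and constructed values.

```shell
#!/bin/sh
# Added example: sanity-check a directory intended for Postfix *_tls_CApath.
# A usable CApath contains OpenSSL hash links (8 hex chars, a dot, a digit)
# created by c_rehash; a directory of plain .pem files is silently useless.

# Return 0 if $1 holds at least one hash-named entry, 1 otherwise.
capath_is_hashed() {
    dir=$1
    [ -d "$dir" ] || return 1
    for f in "$dir"/*; do
        base=${f##*/}
        case $base in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                return 0 ;;
        esac
    done
    return 1
}

# Check $1 on the host and, if $2 (a chroot root such as the Postfix
# queue_directory) is given, the same path inside that chroot.
# Returns 0 only when every checked location is usable.
check_capath() {
    capath=$1
    chroot_root=$2
    status=0
    if capath_is_hashed "$capath"; then
        echo "OK:   $capath is a hashed CA directory"
    else
        echo "FAIL: $capath has no c_rehash links (fix: c_rehash $capath)"
        status=1
    fi
    if [ -n "$chroot_root" ]; then
        if capath_is_hashed "$chroot_root$capath"; then
            echo "OK:   $chroot_root$capath is usable inside the chroot"
        else
            echo "FAIL: $chroot_root$capath missing or unhashed; a chrooted smtp(8) cannot see the host copy"
            status=1
        fi
    fi
    return $status
}

# Usage (assumed Debian/Ubuntu defaults): check_capath.sh [CApath] [chroot root]
# 'postconf -h queue_directory' prints the chroot root Postfix actually uses.
if [ $# -gt 0 ]; then
    check_capath "$1" "${2:-/var/spool/postfix}"
fi
```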