Artemy Tregubenko:
> Hello,
>
> I have an Ubuntu server with Postfix 2.8.2 on it. Looks like
> tls_append_default_CA has no effect on it.
>
> When I send emails to Gmail I get message about failed certificate
> verification. There're many articles on solving this issue. The ones that
> I saw suggest suboptimal approach of adding Equifax CA certificate to your
> own CA certificate file [1]. I want to solve the issue in a better way.
>
> First of all, Ubuntu ships Equifax_Secure_CA.pem and it's present in
> /etc/ssl/certs/. When I set 'smtp_tls_CAfile =
> /etc/ssl/certs/Equifax_Secure_CA.pem' [2] I get no verification errors, so
> I suppose the certificate is fine. But that will only fix errors for Gmail
> and other users of Equifax-signed certificates.
>
> I want to use a more generic approach, so I unset smtp_tls_CAfile and set
> 'smtp_tls_CApath = /etc/ssl/certs' [3] and 'smtpd_tls_CApath =
> /etc/ssl/certs' [4]. In that configuration I see verification errors.
>
> Documentation on [3] and [4] mentions tls_append_default_CA setting which
> defaults to 'no'[5]. I set 'tls_append_default_CA = yes'. In that
> configuration I see verification errors.
Therefore, the Equifax certificate wasn't found with 'smtp_tls_CApath
= /etc/ssl/certs'. For CApath to work, you need to run a program
that sets up the necessary symlinks (named after a certificate hash)
that allow the OpenSSL library to find the corresponding certificate
files.
To investigate, you can strace the SMTP daemon (see DEBUG_README.html)
and see what system calls fail. That will also show whether you
correctly followed instructions to turn off the chroot feature.
Wietse
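The symlink mechanism Wietse describes, shown as an added example (this is not code from the thread or from Postfix): a CApath directory is only usable if each CA file is reachable through a `<subject-hash>.N` symlink, which is what `c_rehash` (or `openssl rehash` on OpenSSL 1.1.0 and later, and `update-ca-certificates` for `/etc/ssl/certs` on Debian and Ubuntu) creates. The script builds such a directory by hand, audits an existing one, and demonstrates that `openssl verify -CApath` fails against a bare directory and succeeds once the links exist. It assumes the `openssl` command-line tool is installed; the CA name `Example Test CA`, the host name `mail.example.test`, and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: why a bare directory of PEM files is
# not a usable CApath, and what the rehash step actually creates.
# All certificates are generated on the fly with constructed names.
set -eu

# The subject-name hash OpenSSL uses to locate a CA inside a CApath directory.
ca_subject_hash() {
  openssl x509 -noout -hash -in "$1"
}

# Populate a CApath directory from PEM files: copy each one in and add a
# <hash>.N symlink pointing at it. This is the core of what c_rehash and
# "openssl rehash" do (they also add legacy -hash_old links, omitted here).
build_capath() {
  capath=$1; shift
  mkdir -p "$capath"
  for pem in "$@"; do
    cp "$pem" "$capath/"
    h=$(ca_subject_hash "$pem")
    n=0
    while [ -e "$capath/$h.$n" ]; do n=$((n + 1)); done
    ln -s "$(basename "$pem")" "$capath/$h.$n"
  done
}

# Audit a CApath: every *.pem must be reachable through a <hash>.N symlink.
# Returns 1 and names the offenders on stderr if any certificate is not,
# which is exactly the state that makes issuer lookups fail.
check_capath() {
  capath=$1
  rc=0
  for pem in "$capath"/*.pem; do
    [ -f "$pem" ] || continue
    h=$(ca_subject_hash "$pem")
    found=0
    for link in "$capath/$h".[0-9]*; do
      if [ -L "$link" ] && [ "$(readlink "$link")" = "$(basename "$pem")" ]; then
        found=1
      fi
    done
    if [ "$found" -eq 0 ]; then
      echo "no hash symlink for $pem (expected $h.N)" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Verify a leaf certificate against a CApath, as a TLS client would.
verify_with_capath() {
  openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# End-to-end demonstration; prints one result line so it can be checked.
run_demo() {
  work=$(mktemp -d)
  # Constructed CA and leaf certificate; "Example Test CA" is not a real CA.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$work/ca.key" \
    -subj "/CN=Example Test CA" -days 1 -out "$work/ca.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -keyout "$work/leaf.key" \
    -subj "/CN=mail.example.test" -out "$work/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$work/leaf.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
    -CAcreateserial -days 1 -out "$work/leaf.pem" >/dev/null 2>&1

  # Case 1: the CA file merely sits in the directory, with no hash symlink.
  mkdir -p "$work/bare"
  cp "$work/ca.pem" "$work/bare/"
  check_capath "$work/bare" 2>/dev/null && bare_check=ok || bare_check=missing
  verify_with_capath "$work/bare" "$work/leaf.pem" && bare_verify=ok || bare_verify=fail

  # Case 2: the same CA after the rehash step.
  build_capath "$work/hashed" "$work/ca.pem"
  check_capath "$work/hashed" && hashed_check=ok || hashed_check=missing
  verify_with_capath "$work/hashed" "$work/leaf.pem" && hashed_verify=ok || hashed_verify=fail

  rm -rf "$work"
  echo "bare: check=$bare_check verify=$bare_verify; hashed: check=$hashed_check verify=$hashed_verify"
}
```

Running `run_demo` prints `bare: check=missing verify=fail; hashed: check=ok verify=ok`. Pointing `check_capath` at the directory you configured as `smtp_tls_CApath` tells you quickly whether the links are there; remember that when the Postfix SMTP client runs chrooted, the directory it actually opens is relative to the chroot, which is why Wietse suggests strace to see which paths the daemon fails to open.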