Hello:

I created a certificate for my mail server using the StartSSL service
located at http://www.startssl.com/

I set these lines in my main.cf (I already set up dovecot):

# Rules for smtp auth
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =  permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
 
# Enable SMTP TLS
smtpd_tls_cert_file = /etc/ssl/mail.nsa-lp.com.crt
smtpd_tls_key_file = /etc/ssl/mail.nsa-lp.com.key
smtpd_tls_CAfile = /etc/ssl/ca-bundle.cer
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes

I went to a remote server and tried to send an email manually.

I connected to the server using this command:
openssl s_client -connect mail.nsa-lp.com:25 -starttls smtp

I get this output:
CONNECTED(00000003)
depth=3 /C=IL/O=StartCom Ltd./CN=StartCom Certification Authority G2
verify error:num=19:self signed certificate in certificate chain
verify return:0
It then prints the chain, the certificate, and some other info followed by this:
250 DSN

So, it looks like postfix thinks the certificate is self signed.  It does
not recognize the CA.
That is a bit strange, but it gives me the 250 code which says things should
be ok to move forward.

I then issue this command: ehlo jammconsulting.com
I get this response:
250-mail.nsa-lp.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Then, I authenticate to the server: auth plain [Base64 encoded auth]
I get back:
235 2.7.0 Authentication successful

I type: MAIL FROM:<n...@jammconsulting.com>
I get back:
250 2.1.0 Ok

Then, when I type: RCPT TO:<neilagg2...@yahoo.com>
I get this back:
RENEGOTIATING
depth=3 /C=IL/O=StartCom Ltd./CN=StartCom Certification Authority G2
verify error:num=19:self signed certificate in certificate chain
verify return:0

If I type: DATA
I get:
554 5.5.1 Error: no valid recipients

It looks like postfix does not allow me to specify a recipient as long as it
thinks the certificate is self-signed.

How do I get Postfix to recognize this certificate as a CA signed certificate?

Thanks,
  Neil

--
Neil Aggarwal, (972)834-1565, http://UnmeteredVPS.net/centos
Virtual private server with CentOS 6 preinstalled
Unmetered bandwidth = no overage charges
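
The manual test above, scripted with Python's smtplib so that the server's chain is verified against an explicit CA bundle and each step's reply code is reported. This is an added example, not part of the original post; the function names, a client-side copy of the CA bundle, and the credentials and addresses in the usage block are assumptions or placeholders.

```python
import base64
import smtplib
import ssl


def auth_plain_token(user: str, password: str) -> str:
    """Base64 of NUL + user + NUL + password: the argument to AUTH PLAIN."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode("ascii")


def probe(host, port, cafile, helo, user, password, sender, rcpt):
    """Repeat the manual session; return one status entry per step."""
    # Trust only the CAs in `cafile`; chain and hostname are both checked.
    ctx = ssl.create_default_context(cafile=cafile)
    result = {}
    smtp = smtplib.SMTP(host, port, timeout=15)
    try:
        smtp.ehlo(helo)
        try:
            smtp.starttls(context=ctx)
        except smtplib.SMTPNotSupportedError:
            result["tls"] = "STARTTLS not offered"
            return result
        except ssl.SSLCertVerificationError as exc:
            result["tls"] = f"chain rejected: {exc.verify_message}"
            return result
        result["tls"] = "chain verified"
        smtp.ehlo(helo)  # capabilities must be re-read after STARTTLS
        token = auth_plain_token(user, password)
        result["auth"] = smtp.docmd("AUTH PLAIN", token)[0]
        result["mail"] = smtp.mail(sender)[0]
        result["rcpt"] = smtp.rcpt(rcpt)[0]
        smtp.rset()  # abandon the transaction; no message is sent
        smtp.quit()
    finally:
        smtp.close()
    return result


if __name__ == "__main__":
    # Host, port and CA bundle file name are taken from the post; the HELO
    # name, credentials and addresses are placeholders (assumptions).
    print(probe("mail.nsa-lp.com", 25, "/etc/ssl/ca-bundle.cer",
                "client.example.com", "USER", "PASSWORD",
                "sender@example.com", "recipient@example.net"))
```

Unlike an interactive `openssl s_client` session, which treats an input line beginning with `R` as a request to renegotiate, the script sends `RCPT TO` to the server unchanged.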


