* Neil Aggarwal <n...@jammconsulting.com>:
> Hello:
> 
> I created a certificate for my mail server using the StartSSL service
> located at http://www.startssl.com/
> 
> I set these lines in my main.cf (I already set up dovecot):
> 
> # Rules for smtp auth
> smtpd_sasl_type = dovecot
> smtpd_sasl_path = private/auth
> smtpd_sasl_auth_enable = yes
> smtpd_recipient_restrictions = permit_mynetworks,
>     permit_sasl_authenticated,
>     reject_unauth_destination
> 
> # Enable SMTP TLS
> smtpd_tls_cert_file = /etc/ssl/mail.nsa-lp.com.crt
> smtpd_tls_key_file = /etc/ssl/mail.nsa-lp.com.key
> smtpd_tls_CAfile = /etc/ssl/ca-bundle.cer
> smtpd_tls_security_level = may
> smtpd_tls_auth_only = yes
> 
> I went to a remote server and tried to send an email manually.
> 
> I connected to the server using this command:
> openssl s_client -connect mail.nsa-lp.com:25 -starttls smtp
> 
> I get this output:
> CONNECTED(00000003)
> depth=3 /C=IL/O=StartCom Ltd./CN=StartCom Certification Authority G2
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> It then prints the chain, the certificate, and some other info followed by
> this:
> 250 DSN
> 
> So, it looks like postfix thinks the certificate is self signed. It does
> not recognize the CA.
> That is a bit strange, but it gives me the 250 code which says things should
> be ok
The 250 is an SMTP reply unrelated to the fact that your test can't verify the certificate. Try this command to see a verification output that enables s_client to look up the CA which signed your certificate:

openssl s_client -connect mail.nsa-lp.com:25 -starttls smtp -CAfile /etc/ssl/ca-bundle.cer

> to move forward.
> 
> I then issue this command: ehlo jammconsulting.com
> I get this response:
> 250-mail.nsa-lp.com
> 250-PIPELINING
> 250-SIZE 10240000
> 250-VRFY
> 250-ETRN
> 250-AUTH PLAIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> 
> Then, I authenticate to the server: auth plain [Base64 encoded auth]
> I get back:
> 235 2.7.0 Authentication successful
> 
> I type: MAIL FROM:<n...@jammconsulting.com>
> I get back:
> 250 2.1.0 Ok
> 
> Then, when I type: RCPT TO:<neilagg2...@yahoo.com>
> I get this back:
> RENEGOTIATING
> depth=3 /C=IL/O=StartCom Ltd./CN=StartCom Certification Authority G2
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> 
> If I type: DATA
> I get:
> 554 5.5.1 Error: no valid recipients
> 
> It looks like postfix does not allow me to specify a recipient as long as it
> thinks the certificate is self-signed.

You mix error output from the openssl s_client with things that go wrong on the server side. Try the openssl command I showed above and see if s_client still complains about a "self signed certificate in certificate chain".

On a sidenote: s_client states the cert itself is okay: "verify return:0"

> How do I get Postfix to recognize this certificate as a CA signed
> certificate?

The SMTP server is dispassionate about your certificate's state. It simply sends it. It's the client that complains, because it has to decide whether it is willing to accept what the server sends or not.

p@rick

-- 
All technical questions asked privately will be automatically answered on the list and archived for public access unless privacy is explicitly required and justified.

saslfinger (debugging SMTP AUTH): <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
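An added example, not part of the thread above: a small classifier that takes an `openssl s_client -starttls smtp` transcript and separates what s_client itself printed on the client side (verify errors caused by a missing CA in the client's trust store, the RENEGOTIATING line) from the numeric replies that actually came from the Postfix server. The transcript is constructed from the lines quoted in the thread; the `classify` function and the hint strings are my own.

```python
"""Separate s_client's own diagnostics from SMTP server replies in a transcript."""
import re

# Constructed sample: the lines quoted in the thread, in the order they appeared.
TRANSCRIPT = """\
CONNECTED(00000003)
depth=3 /C=IL/O=StartCom Ltd./CN=StartCom Certification Authority G2
verify error:num=19:self signed certificate in certificate chain
verify return:0
250 DSN
250-mail.nsa-lp.com
250-AUTH PLAIN
250 DSN
235 2.7.0 Authentication successful
250 2.1.0 Ok
RENEGOTIATING
depth=3 /C=IL/O=StartCom Ltd./CN=StartCom Certification Authority G2
verify error:num=19:self signed certificate in certificate chain
verify return:0
554 5.5.1 Error: no valid recipients
"""

SMTP_REPLY = re.compile(r"^(\d{3})([ -])(.*)$")   # e.g. "250-AUTH PLAIN"
VERIFY_ERR = re.compile(r"^verify error:num=(\d+):(.*)$")

# X509 verify errors that mean the *client* could not build a trusted chain:
# the fix is on the verifier's side (point -CAfile at the CA bundle), not on the server.
CLIENT_TRUST_ERRORS = {19, 20, 21}


def classify(transcript):
    """Return (smtp_replies, client_findings) for one s_client transcript."""
    replies, findings = [], []

    def note(msg):
        if msg not in findings:
            findings.append(msg)

    for line in transcript.splitlines():
        m = SMTP_REPLY.match(line)
        if m:  # three-digit code: this came from the SMTP server, not from s_client
            replies.append((int(m.group(1)), m.group(3)))
            continue
        m = VERIFY_ERR.match(line)
        if m and int(m.group(1)) in CLIENT_TRUST_ERRORS:
            note("client-side: verify error %s (%s); re-run s_client with -CAfile"
                 % (m.group(1), m.group(2)))
        elif line == "RENEGOTIATING":
            # Printed by s_client itself: without -ign_eof, OpenSSL 1.0-era s_client
            # treats an input line starting with 'R' (such as "RCPT TO:") as a
            # renegotiation request, so that line never reached the server.
            note("client-side: RENEGOTIATING means s_client consumed an input line "
                 "starting with 'R'; use -ign_eof (or -quiet) when typing SMTP by hand")
    return replies, findings
```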