Try copying the contents of the chain certificates `sub.class1.server.ca.pem` then `ca.pem` to the contents of your public certificate, from depth to root.
2012/6/23 Patrick Ben Koetter <p...@state-of-mind.de>:
> * Neil Aggarwal <n...@jammconsulting.com>:
>> Hello:
>>
>> I created a certificate for my mail server using the StartSSL service
>> located at http://www.startssl.com/
>>
>> I set these lines in my main.cf (I already set up dovecot):
>>
>> # Rules for smtp auth
>> smtpd_sasl_type = dovecot
>> smtpd_sasl_path = private/auth
>> smtpd_sasl_auth_enable = yes
>> smtpd_recipient_restrictions = permit_mynetworks,
>>     permit_sasl_authenticated,
>>     reject_unauth_destination
>>
>> # Enable SMTP TLS
>> smtpd_tls_cert_file = /etc/ssl/mail.nsa-lp.com.crt
>> smtpd_tls_key_file = /etc/ssl/mail.nsa-lp.com.key
>> smtpd_tls_CAfile = /etc/ssl/ca-bundle.cer
>> smtpd_tls_security_level = may
>> smtpd_tls_auth_only = yes
>>
>> I went to a remote server and tried to send an email manually.
>>
>> I connected to the server using this command:
>> openssl s_client -connect mail.nsa-lp.com:25 -starttls smtp
>>
>> I get this output:
>> CONNECTED(00000003)
>> depth=3 /C=IL/O=StartCom Ltd./CN=StartCom Certification Authority G2
>> verify error:num=19:self signed certificate in certificate chain
>> verify return:0
>> It then prints the chain, the certificate, and some other info followed by
>> this:
>> 250 DSN
>>
>> So, it looks like postfix thinks the certificate is self signed. It does
>> not recognize the CA.
>> That is a bit strange, but it gives me the 250 code which says things should
>> be ok
>
> The 250 is a SMTP reply unrelated to the fact that your test can't verify the
> certificate. Try this command to see a verification output that enables
> s_client to look up the CA, which signed your certificate:
>
> openssl s_client -connect mail.nsa-lp.com:25 -starttls smtp -CAfile /etc/ssl/ca-bundle.cer
>
>> to move forward.
>>
>> I then issue this command: ehlo jammconsulting.com
>> I get this response:
>> 250-mail.nsa-lp.com
>> 250-PIPELINING
>> 250-SIZE 10240000
>> 250-VRFY
>> 250-ETRN
>> 250-AUTH PLAIN
>> 250-ENHANCEDSTATUSCODES
>> 250-8BITMIME
>> 250 DSN
>>
>> Then, I authenticate to the server: auth plain [Base64 encoded auth]
>> I get back:
>> 235 2.7.0 Authentication successful
>>
>> I type: MAIL FROM:<n...@jammconsulting.com>
>> I get back:
>> 250 2.1.0 Ok
>>
>> Then, when I type: RCPT TO:<neilagg2...@yahoo.com>
>> I get this back:
>> RENEGOTIATING
>> depth=3 /C=IL/O=StartCom Ltd./CN=StartCom Certification Authority G2
>> verify error:num=19:self signed certificate in certificate chain
>> verify return:0
>>
>> If I type: DATA
>> I get:
>> 554 5.5.1 Error: no valid recipients
>>
>> It looks like postfix does not allow me to specify a recipient as long as it
>> thinks the certificate is self-signed.
>
> You mix error output from the openssl s_client with things that go wrong on
> the server side.
>
> Try the openssl command I showed above and see if s_client still complains
> about a "self signed certificate in certificate chain". On a sidenote:
> s_client states the cert itself is okay: "verify return:0"
>
>> How do I get Postfix to recognize this certificate as a CA signed
>> certificate?
>
> The SMTP server is dispassionate about your certificates state. It simply
> sends it. It's the client that complains, because it has to decide whether it
> is willing to accept what the server sends or not.
>
> p@rick
>
> --
> All technical questions asked privately will be automatically answered on the
> list and archived for public access unless privacy is explicitly required and
> justified.
>
> saslfinger (debugging SMTP AUTH):
> <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>