Hi,

Reviving this thread. I'm configuring the CA certificates to validate the smarthost used to filter spam. Right now the connection works, but the message

status=deferred (Server certificate not verified)

appears. I was looking at all the information about it in howtos, and it seems that the problem is when my server exchanges credentials with the smarthost. It seems that it does not recognize the CA certificates from the destination, and I have two questions:

- What file is smtp_tls_CApath=/certs looking for, all of them? (I'm referring to the name of the file.) Does it need to use a special name?

Right now, following your recommendation and the Postfix howto, I changed this to

smtp_tls_CApath = /var/spool/postfix/certs
smtpd_tls_CApath = /var/spool/postfix/certs

And now I don't know if I need to do something more to accept the connection when it sends to this smarthost. Ideas?

Best Regards

On 08/02/13 20:07, deco...@riseup.net wrote:
>
> Hi list
>
> Right now I'm configuring the TLS function in my postfix 2.5.5 and I'm
> having a new problem.
>
> First it said untrusted issuer because it did not detect the
> certificates. Right now the message every time it sends is
>
> status=deferred (Server certificate not verified)
>
> I was configuring using a howto that says to do
>
> ---------------------
> mkdir /var/spool/postfix/certs
> cp -R /etc/ssl/certs/* /var/spool/postfix/certs
> mkdir -p /var/spool/postfix/usr/share/ca-certificates
> cp -R /usr/share/ca-certificates
> /var/spool/postfix/usr/share/ca-certificates
>
> Then, in main.cf, change the smtp_tls_security_level line and add an
> smtp_tls_CApath line as follows:
>
> smtp_tls_security_level=verify
> smtp_tls_CApath=/certs
>
> -----------------
>
> And now the postconf for help:
>
> default_transport = smtp
> lmtp_pix_workarounds = disable_esmtp,delay_dotcrlf
> non_smtpd_milters =
> parent_domain_matches_subdomains =
> debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps
> proxy_read_maps = $local_recipient_maps $mydestination
> $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps
> $virtual_mailbox_domains $relay_recipient_maps $relay_domains
> $canonical_maps $sender_canonical_maps $recipient_canonical_maps
> $relocated_maps $transport_maps $mynetworks $sender_bcc_maps
> $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps
> proxy_write_maps = $smtp_sasl_auth_cache_name $lmtp_sasl_auth_cache_name
> relayhost = smtp.puc.mysmarthost.es
> smtp_always_send_ehlo = yes
> smtp_bind_address =
> smtp_bind_address6 =
> smtp_body_checks =
> smtp_cname_overrides_servername = no
> smtp_connect_timeout = 30s
> smtp_connection_cache_destinations =
> smtp_connection_cache_on_demand = yes
> smtp_connection_cache_time_limit = 2s
> smtp_connection_reuse_time_limit = 300s
> smtp_data_done_timeout = 600s
> smtp_data_init_timeout = 120s
> smtp_data_xfer_timeout = 180s
> smtp_defer_if_no_mx_address_found = no
> smtp_destination_concurrency_failed_cohort_limit =
> $default_destination_concurrency_failed_cohort_limit
> smtp_destination_concurrency_limit =
> $default_destination_concurrency_limit
> smtp_destination_concurrency_negative_feedback =
> $default_destination_concurrency_negative_feedback
> smtp_destination_concurrency_positive_feedback =
> $default_destination_concurrency_positive_feedback
> smtp_destination_rate_delay = $default_destination_rate_delay
> smtp_destination_recipient_limit = $default_destination_recipient_limit
> smtp_discard_ehlo_keyword_address_maps =
> smtp_discard_ehlo_keywords =
> smtp_enforce_tls = no
> smtp_fallback_relay = $fallback_relay
> smtp_generic_maps =
> smtp_header_checks =
> smtp_helo_name = $myhostname
> smtp_helo_timeout = 300s
> smtp_host_lookup = dns
> smtp_initial_destination_concurrency = $initial_destination_concurrency
> smtp_line_length_limit = 990
> smtp_mail_timeout = 300s
> smtp_mime_header_checks =
> smtp_mx_address_limit = 5
> smtp_mx_session_limit = 2
> smtp_nested_header_checks =
> smtp_never_send_ehlo = no
> smtp_pix_workaround_delay_time = 10s
> smtp_pix_workaround_maps =
> smtp_pix_workaround_threshold_time = 500s
> smtp_pix_workarounds = disable_esmtp,delay_dotcrlf
> smtp_quit_timeout = 300s
> smtp_quote_rfc821_envelope = yes
> smtp_randomize_addresses = yes
> smtp_rcpt_timeout = 300s
> smtp_rset_timeout = 20s
> smtp_sasl_auth_cache_name =
> smtp_sasl_auth_cache_time = 90d
> smtp_sasl_auth_enable = no
> smtp_sasl_auth_soft_bounce = yes
> smtp_sasl_mechanism_filter =
> smtp_sasl_password_maps = hash:/etc/postfix/relay_passwd
> smtp_sasl_path =
> smtp_sasl_security_options = noanonymous
> smtp_sasl_tls_security_options = $smtp_sasl_security_options
> smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
> smtp_sasl_type = cyrus
> smtp_send_xforward_command = no
> smtp_sender_dependent_authentication = no
> smtp_skip_5xx_greeting = yes
> smtp_skip_quit_response = yes
> smtp_starttls_timeout = 300s
> smtp_tls_CAfile =
> smtp_tls_CApath = /certs
> smtp_tls_cert_file =
> smtp_tls_dcert_file =
> smtp_tls_dkey_file = $smtp_tls_dcert_file
> smtp_tls_enforce_peername = yes
> smtp_tls_exclude_ciphers =
> smtp_tls_fingerprint_cert_match =
> smtp_tls_fingerprint_digest = md5
> smtp_tls_key_file = $smtp_tls_cert_file
> smtp_tls_loglevel = 0
> smtp_tls_mandatory_ciphers = medium
> smtp_tls_mandatory_exclude_ciphers =
> smtp_tls_mandatory_protocols = SSLv3, TLSv1
> smtp_tls_note_starttls_offer = yes
> smtp_tls_per_site =
> smtp_tls_policy_maps =
> smtp_tls_scert_verifydepth = 9
> smtp_tls_secure_cert_match = nexthop, dot-nexthop
> smtp_tls_security_level = verify
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtp_tls_session_cache_timeout = 3600s
> smtp_tls_verify_cert_match = hostname
> smtp_use_tls = yes
> smtp_xforward_timeout = 300s
> smtpd_authorized_verp_clients = $authorized_verp_clients
> smtpd_authorized_xclient_hosts =
> smtpd_authorized_xforward_hosts =
> smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
> smtpd_client_connection_count_limit = 50
> smtpd_client_connection_rate_limit = 0
> smtpd_client_event_limit_exceptions =
> ${smtpd_client_connection_limit_exceptions:$mynetworks}
> smtpd_client_message_rate_limit = 0
> smtpd_client_new_tls_session_rate_limit = 0
> smtpd_client_port_logging = no
> smtpd_client_recipient_rate_limit = 0
> smtpd_client_restrictions =
> smtpd_data_restrictions =
> smtpd_delay_open_until_valid_rcpt = yes
> smtpd_delay_reject = yes
> smtpd_discard_ehlo_keyword_address_maps =
> smtpd_discard_ehlo_keywords =
> smtpd_end_of_data_restrictions =
> smtpd_enforce_tls = no
> smtpd_error_sleep_time = 1s
> smtpd_etrn_restrictions =
> smtpd_expansion_filter =
> \t\40!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~
> smtpd_forbidden_commands = CONNECT GET POST
> smtpd_hard_error_limit = 20
> smtpd_helo_required = no
> smtpd_helo_restrictions =
> smtpd_history_flush_threshold = 100
> smtpd_junk_command_limit = 100
> smtpd_milters =
> smtpd_noop_commands =
> smtpd_null_access_lookup_key = <>
> smtpd_peername_lookup = yes
> smtpd_policy_service_max_idle = 300s
> smtpd_policy_service_max_ttl = 1000s
> smtpd_policy_service_timeout = 100s
> smtpd_proxy_ehlo = $myhostname
> smtpd_proxy_filter =
> smtpd_proxy_timeout = 100s
> smtpd_recipient_limit = 1000
> smtpd_recipient_overshoot_limit = 1000
> smtpd_recipient_restrictions = permit_sasl_authenticated,
> permit_mynetworks reject_unauth_destination
> smtpd_reject_unlisted_recipient = yes
> smtpd_reject_unlisted_sender = no
> smtpd_restriction_classes =
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_exceptions_networks =
> smtpd_sasl_local_domain =
> smtpd_sasl_path = private/auth
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
> smtpd_sasl_type = dovecot
> smtpd_sender_login_maps = ldap:/etc/postfix/ldap_aliases.cf
> smtpd_sender_restrictions =
> smtpd_soft_error_limit = 10
> smtpd_starttls_timeout = 300s
> smtpd_timeout = 300s
> smtpd_tls_CAfile = /etc/ssl/TERENASSL_PATH.pem
> smtpd_tls_CApath =
> smtpd_tls_always_issue_session_ids = yes
> smtpd_tls_ask_ccert = no
> smtpd_tls_auth_only = no
> smtpd_tls_ccert_verifydepth = 9
> smtpd_tls_cert_file = /etc/ssl/myserver.crt
> smtpd_tls_dcert_file =
> smtpd_tls_dh1024_param_file =
> smtpd_tls_dh512_param_file =
> smtpd_tls_dkey_file = $smtpd_tls_dcert_file
> smtpd_tls_exclude_ciphers =
> smtpd_tls_fingerprint_digest = md5
> smtpd_tls_key_file = /etc/ssl/private/jupiter_myserver.pem
> smtpd_tls_loglevel = 2
> smtpd_tls_mandatory_ciphers = medium
> smtpd_tls_mandatory_exclude_ciphers =
> smtpd_tls_mandatory_protocols = SSLv3, TLSv1
> smtpd_tls_received_header = yes
> smtpd_tls_req_ccert = no
> smtpd_tls_security_level =
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_tls_wrappermode = no
> smtpd_use_tls = yes
>
>
> Please, it is critical to solve this problem, all messages are being
> deferred!!!
>
> Thanks
>
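The question above ("what file is smtp_tls_CApath looking for, does it need a special name?") comes down to how OpenSSL, which Postfix uses for TLS, searches a CApath: it does not read every file in the directory, it opens entries named <subject-hash>.<n>, where the eight-hex-digit hash is what "openssl x509 -hash" prints for the CA certificate. The certificate file itself can have any name; what must exist is the hash-named link (normally created with c_rehash or "openssl rehash"). A directory full of *.pem files without those links gives exactly "Server certificate not verified" with smtp_tls_security_level = verify. The script below is an added example written for this thread, not code from the list or from the Postfix project; it assumes the openssl command-line tool is installed, and every path and CN in it is constructed for the demonstration. It builds a hashed directory from a source directory of CA certificates, shows that verification only works once the links exist, and computes the directory a chrooted smtp(8) client will actually open.

```shell
#!/bin/sh
# Added example for the smtp_tls_CApath question in this thread. Not from
# the mailing list or from Postfix. Assumes the openssl CLI is installed;
# all paths and certificate names below are constructed for the demo.

set -e

# build_capath SRC_DIR DEST_DIR: copy every *.pem / *.crt from SRC_DIR into
# DEST_DIR and create the <hash>.<n> links that OpenSSL (and therefore the
# Postfix smtp client) looks up. This is what c_rehash / openssl rehash do.
build_capath() {
    src="$1"
    dest="$2"
    mkdir -p "$dest"
    for pem in "$src"/*.pem "$src"/*.crt; do
        [ -f "$pem" ] || continue
        base=$(basename "$pem")
        cp "$pem" "$dest/$base"
        subj_hash=$(openssl x509 -in "$pem" -noout -hash)
        n=0
        # several CAs can share a hash; OpenSSL tries .0, .1, .2, ...
        while [ -e "$dest/$subj_hash.$n" ]; do n=$((n + 1)); done
        ln -s "$base" "$dest/$subj_hash.$n"
    done
}

# count_hash_links DIR: number of <hash>.<n> entries. 0 means OpenSSL will
# find nothing in DIR no matter how many CA certificates are stored there.
count_hash_links() {
    ls "$1" | grep -Ec '^[0-9a-f]{8}\.[0-9]+$' || true
}

# verify_against_capath CAPATH CERT_PEM: exit 0 only if CERT_PEM chains to a
# certificate OpenSSL can locate in CAPATH through a hash link.
verify_against_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# effective_capath QUEUE_DIR CAPATH CHROOT: the directory a Postfix smtp(8)
# client really opens. With chroot = y in master.cf (the Ubuntu default)
# the main.cf value is relative to queue_directory, which is why the howto
# copies the certificates under /var/spool/postfix and uses /certs.
effective_capath() {
    if [ "$3" = "y" ]; then
        printf '%s%s\n' "$1" "$2"
    else
        printf '%s\n' "$2"
    fi
}

# make_test_pki DIR: constructed throwaway CA, a server certificate signed
# by it, and an unrelated self-signed certificate, so everything runs offline.
make_test_pki() {
    dir="$1"
    mkdir -p "$dir/ca-src"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca-src/test-ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=smtp.smarthost.example" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -days 1 \
        -CA "$dir/ca-src/test-ca.pem" -CAkey "$dir/ca.key" \
        -CAserial "$dir/ca.srl" -CAcreateserial \
        -out "$dir/server.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Unrelated CA" \
        -keyout "$dir/other.key" -out "$dir/other.pem" 2>/dev/null
}

# demo: plain directory first (no links), then the hashed one
demo() {
    work=$(mktemp -d)
    make_test_pki "$work"
    echo "before rehash: $(count_hash_links "$work/ca-src") hash links"
    build_capath "$work/ca-src" "$work/certs"
    echo "after rehash:  $(count_hash_links "$work/certs") hash links"
    if verify_against_capath "$work/certs" "$work/server.pem"; then
        echo "server.pem: verified against CApath"
    fi
    if ! verify_against_capath "$work/certs" "$work/other.pem"; then
        echo "other.pem: not verified (issuer not in CApath)"
    fi
    echo "chrooted smtp opens: $(effective_capath /var/spool/postfix /certs y)"
    rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as "sh capath-demo.sh demo". Applied to the setup in the thread: after copying the CA certificates into /var/spool/postfix/certs, run c_rehash (or "openssl rehash" on newer OpenSSL) on that directory; with the chrooted Ubuntu smtp client, main.cf then references it as smtp_tls_CApath = /certs, while a non-chrooted client needs the full path. The alternative that avoids both the hashing and the chroot question is smtp_tls_CAfile pointing at one concatenated PEM bundle, which Postfix reads before entering the chroot. Setting smtp_tls_loglevel = 1 makes the smtp client log whether each connection was "Trusted" or "Untrusted", which tells you directly whether the CA lookup is working.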