On Sun, Feb 10, 2013 at 01:46:59PM +0100, deconya wrote:

> status=deferred (Server certificate not verified)
>
> I was looking at all the information about it in howtos, and it seems
> that the problem is when my server exchanges credentials with the
> smarthost. It seems that it does not recognize the CA certificates from
> the destination, and I have two questions.
>
> - What file is smtp_tls_CApath=/certs looking for, all of them? (I'm
>   referring to the name of the file.) Does it need to use a special
>   name? For now, on your recommendation and using the Postfix howto, I
>   changed this to
Configuring CApath is a lot more complicated than setting up a CAfile.
When you have exactly one root CA to verify (the one used by the ISP's
relay) there is little benefit in managing a "herd" (choose your
favourite collective noun) of certificates via CApath.

> smtp_tls_CApath = /var/spool/postfix/certs
> smtpd_tls_CApath = /var/spool/postfix/certs

Instead:

    /etc/postfix/main.cf:
        # Empty
        smtpd_tls_CApath =
        smtpd_tls_CAfile =
        smtp_tls_CApath =
        # Copy PEM format root CA cert into this file
        smtp_tls_CAfile = ${config_directory}/smtp_CAfile

    /etc/postfix/smtp_CAfile:
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----

Obtain the root CA certificate for the relay's smtp server in PEM format
(base64-encoded text between -----BEGIN, -----END line pairs) from a
trusted source and copy it into the CA file. Verify that the file is
well-formed by running:

    openssl x509 -in /etc/postfix/smtp_CAfile -noout \
        -subject -issuer -dates -sha1 -fingerprint

This must produce no errors and report the DN of the expected root CA as
both subject and issuer. The certificate must not be expired, and
typically is valid for 10-20 years. You can usually "google" the sha1
fingerprint to find various online copies of the same CA certificate.

You can store multiple trusted roots in a single CAfile, just concatenate
individual files with PEM format trusted root CA certs.

-- 
	Viktor.
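The checks in this message (the file is well-formed PEM, subject equals issuer, the certificate is not expired) apply to each certificate in the CAfile, but "openssl x509 -in" reports only the first certificate of a concatenated file. As an added example, not part of Viktor's message and not Postfix code, here is a small Python checker that walks every PEM block in a CAfile and reports those properties per certificate. The DER walker reads only the fields it needs and does not verify signatures; the sample certificates at the bottom are constructed, unsigned skeletons, not real CA certificates, and the file name check_cafile.py is assumed.

```python
import base64
import datetime
import re
import sys

# One PEM certificate block; the captured body is the base64 text between the markers.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Decode one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Return the (tag, value) elements directly inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def parse_time(tag, value):
    """X.509 Time: UTCTime (tag 0x17, YY < 50 means 20YY per RFC 5280) or GeneralizedTime (0x18)."""
    s = value.decode("ascii")
    if tag == 0x17:
        s = ("20" if int(s[:2]) < 50 else "19") + s
    elif tag != 0x18:
        raise ValueError("unexpected Time tag")
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(
        tzinfo=datetime.timezone.utc)

def inspect_der(der, now):
    """Report whether one DER certificate is self-signed (issuer == subject) and valid at 'now'."""
    elems = children(der)
    if len(elems) != 1 or elems[0][0] != 0x30:
        raise ValueError("not a single DER SEQUENCE")
    tbs = children(elems[0][1])[0][1]        # tbsCertificate is the first element
    fields = children(tbs)
    if fields[0][0] == 0xA0:                 # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    not_before, not_after = (parse_time(t, v) for t, v in children(validity))
    return {"self_signed": issuer == subject,
            "expired": not (not_before <= now <= not_after),
            "not_after": not_after.date().isoformat()}

def check_cafile(text, now=None):
    """Check every PEM block in a CAfile; a block that fails to parse is reported as malformed."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    results = []
    for body in PEM_BLOCK.findall(text):
        try:
            results.append(inspect_der(base64.b64decode(body), now))
        except (ValueError, IndexError):     # binascii.Error is a ValueError subclass
            results.append({"malformed": True})
    return results

# --- Constructed sample data (not real certificates): unsigned DER skeletons carrying
# --- just the fields inspect_der reads, so the checks above can be exercised offline.
def encode_tlv(tag, value):
    n = len(value)
    nb = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + value

def name(cn):                                # Name ::= SEQUENCE OF SET OF {CN OID, UTF8String}
    attr = encode_tlv(0x30, encode_tlv(0x06, b"\x55\x04\x03") + encode_tlv(0x0C, cn.encode()))
    return encode_tlv(0x30, encode_tlv(0x31, attr))

def sample_cert(issuer_cn, subject_cn, not_before, not_after):
    alg = encode_tlv(0x30, encode_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    validity = encode_tlv(0x30, encode_tlv(0x17, not_before.encode()) + encode_tlv(0x17, not_after.encode()))
    tbs = encode_tlv(0x30, encode_tlv(0xA0, encode_tlv(0x02, b"\x02")) + encode_tlv(0x02, b"\x01")
                     + alg + name(issuer_cn) + validity + name(subject_cn) + encode_tlv(0x30, b""))
    der = encode_tlv(0x30, tbs + alg + encode_tlv(0x03, b"\x00"))   # signature is a placeholder
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

SAMPLE_NOW = datetime.datetime(2025, 1, 1, tzinfo=datetime.timezone.utc)
SAMPLE_CAFILE = (
    sample_cert("Example Root CA", "Example Root CA", "200101000000Z", "400101000000Z")
    + sample_cert("Example Root CA", "Example Issuing CA", "200101000000Z", "300101000000Z")
    + sample_cert("Old Root CA", "Old Root CA", "100101000000Z", "200101000000Z")
    + "-----BEGIN CERTIFICATE-----\nbm90IGEgY2VydGlmaWNhdGU=\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CAFILE
    for i, r in enumerate(check_cafile(text, SAMPLE_NOW if len(sys.argv) == 1 else None), 1):
        print(f"certificate {i}: {r}")
```

Run it as "python3 check_cafile.py /etc/postfix/smtp_CAfile" (with no argument it reports on the built-in sample). A certificate reported as not self-signed is an intermediate rather than a root, which is worth knowing when the aim is to trust exactly the relay's root; a malformed entry usually means a copy-and-paste error in the concatenated file.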