On 10/21/2013 7:55 AM, Tobias Reckhard wrote:
> Hello
>
> In configuring a postfix 2.7.0 (on Ubuntu 10.04 LTS) for mandatory TLS
> to a couple of domains, I'm running into the following oddity when
> sending e-mail to the UniCredit servers:
>
> Oct 21 08:43:58 <hostname> postfix/smtp[5991]: CA certificate
> verification failed for mx10.unicredit.eu[62.122.80.93]:25:
> num=7:certificate signature failure
>
> This appears to be an OpenSSL error, at least I can find a similar error
> message on https://www.openssl.org/docs/apps/verify.html. However, I do
> not know what the actual problem is. The certificates presented by the
> MX hosts of unicreditgroup.eu (that answer) are somewhat problematic in
> that they are all completely identical and feature a CN of
> mucimgcc.internal.unicreditgroup.eu and no SubjectAltNames, which does
> not resemble the MX records. However, I'm not sure if that is the cause
> of the verification failure.
>
> If I store mx10's certificate to a file and the intermediary as well as
> the root CA certificate to /etc/postfix/cacerts (and create the
> necessary symlinks there with c_rehash), I can successfully use "openssl
> verify -CApath /etc/postfix/cacerts mx10.unicredit.eu.cert.pem" to
> verify it (result: mx10.unicredit.eu.cert.pem: OK)
>
> Can anyone offer any insights on this topic? I'm a bit puzzled.
>
> Regards,
> Tobias
>
Looks as if they use a private root CA. Probably the easiest fix is to
use "fingerprint" verification. See:
http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps

--
Noel Jones
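Added example, not part of this thread and not Postfix's own code: a small Python script that computes a certificate fingerprint in the form smtp_tls_policy_maps expects (digest of the DER encoding, colon-separated uppercase hex pairs, the same value "openssl x509 -noout -fingerprint -sha256 -in cert.pem" prints) and emits the "fingerprint" policy line Noel suggests. The PEM block is constructed so the script runs offline; its body decodes to the bytes "abc", not a real certificate, so the fingerprint shown means nothing for the UniCredit hosts. The domain "unicredit.eu" is the one from the thread. The digest you pick has to match smtp_tls_fingerprint_digest in main.cf (Postfix 2.7 defaults to md5, so set it explicitly to sha1 or sha256), and a pinned fingerprint has to be refreshed whenever the remote side replaces its certificate, which is the operational cost of this approach compared with CA verification.

```python
import base64
import hashlib
import re

# Constructed sample "certificate": the base64 body decodes to b"abc",
# not to a real DER certificate. It exists only so the example runs offline.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# Digest names accepted here; Postfix takes any OpenSSL digest name in
# smtp_tls_fingerprint_digest. Postfix 2.7 defaults to md5, which is weak,
# so set the parameter explicitly and keep it in sync with the policy file.
SUPPORTED_DIGESTS = ("md5", "sha1", "sha256")


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes encoded between the BEGIN/END CERTIFICATE lines."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def pem_fingerprint(pem: str, digest: str = "sha256") -> str:
    """Fingerprint as Postfix and 'openssl x509 -fingerprint' print it:
    digest over the DER encoding, colon-separated uppercase hex pairs."""
    if digest not in SUPPORTED_DIGESTS:
        raise ValueError(f"unsupported digest {digest!r}")
    hexdigest = hashlib.new(digest, pem_to_der(pem)).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def policy_entry(domain: str, fingerprints) -> str:
    """One smtp_tls_policy_maps line: 'domain fingerprint match=FP [match=FP ...]'.
    Repeating the match= attribute lists several acceptable certificates,
    e.g. the current one and its announced successor during a rollover."""
    if not fingerprints:
        raise ValueError("at least one fingerprint required")
    return f"{domain} fingerprint " + " ".join(f"match={fp}" for fp in fingerprints)


def check_entry(line: str, digest: str) -> bool:
    """Sanity-check a policy line against the configured digest: the level must
    be 'fingerprint' and every match= value must be colon-separated hex of the
    digest's output length. Catches the classic mismatch of a sha256 fingerprint
    in the map while main.cf still says smtp_tls_fingerprint_digest = md5."""
    expected_hex_len = hashlib.new(digest).digest_size * 2
    parts = line.split()
    if len(parts) < 3 or parts[1] != "fingerprint":
        return False
    for attr in parts[2:]:
        if not attr.startswith("match="):
            return False
        fp = attr[len("match="):]
        if not re.fullmatch(r"(?:[0-9A-F]{2}:)*[0-9A-F]{2}", fp):
            return False
        if len(fp.replace(":", "")) != expected_hex_len:
            return False
    return True


if __name__ == "__main__":
    fp = pem_fingerprint(SAMPLE_PEM, "sha256")
    line = policy_entry("unicredit.eu", [fp])
    print(line)
    print("consistent with smtp_tls_fingerprint_digest = sha256:",
          check_entry(line, "sha256"))
```

Feed the output line into the file named by smtp_tls_policy_maps (a hash: table, rebuilt with postmap) and set smtp_tls_fingerprint_digest to the same digest; fetch the real certificate to fingerprint it with "openssl s_client -starttls smtp -connect mx10.unicredit.eu:25", confirming the value out of band before pinning it.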