Hello,

I'm having some trouble getting a Comodo PositiveSSL certificate to work correctly with Postfix 2.7.0.

I've attempted to follow the instructions at http://www.postfix.org/postconf.5.html#smtpd_tls_cert_file :

    "You should include the required certificates in the server certificate file, the server certificate first, then the issuing CA(s) (bottom-up order)."

The CA and root information that Comodo provides for PositiveSSL certificates is as follows ( https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1182 ):

    PositiveSSL
      » Root: AddTrustExternalCARoot.crt
      » Intermediate: PositiveSSLCA2.crt
      » End-Entity/Domain Certificate

I created the certificate with the following command:

    $ cat example_com.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt > /root/ssl/example.com.pem

Then I added the following to main.cf:

    # TLS parameters
    smtpd_tls_cert_file = /root/ssl/example.com.pem
    smtpd_tls_key_file = /root/ssl/example.com.key
    smtpd_use_tls = yes

But when I attempt to verify the certificate chain, I always receive "19:self signed certificate in certificate chain".

    $ openssl s_client -connect example.com:25 -starttls smtp
    CONNECTED(00000003)
    depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    ---
    Certificate chain
     0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=example.com
       i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
     1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
       i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
     2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
       i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    ---
    ...

What might the problem be? Isn't the last certificate in the chain *supposed to be* self-signed?

I thought that perhaps the client machine from which I am attempting to verify the certificate may lack the AddTrust certificate (#2 in the chain), but when I tried installing it, the certificate was recognized as a duplicate (i.e., it is already installed):

    # cp AddTrustExternalCARoot.crt /usr/local/share/ca-certificates/AddTrustExternalCARoot.crt
    # update-ca-certificates
    Updating certificates in /etc/ssl/certs... WARNING: Skipping duplicate certificate AddTrustExternalCARoot.crt
    WARNING: Skipping duplicate certificate AddTrustExternalCARoot.crt
    1 added, 0 removed; done.
    Running hooks in /etc/ca-certificates/update.d....done.

I'm not sure what to try next. I must be missing something simple...

For privacy reasons, I have omitted it here, but I'll provide the sanitized output of "postconf -n" if it would be helpful; just ask.

Thanks for any help with this!

-Ben