Did you try "file /etc/ssl/zbfmail-cert/2013/mail.server.de.intermediate.crt"? Maybe you will be surprised by the results... :-)

Fernando

On Wed, Jan 29, 2014 at 12:21 PM, nano <nano...@bsdbox.co> wrote:
> On 30/01/2014 12:51 AM, Marko Weber | ZBF wrote:
>>
>> hello,
>> viktor or any other.
>>
>> in the postfix tls readme: "In order to use TLS, the Postfix SMTP server
>> generally needs a certificate and a private key. Both must be in "PEM"
>> format."
>>
>> I have set it up this way in my main.cf:
>>
>> smtpd_tls_CAfile =
>> /etc/ssl/zbfmail-cert/2013/mail.server.de.intermediate.crt
>> smtpd_tls_cert_file =
>> /etc/ssl/zbfmail-cert/2013/mail.server.de.crt
>> smtpd_tls_key_file =
>> /etc/ssl/zbfmail-cert/2013/mail.zbfmail.de.key
>>
>> it (looks like) is working when I test with:
>>
>> "openssl s_client -connect mail.server.de:25 -starttls smtp -CApath
>> /etc/ssl/certs/"
>>
>> all seems good:
>>
>>
>> CONNECTED(00000003)
>> depth=3 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
>> cc/OU=Certification Services Division/CN=Thawte Premium Server
>> CA/emailAddress=premium-ser...@thawte.com
>> verify return:1
>> depth=2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c)
>> 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
>> verify return:1
>> depth=1 /C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
>> verify return:1
>> depth=0 /OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte
>> SSL123 certificate/OU=Domain Validated/CN=mail.server.de
>> verify return:1
>> ---
>> Certificate chain
>> 0 s:/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte
>> SSL123 certificate/OU=Domain Validated/CN=mail.server.de
>> i:/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
>> 1 s:/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
>> i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c)
>> 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
>> 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c)
>> 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
>> i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
>> cc/OU=Certification Services Division/CN=Thawte Premium Server
>> CA/emailAddress=premium-ser...@thawte.com
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> MIIE5jCadasdasdasdasdasdMznodCWLpZ5lv3M2VDANBgkqhkiG9w0BAQUFADBe
>> MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMVGhhd3RlLCBJbmMuMR0wGwYDVQQLExRE
>> b21haW4gVmFsaWRhdGVkIFNTTDEZMBcGA1UEAxMQVGhhd3RlIERWIFNTTCBDQTAe
>> Fw0xMzA1MjgwMDAwMDBaFw0xNDA3MjcyMzU5NTlaMIGWMTswOQYDVQQLEzJHbyB0
>> byBodHRwczovL3d3dy50aGF3dGUuY29tL3JlcG9zaXRvcnkvaW5kZXguaHRtbDEi
>> MCAGA1UECxMZVGhhd3RlIFNTTDEyMyBjZXJ0aWZpY2F0ZTEZMBcGA1UECxMQRG9t
>> YWluIFZhbGlkYXRlZDEYMBYGA1UEAxQPbWFpbC56YmZtYWlsLmRlMIIBIjANBgkq
>> hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqTtGkmDGk7CMP527MbAxIaJ5a81bvU6b
>> L4My5CjyLqEN8t17yfoUeIuBm14aZjF7aYcS+8Pp8f45RxA0nHLWojXGFUReN5Sl
>> pMCpMBbDkzYhUCBGovks6MyK4+KPOtBTSzGf1i9oOCNJuHBe/6MnWTSBpJZhHJCM
>> NOgkJskXHVrFBCLPd+UvdIOgv70Re5KdPb50RpxTC1JuNlvAFpn3FGCYlH5mY5CI
>> FQmzxf4IsLZgzbl9Arz5ApHmC6QIWXbtt6TyFwf2F/Mt7gZG8pgof1W9Qo1bp6wl
>> bFYroUXadasdasdasdsadyxcyxcsadsafrewtrezfgsfdgvcsdfsfwIDAQABo4IB
>> ZTCCAWEwGgYDVR0RBBMwEYIPbWFpbC56YmZtYWlsLmRlMAkGA1UdEwQCMAAwOgYD
>> VR0fBDMwMTAvoC2gK4YpaHR0cDovL3N2ci1kdi1jcmwudGhhd3RlLmNvbS9UaGF3
>> dGVEVi5jcmwwQQYDVR0gBDowODA2BgpghkgBhvhFAQc2MCgwJgYIKwYBBQUHAgEW
>> Gmh0dHBzOi8vd3d3LnRoYXd0ZS5jb20vY3BzMB8GA1UdIwQYMBaAFKtE5F3sg8fZ
>> wIWf9+HGl5CwjD+YMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcD
>> AQYIKwYBBQUHAwIwaQYIKwYBBQUHAQEEXTBbMCIGCCsGAQUFBzABhhZodHRwOi8v
>> b2NzcC50aGF3dGUuY29tMDUGCCsGAQUFBzAChilodHRwOi8vc3ZyLWR2LWFpYS50
>> aGF3dGUuY29tL1RoYXd0ZURWLmNlcjANBgkqhkiG9w0BAQUFAAOCAQEACdX/tcpl
>> uisdgfhsdufzgggGGKJGGFHGSDfglSDHFGLGDFLHGDFJLSDHGFSHGDFgjhsdgfQY
>> CBSFfOH6xbt3mI6Z5oLuQ/CDQOeIU080TEaFtPlWto4Dd2CJSYVLCXSIpKoXcqF0
>> Gx0B8m8Eu0lbUQd2jrfgO1OVGbtuUfhIgLKzj/me5HhLpKHR/30yNCB9iolkAZdG
>> bxyU9qmNj7mfdNlv/kEUPAWThJ8LKLZTe224hIqIvBAU+BW7yAhvOT3a118IfxZN
>> Cx3rOi6aegX3QBr6WwkSwi+lVTS8nfuisatsdahhhgjtrgseaiiflsdbgsildfgf
>> dZyViByHDJ5pNQ==
>> -----END CERTIFICATE-----
>> subject=/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte
>> SSL123 certificate/OU=Domain Validated/CN=mail.server.de
>> issuer=/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 4480 bytes and written 372 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>> Server public key is 2048 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>> Protocol : TLSv1
>> Cipher : DHE-RSA-AES256-SHA
>> Session-ID:
>> 8AA57C73BE5A80A0A73D5624917123275510537E95CB42AA7FFC2C5B9AD2AFBA
>> Session-ID-ctx:
>> Master-Key:
>> 07D9F2D739636D787CA14589CC92DB3A2A78DC00F8A31EAC55CA3A35B798
>> 5F74A47BD74AA90A3FEAD09A0E7FD45D597D
>>
>> Key-Arg : None
>> Start Time: 1391003136
>> Timeout : 300 (sec)
>> Verify return code: 0 (ok)
>> ---
>> 250 8BITMIME
>>
>> so can I ignore that both must be in PEM?
>>
>> if not, what are the steps to do it right?
>>
>>
>> marko
>>
>
> The file extension doesn't signify the file format. I'd surmise that yours
> actually are in PEM format, hence why it works.
>
> --
> bsdbox.co
>
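The point nano makes, that a `.crt` or `.key` extension says nothing about whether the bytes inside are PEM or DER, can be checked from the content alone, which is what `file` does. The following is an added example of mine, not code from the thread, from Postfix or from OpenSSL: it classifies a blob as PEM (base64 text between BEGIN/END armor lines) or DER (one complete ASN.1 SEQUENCE, the outer structure of every X.509 certificate and PKCS key), walks every armored block in a PEM bundle such as an intermediate chain file, and converts DER to PEM. The sample payloads at the bottom are constructed five-byte ASN.1 values, not real certificates, so the script runs offline.

```python
import base64
import re

# One armored PEM block: label line, base64 body, matching END line.
# Handles bundles with several blocks and either LF or CRLF line endings.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def _der_sequence_spans_whole(data: bytes) -> bool:
    """True if data is exactly one ASN.1 SEQUENCE: tag 0x30 followed by a
    length field that accounts for every remaining byte. Checking the length
    avoids mistaking a text file that starts with the character '0' (also
    byte 0x30) for DER."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        hdr, length = 2, first
    else:                                 # long form: 0x8N then N big-endian bytes
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:
            return False
        hdr, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return hdr + length == len(data)


def detect_format(data: bytes) -> str:
    """Classify by content, never by file extension."""
    if PEM_BLOCK.search(data):
        return "PEM"
    if _der_sequence_spans_whole(data):
        return "DER"
    return "unknown"


def pem_blocks(data: bytes):
    """Yield (label, der_bytes) for each armored block in a PEM file."""
    for m in PEM_BLOCK.finditer(data):
        label = m.group(1).decode("ascii")
        b64 = b"".join(m.group(2).split())   # drop line breaks inside the body
        yield label, base64.b64decode(b64, validate=True)


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Armor a DER blob as PEM with the conventional 64-column base64 body."""
    body = base64.b64encode(der)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    head = b"-----BEGIN " + label.encode("ascii") + b"-----\n"
    tail = b"-----END " + label.encode("ascii") + b"-----\n"
    return head + b"\n".join(lines) + b"\n" + tail


def describe(data: bytes) -> str:
    """Human-readable summary, the way `file` tells PEM from DER."""
    fmt = detect_format(data)
    if fmt == "PEM":
        labels = [label for label, _ in pem_blocks(data)]
        return "PEM, %d block(s): %s" % (len(labels), ", ".join(labels))
    if fmt == "DER":
        return "DER, %d bytes of ASN.1" % len(data)
    return "unknown format"


# Constructed sample payloads (NOT real certificates): SEQUENCE { INTEGER 5 }
# in DER, the same bytes PEM-armored, and a two-block bundle like an
# intermediate chain file.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = der_to_pem(SAMPLE_DER)
SAMPLE_BUNDLE = SAMPLE_PEM + der_to_pem(SAMPLE_DER)

if __name__ == "__main__":
    for name, blob in (("der", SAMPLE_DER), ("pem", SAMPLE_PEM),
                       ("bundle", SAMPLE_BUNDLE)):
        print("%-6s %s" % (name, describe(blob)))
```

To check real files, read them in binary mode and pass the bytes to `describe`; a file the script reports as DER is the one to convert before pointing `smtpd_tls_cert_file` or `smtpd_tls_key_file` at it, since the Postfix TLS readme quoted above requires PEM for both.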