On Thu, Feb 06, 2014 at 05:37:16PM +0000, Alan Munday wrote:

> My certificate creation process also followed the old way of doing
> things. I've updated this to also follow the HowTo. In doing so I
> needed to edit two values in the openssl.cnf namely:
>
> [ CA_default ]
> unique_subject = no
>
> [ usr_cert ]
> basicConstraints=CA:TRUE
>
> I did try CA:FALSE but this was causing outlook.com mail to fail
> (and, as Viktor stated, mail from other domains as well).
Usually, the CA certificate is created using a different extension
section (not "usr_cert"). You then have "CA:FALSE" in "usr_cert", and
"CA:TRUE" in the CA extension section.

> Just from a technical perspective I'd like to understand and resolve
> what's going on. Though I can see it might just be easier to turn
> TLS off.

You now have working TLS on mx1, so that's fine. As for mx3, its
problem is not TLS. Almost certainly any large packets sent by mx3
will run into the same MTU issue. For example, it likely can't send
bounces...

Try to send a large message from mx3 to the outside world. If that
works, but sending a TLS certificate to the client does not, I'll be
surprised (a less obvious explanation will be required for the
reported symptoms, perhaps hardware problems with the NIC that corrupt
some data and not other data, ...).

-- 
	Viktor.
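The separate CA and end-entity extension sections Viktor describes, as an added example that is not part of the thread: it issues a test CA with CA:TRUE, signs a server certificate from the usr_cert section with CA:FALSE, and checks both. The section names follow the stock openssl.cnf layout (v3_ca, usr_cert); the server name mx1.example.org and the temporary directory are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: one extension section for the CA
# certificate, another for end-entity certificates, then a check of each.
# Assumptions: section names v3_ca/usr_cert as in the stock openssl.cnf;
# mx1.example.org and the temp directory are hypothetical.
set -e

check_basic_constraints() (
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping"; exit 0; }
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    cat >"$work/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
# Used only when issuing the CA certificate itself.
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# Used for server/user certificates signed by that CA.
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    # Self-signed CA certificate, built with the CA extension section.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -config "$work/openssl.cnf" -extensions v3_ca \
        -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null || exit 1
    # CSR for the mail server, signed with the end-entity section.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mx1.example.org" \
        -config "$work/openssl.cnf" -keyout "$work/mx1.key" -out "$work/mx1.csr" 2>/dev/null || exit 1
    openssl x509 -req -days 1 -in "$work/mx1.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
        -CAcreateserial -extfile "$work/openssl.cnf" -extensions usr_cert \
        -out "$work/mx1.pem" 2>/dev/null || exit 1
    # Chain must verify; CA cert must say CA:TRUE, server cert CA:FALSE.
    openssl verify -CAfile "$work/ca.pem" "$work/mx1.pem" >/dev/null || exit 1
    openssl x509 -in "$work/ca.pem" -noout -text | grep -q 'CA:TRUE' || exit 1
    openssl x509 -in "$work/mx1.pem" -noout -text | grep -q 'CA:FALSE'
)

check_basic_constraints && echo "CA:TRUE only on the CA certificate, CA:FALSE on mx1"
```

The function body runs in a subshell so the temporary directory is always removed, whichever step fails.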