I've noticed the following in my logs:

Feb 9 04:10:01 endymion postfix/smtp[21298]: certificate verification failed for gmail-smtp-in.l.google.com: num=20:unable to get local issuer certificate
Feb 9 04:10:01 endymion postfix/smtp[21298]: certificate verification failed for gmail-smtp-in.l.google.com: num=27:certificate not trusted

I've searched the list and I see that the answer is usually that the root certificate is not in the CAfile. I used openssl to pull down the gmail cert and traced its provenance. Unlike previous threads, the root certificate was in fact in my ca-bundle.crt, but the intermediate certificate of course was not. So I have several questions:
1) Is this a misconfiguration on gmail's part? Should they be including the intermediate cert along with the host cert during SSL negotiation? (just to help me understand my own configuration)
2) Is my best option to include the intermediate cert in my ca-bundle.crt? And/or can I list more than one bundle so I don't have to hack the bundle that yum is maintaining?
3) Or should I just disable TLS for SMTP?

-Norton
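
The condition described in the message (root present in the CA file, intermediate absent) can be reproduced offline with the openssl command line. This is an added example, not part of the original post; the three certificates, their names and the temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Constructed throwaway PKI: root -> intermediate -> leaf (all names hypothetical).
d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"

new_csr() {  # $1 = file stem, $2 = common name
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
}
new_csr root "Demo Root CA"
new_csr int  "Demo Intermediate CA"
new_csr leaf "mx.example.test"

# Self-signed root, intermediate signed by root, leaf signed by intermediate.
openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -days 2 -out "$d/root.pem" 2>/dev/null
openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/int.pem" 2>/dev/null
openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null

# Case 1: CA file holds the root only and nothing supplies the intermediate.
verify_root_only() {
    openssl verify -CAfile "$d/root.pem" "$d/leaf.pem" 2>&1 || true
}

# Case 2: same CA file, intermediate supplied as an untrusted chain-building
# input (this models a peer that presents it alongside its own certificate).
verify_peer_sends_intermediate() {
    openssl verify -CAfile "$d/root.pem" -untrusted "$d/int.pem" \
        "$d/leaf.pem" 2>&1 || true
}

# Case 3: intermediate appended to a separate local bundle next to the root.
verify_local_bundle() {
    cat "$d/root.pem" "$d/int.pem" > "$d/bundle.pem"
    openssl verify -CAfile "$d/bundle.pem" "$d/leaf.pem" 2>&1 || true
}

echo "== root only ==";               verify_root_only
echo "== peer sends intermediate =="; verify_peer_sends_intermediate
echo "== local bundle ==";            verify_local_bundle
```
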