On Tue, May 13, 2014 at 02:11:34PM +0200, li...@rhsoft.net wrote:
> > And like I said.. it looks fine from the openssl command and from
> > Chromium if I use the certificate inside an Apache2.. but postfix is
> > complaining and it is not telling me anything specific about what the issue is.
>
> the CA of the certificate used on "my.mailserver.de" is
> not in smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

Not true. That's why I posted my openssl check command (see the CAfile I'm using there):

$ openssl s_client -showcerts -CAfile /var/spool/postfix/etc/ssl/certs/ca-certificates.crt -starttls smtp -connect my.mailserver.de:25

So I'm using exactly the same file postfix should use (it's the same as the one outside the chroot.. so it would be the same if I used /etc/ssl/certs/ca-certificates.crt instead.. I checked that as well).

> "from Chromium if I use the certificate inside an Apache2" is a different
> story, Chromium has the CA *and* the trust-chain in its CA list,
> /etc/ssl/certs/ca-certificates.crt is missing one of them
>
> and BTW it's completely pointless in doubt
>
> if I hijack your DNS server, manage to get a certificate from
> whatever trusted CA for "my.mailserver.de" you would see no
> difference - it would still be trusted in case of a known CA
>
> it's even recommended *not* to use smtp_tls_CAfile and stay
> with *any* delivery as "Untrusted" because there is no way
> of *real* trust without DNSSEC/DANE

I will keep this in mind. Nevertheless I really would like to know what is wrong. Even if I will disable it later on, it should work...

Cheers
Simon
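The two things the thread argues about are (a) whether the server's presented chain actually contains the intermediate CA and (b) whether the CA bundle inside the Postfix chroot is the same file as the one outside it. The helpers below are an added example, not code from the thread or from Postfix/OpenSSL; they parse the output of the `openssl s_client -showcerts ... -starttls smtp` command quoted above (a constructed sample is embedded so the script runs offline) and compare the two bundle paths with `cmp`. The hostname and certificate contents in the sample are made up.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): helpers for checking the
# output of
#   openssl s_client -showcerts -CAfile <bundle> -starttls smtp -connect host:25
# and for confirming that the CA bundle inside the Postfix chroot matches the
# system copy that was used for the manual s_client test.

# Constructed sample of s_client output in which the server sends only its
# leaf certificate (the PEM body is fake and truncated; real output has full
# certificate blocks and usually more verbose subject/issuer lines).
SAMPLE_OUTPUT='CONNECTED(00000003)
depth=0 CN = my.mailserver.de
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=my.mailserver.de
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIBexampleleafcertbodynotarealcertificate
-----END CERTIFICATE-----
---
Verify return code: 20 (unable to get local issuer certificate)'

# Number of certificates the server actually sent (leaf plus any intermediates).
# "|| true" keeps the function usable under "set -e" when the count is zero.
chain_cert_count() {
    printf '%s\n' "$1" | grep -c -- '^-----BEGIN CERTIFICATE-----$' || true
}

# Numeric verify return code reported by OpenSSL; 0 means the chain validated
# against the supplied -CAfile.
verify_return_code() {
    printf '%s\n' "$1" | sed -n 's/^Verify return code: \([0-9]*\) .*/\1/p'
}

# Turn chain length plus return code into the diagnosis a mail admin wants:
# code 20 with a single presented certificate is the classic "intermediate
# missing from the server chain or from the bundle" case discussed above.
diagnose() {
    count=$(chain_cert_count "$1")
    code=$(verify_return_code "$1")
    if [ "$code" = "0" ]; then
        echo "ok: chain verified against the given CAfile"
    elif [ "$code" = "20" ] && [ "$count" -le 1 ]; then
        echo "server sent only the leaf certificate: intermediate CA is missing from the server chain or from the CAfile"
    else
        echo "verification failed with code $code ($count certificate(s) presented)"
    fi
}

# Byte-for-byte comparison of the bundle outside and inside the chroot. A
# chrooted smtp(8) reads the copy under /var/spool/postfix, so a mismatch
# means Postfix verifies against a different trust store than s_client did.
bundles_match() {
    cmp -s "$1" "$2"
}

# Stand-alone run: diagnose the embedded sample and compare the two bundle
# paths named in the thread (the cmp step only reports if both files exist).
diagnose "$SAMPLE_OUTPUT"
if [ -f /etc/ssl/certs/ca-certificates.crt ] && [ -f /var/spool/postfix/etc/ssl/certs/ca-certificates.crt ]; then
    if bundles_match /etc/ssl/certs/ca-certificates.crt /var/spool/postfix/etc/ssl/certs/ca-certificates.crt; then
        echo "chroot CA bundle matches the system bundle"
    else
        echo "chroot CA bundle differs from the system bundle"
    fi
fi
```

To use it against a live server, capture the real output once (`out=$(openssl s_client -showcerts -CAfile <bundle> -starttls smtp -connect host:25 </dev/null 2>&1)`) and pass `"$out"` to `diagnose`; the parsing is the same. Note that the chain count only tells you what the server sent, not what the bundle contains, which is why the bundle comparison is a separate step.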