On Tue, Aug 12, 2014 at 11:49:05PM -0400, Alex wrote:
> I've enabled debug for my test host, and after restarting postfix, I've tested
> it with the following openssl command:
>
> # openssl s_client -connect mail.example.com:465

You've not specified a CAfile or CApath. See s_client(1).

> It connects, displays the certificate, but it also says
>
> depth=0 OU = Domain Control Validated, CN = mail.example.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
>
> Is this something wrong with how I have the certificate set up?

Not necessarily, but a common error is to only configure the leaf
certificate and not append the required intermediate certificates
to the server's chain file.

> I think the problem I'm still having is that I thought I would also test
> with Thunderbird, and it doesn't work. When I test with port 587 it works
> okay, however, port 465 produces the following:

Thunderbird generally employs "STARTTLS" not wrapper-mode. However,
the certificate chain is the same, so it suffices to test port 587
with Thunderbird, and just test that 465 responds via s_client.

> submission on 587 works with the same key/cert pair, so I can't figure out
> what's wrong, and whether it's a Thunderbird problem or a postfix problem.

Neither. Nothing is wrong.

--
Viktor.
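
Added example, not part of the original message: a small shell filter that reads `openssl s_client` output and reports whether the server sent only the leaf certificate or a linked chain including intermediates, which is the chain-file check described in the reply above. The function names, the "Example CA" issuer names and both sample transcripts are constructed for illustration.

```shell
# Summarise the "Certificate chain" section of `openssl s_client` output
# (read from stdin): how many certificates the server sent, and whether each
# certificate's issuer (i:) is the subject (s:) of the next one in the list.
# Live use (the CA bundle path is a placeholder):
#   openssl s_client -connect mail.example.com:465 -CAfile /path/to/ca-bundle.pem </dev/null 2>/dev/null | chain_summary
chain_summary() {
    awk '
        BEGIN { n = 0 }
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---/   { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/   { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
        in_chain && /^ +i:/ && n > 0 { sub(/^ +i:/, ""); iss[n - 1] = $0; next }
        END {
            if (n == 0) { print "no-chain-section"; exit }
            for (k = 0; k + 1 < n; k++)
                if (iss[k] != subj[k + 1]) { print "broken-link-after-" k; exit }
            if (n == 1 && iss[0] != subj[0]) print "leaf-only"
            else print "linked-chain-of-" n
        }'
}

# Constructed sample: server chain file holds the leaf certificate only.
sample_leaf_only() {
    cat <<'EOF'
depth=0 OU = Domain Control Validated, CN = mail.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:OU = Domain Control Validated, CN = mail.example.com
   i:C = XX, O = Example CA, CN = Example Intermediate CA
---
EOF
}

# Constructed sample: leaf followed by its intermediate in the chain file.
sample_full_chain() {
    cat <<'EOF'
---
Certificate chain
 0 s:OU = Domain Control Validated, CN = mail.example.com
   i:C = XX, O = Example CA, CN = Example Intermediate CA
 1 s:C = XX, O = Example CA, CN = Example Intermediate CA
   i:C = XX, O = Example CA, CN = Example Root CA
---
EOF
}
```

A `leaf-only` result means clients must already hold the intermediate themselves; `linked-chain-of-N` means the server is presenting N certificates that chain to one another in order.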