Hi,

> > I've enabled debug for my test host, and after restart postfix, I've tested
> > it with the following openssl command:
> >
> > # openssl s_client -connect mail.example.com:465
>
> You've not specified a CAfile or CApath. See s_client(1).

Ah, I see. I thought supplying this on the server side in main.cf was the
proper way. I've supplied it on the openssl command-line and it works as
expected.

> > It connects, displays the certificate, but it also says
> >
> > depth=0 OU = Domain Control Validated, CN = mail.example.com
> > verify error:num=21:unable to verify the first certificate
> > verify return:1
> >
> > Is this something wrong with how I have the certificate set up?
>
> Not necessarily, but a common error is to only configure the leaf
> certificate and not append the required intermediate certificates
> to the server's chain file.

The CAfile contains two certs, supplied by GoDaddy. I'm pretty sure that
would be both of them.

> > I think the problem I'm still having is that I thought I would also test
> > with Thunderbird, and it doesn't work. When I test with port 587 it works
> > okay, however, port 465 produces the following:
>
> Thunderbird generally employs "STARTTLS" not wrapper-mode. However,
> the certificate chain is the same, so it suffices to test port 587
> with Thunderbird, and just test that 465 responds via s_client.

So this basically means Thunderbird is broken on port 465, because even if
I wanted to use it, it appears I couldn't.

> > submission on 587 works with the same key/cert pair, so I can't figure out
> > what's wrong, and whether it's a Thunderbird problem or a postfix problem.
>
> Neither. Nothing is wrong.

Awesome. Thanks so much. I love learning more about how all this works.

Thanks,
Alex
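
Added example, not part of the original message: a shell sketch of the chain-file check discussed above, run offline against a throwaway root, intermediate and leaf. All names and file names (`demo-*`, `chain-full.pem`, `bundle.pem`, the helper functions) are constructed for illustration. It shows that a leaf-only chain file fails against a root-only trust file, that leaf plus intermediate passes, and that a client CAfile which already holds the intermediate hides the omission.

```sh
#!/bin/sh
# Constructed demo data: throwaway root -> intermediate -> leaf, all names made up.
set -eu

make_chain() {   # $1 = empty working directory
  ( cd "$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
    for n in root int leaf; do
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
        -keyout "$n.key" -out "$n.csr" 2>/dev/null
    done
    openssl x509 -req -in root.csr -signkey root.key -days 2 \
      -extfile ca.ext -out root.pem 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -days 2 -extfile ca.ext -out int.pem 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -days 2 -out leaf.pem 2>/dev/null
    cp leaf.pem chain-leaf-only.pem          # server chain file with the leaf alone
    cat leaf.pem int.pem > chain-full.pem    # leaf first, then its intermediate
    cat root.pem int.pem > bundle.pem        # client trust file that also holds the intermediate
  )
}

# True only if the first certificate in chain file $2 verifies against trust
# file $1, with the certificates in $2 as the only untrusted helpers.
chain_verifies() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" 2>/dev/null | grep -q ': OK$'
}

report() {   # $1 = trust file, $2 = chain file, $3 = label
  if chain_verifies "$1" "$2"; then echo "verifies: $3"; else echo "FAILS:    $3"; fi
}

demo() {
  d=$(mktemp -d)
  make_chain "$d"
  report "$d/root.pem"   "$d/chain-leaf-only.pem" "leaf only, client trusts root"
  report "$d/root.pem"   "$d/chain-full.pem"      "leaf + intermediate, client trusts root"
  report "$d/bundle.pem" "$d/chain-leaf-only.pem" "leaf only, client CAfile has intermediate"
  rm -rf "$d"
}
demo
```

The third case is the one to watch when testing a server with s_client: a CAfile that contains the intermediate will verify a server that never sends it, so a root-only CAfile gives the stricter test.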