On Wed, Aug 13, 2014 at 02:09:41PM -0400, Alex wrote:

> > > # openssl s_client -connect mail.example.com:465
> >
> > You've not specified a CAfile or CApath. See s_client(1).
>
> Ah, I see. I thought supplying this on the server side in main.cf was the
> proper way. I've supplied it on the openssl command-line and it works as
> expected.

The s_client command is the verifier, checking the validity of the server
certificate chain. Clearly the server's trust chain settings must have no
effect on whom the verifier trusts.

> > Not necessarily, but a common error is to only configure the leaf
> > certificate and not append the required intermediate certificates
> > to the server's chain file.
>
> The CAfile contains two certs, supplied by GoDaddy. I'm pretty sure that
> would be both of them.

The server certificate (chain) file must be constructed as documented in
TLS_README.

    http://www.postfix.org/TLS_README.html#server_cert_key

Under the sub-heading of "Creating the server certificate file".

You should generally store the private key in a separate file and make
sure that file is not world-readable. If the private key and certificates
are in the same file now, don't clobber/lose the key while building the
new chain file.

> > Thunderbird generally employs "STARTTLS" not wrapper-mode. However,
> > the certificate chain is the same, so it suffices to test port 587
> > with Thunderbird, and just test that 465 responds via s_client.
>
> So this basically means Thunderbird is broken on port 465, because even if
> I wanted to use it, it appears I couldn't.

No. It means you're confused, and disabusing you of all the confusion at
once is not a pre-requisite to moving forward.

[ It is likely possible to configure Thunderbird to use SSL wrapper mode
  on 465, but this is not necessary. ]

-- 
Viktor.
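The following is an added example, not code from the thread or from the Postfix project: a small structural checker for the server certificate chain file Viktor points at. It assembles the chain in the order TLS_README describes (the server's own certificate first, then the intermediates) and reports the two mistakes discussed above: a chain file that holds only the leaf certificate, and a private key that ended up inside the chain file instead of a separate, non-world-readable file. The PEM blocks are constructed placeholders (no real certificate or key material), and the checks look only at file structure and permissions; they do not validate signatures, which remains the job of `openssl verify` or `s_client` with a `-CAfile`.

```python
# Added example (not from the postfix-users thread): structural sanity checks
# for a Postfix server certificate chain file built as TLS_README describes:
# server (leaf) certificate first, then the intermediates, with the private
# key kept in its own file that is not readable by group or other.
import os
import re
import stat
import tempfile

# Constructed placeholder PEM blocks: the bodies are not real certificates
# or keys; they only exercise the structure checks below.
LEAF_PEM = ("-----BEGIN CERTIFICATE-----\nLEAFCERTPLACEHOLDER==\n"
            "-----END CERTIFICATE-----\n")
INTERMEDIATE_PEM = ("-----BEGIN CERTIFICATE-----\nINTERMEDIATEPLACEHOLDER==\n"
                    "-----END CERTIFICATE-----\n")
KEY_PEM = ("-----BEGIN PRIVATE KEY-----\nKEYPLACEHOLDER==\n"
           "-----END PRIVATE KEY-----\n")

# One PEM block: captures the type label and the body between the markers.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(type, body), ...] for every PEM block in text, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def build_chain(leaf_pem, intermediates):
    """Assemble a chain file: leaf certificate first, then each intermediate,
    ordered from the one that signed the leaf towards the root (the root
    itself is normally omitted).  Only CERTIFICATE blocks are copied, so a
    private key that sits in the leaf file is never written into the chain."""
    parts = []
    for pem in [leaf_pem, *intermediates]:
        for kind, body in pem_blocks(pem):
            if kind == "CERTIFICATE":
                parts.append("-----BEGIN CERTIFICATE-----\n%s\n"
                             "-----END CERTIFICATE-----" % body)
    return "\n".join(parts) + "\n"


def check_chain_file(text):
    """Return a list of findings about the chain file's shape; an empty list
    means leaf-first, more than one certificate, and no embedded key."""
    findings = []
    kinds = [kind for kind, _ in pem_blocks(text)]
    n_certs = kinds.count("CERTIFICATE")
    if n_certs == 0:
        findings.append("no CERTIFICATE block found")
    elif n_certs == 1:
        findings.append("only one certificate present: the intermediate(s) "
                        "a verifier needs to build the chain are missing")
    if kinds and kinds[0] != "CERTIFICATE":
        findings.append("first block is %r, expected the server certificate"
                        % kinds[0])
    if any("PRIVATE KEY" in kind for kind in kinds):
        findings.append("a PRIVATE KEY block is embedded; keep the key in "
                        "its own file")
    return findings


def key_file_world_readable(path):
    """True if group or other hold any permission bit on the key file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def demo_key_permissions():
    """Write the placeholder key to a temp file and report the check result
    at mode 0644 and again at 0600: returns (readable_at_644, readable_at_600)."""
    with tempfile.NamedTemporaryFile("w", suffix=".key", delete=False) as f:
        f.write(KEY_PEM)
        path = f.name
    try:
        os.chmod(path, 0o644)
        before = key_file_world_readable(path)
        os.chmod(path, 0o600)
        after = key_file_world_readable(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    chain = build_chain(LEAF_PEM, [INTERMEDIATE_PEM])
    print("good chain :", check_chain_file(chain) or "OK")
    print("leaf only  :", check_chain_file(LEAF_PEM))
    print("key inside :", check_chain_file(KEY_PEM + chain))
    print("key file group/other-readable at 0644, 0600:", demo_key_permissions())
```

Run it against a real `smtpd_tls_cert_file` by reading that file into `check_chain_file`; a one-certificate finding is exactly the case where `s_client` with a proper `-CAfile` still fails to build the chain because the GoDaddy intermediate was never appended.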