On Tue, Feb 03, 2015 at 10:07:11AM +0100, Tobias Reckhard wrote:

> postfix/smtp[4535]: mx16a.antispameurope.com[94.100.134.100]:25:
> certificate verification depth=2 verify=1 subject=/C=DE/O=Deutsche
> Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2

The constructed chain includes a "Telekom Root CA 2".

> postfix/smtp[4535]: mx16a.antispameurope.com[94.100.134.100]:25:
> certificate verification depth=1 verify=0 subject=/C=DE/O=T-Systems
> International GmbH/OU=T-Systems Trust Center/ST=Nordrhein
> Westfalen/postalCode=57250/L=Netphen/streetAddress=Untere Industriestr.
> 20/CN=TeleSec ServerPass DE-2
>
> postfix/smtp[4535]: CA certificate verification failed for
> mx16a.antispameurope.com[94.100.134.100]:25: num=7:certificate signature
> failure

The signature of this intermediate certificate fails verification
via the public key of root from the log entry above. Most likely
because the intermediate certificate has an RSA with SHA2-256
signature:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 14365921339544682215 (0xc75e01582ac3bee7)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=DE, O=Deutsche Telekom AG, OU=T-TeleSec Trust Center, CN=Deutsche Telekom Root CA 2
            Validity
                Not Before: Feb 11 14:30:17 2014 GMT
                Not After : Jul 9 23:59:00 2019 GMT
            Subject: C=DE, O=T-Systems International GmbH, OU=T-Systems Trust Center, ST=Nordrhein Westfalen/postalCode=57250, L=Netphen/street=Untere Industriestr. 20, CN=TeleSec ServerPass DE-2
            ...

If your Postfix is old enough, and is linked against OpenSSL 0.9.8,
it only supports md5 and sha1.

--
Viktor.
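
Added example (not part of the original message and not Postfix code): a small
Python parser that pairs each "certificate verification failed" entry with the
chain entry logged as verify=0 and with the certificate one depth higher, whose
key should have verified it. The function names are hypothetical; the sample
input is the log quoted above, unwrapped to one entry per line.

```python
import re

# Log entries quoted in the message above, unwrapped to one entry per line.
SAMPLE_LOG = """\
postfix/smtp[4535]: mx16a.antispameurope.com[94.100.134.100]:25: certificate verification depth=2 verify=1 subject=/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
postfix/smtp[4535]: mx16a.antispameurope.com[94.100.134.100]:25: certificate verification depth=1 verify=0 subject=/C=DE/O=T-Systems International GmbH/OU=T-Systems Trust Center/ST=Nordrhein Westfalen/postalCode=57250/L=Netphen/streetAddress=Untere Industriestr. 20/CN=TeleSec ServerPass DE-2
postfix/smtp[4535]: CA certificate verification failed for mx16a.antispameurope.com[94.100.134.100]:25: num=7:certificate signature failure
"""

# "<host>[<ip>]:<port>: certificate verification depth=N verify=0|1 subject=..."
DEPTH_RE = re.compile(
    r"(?P<peer>\S+\[[\d.]+\]:\d+): certificate verification "
    r"depth=(?P<depth>\d+) verify=(?P<ok>[01]) subject=(?P<subject>.+)$")
# "... certificate verification failed for <peer>: num=N:<reason>"
FAIL_RE = re.compile(
    r"certificate verification failed for (?P<peer>\S+\[[\d.]+\]:\d+): "
    r"num=(?P<num>\d+):(?P<reason>.+)$")


def common_name(subject):
    """Last CN= component of a one-line subject (hypothetical helper)."""
    return subject.rsplit("/CN=", 1)[-1]


def failed_links(log_text):
    """Pair each verification failure with the chain entry that logged verify=0
    and with the entry one depth higher, whose key should have verified it."""
    chains, reports = {}, []
    for line in log_text.splitlines():
        m = DEPTH_RE.search(line)
        if m:
            chains.setdefault(m["peer"], {})[int(m["depth"])] = (
                m["ok"] == "1", m["subject"])
            continue
        m = FAIL_RE.search(line)
        if not m:
            continue
        chain = chains.pop(m["peer"], {})
        for depth, (ok, subject) in sorted(chain.items()):
            if not ok:
                issuer = chain.get(depth + 1, (None, "(not logged)"))[1]
                reports.append({
                    "peer": m["peer"], "num": int(m["num"]),
                    "reason": m["reason"], "depth": depth,
                    "failed": common_name(subject),
                    "signed_by": common_name(issuer)})
    return reports
```

For the log above this reports the depth-1 certificate as the failed link and
the depth-2 root as its signer, which is the certificate whose signature
algorithm is worth inspecting.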