On Tue, Jun 09, 2015 at 05:49:53PM -0700, PGNd wrote:
> > This means that the server's certificate is not issued by a CA trusted
> > by the client
>
> In configs
>
> CLIENT/master.cf
> ...
> relay-remote unix - - n - - smtp
> ...
>   -o smtp_tls_cert_file=/etc/ssl/mail/relay-remote.crt
>   -o smtp_tls_key_file=/etc/ssl/mail/relay-remote.key
This sets the client's certificate chain file, not its list of
trusted CAs. For the latter you need "smtp_tls_CApath" or
"smtp_tls_CAfile" (when the list of trusted CAs is short).
> Forcing the CA crt identity
>
> CLIENT/master.cf
> ...
> relay-remote unix - - n - - smtp
> ...
> +  -o smtp_tls_CAfile=/etc/ssl/mail/DDDD_CA.crt
>   -o smtp_tls_cert_file=/etc/ssl/mail/relay-remote.crt
>   -o smtp_tls_key_file=/etc/ssl/mail/relay-remote.key
> +  -o tls_append_default_CA=no
> ...
> ...
>
> does it. Now on send, at remote log
>
> Jun 9 17:37:19 remote016 postfix/relay-remote/smtp[23270]: Trusted TLS connection established to internal.local010.DDDD.com[10.128.1.10]:11587: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>
> the Trust @ client of the server is established.
But you're still not authenticating the server. For that you'll need:
smtp_tls_security_level=secure
so that the client verifies the server hostname also and refuses to
proceed when authentication fails.
> Either my chained certs are not correctly constructed, or my client-side
> Postfix isn't correctly configured to find / use the chain path.
No, you're just expecting the chain file to be a trust store, but
that's not what it is for.
--
Viktor.
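Putting the two corrections from the reply together, here is an added example (not the thread's own configuration) of the CLIENT/master.cf transport entry. The transport name and file paths are the ones quoted above; the comments spell out which parameter does what, since the thread's confusion was between the chain the client presents and the CAs the client trusts.

```conf
# Added example, not from the thread: corrected CLIENT/master.cf entry.
#
# smtp_tls_cert_file / smtp_tls_key_file : the chain this client PRESENTS
#                                          to the server (client identity).
# smtp_tls_CAfile (or smtp_tls_CApath)   : the CA(s) this client TRUSTS to
#                                          have issued the server's cert.
# tls_append_default_CA=no               : trust only that CA, not the
#                                          system bundle as well.
# smtp_tls_security_level=secure         : verify the chain AND the server
#                                          hostname; refuse to send when
#                                          either check fails.
relay-remote unix - - n - - smtp
  -o smtp_tls_security_level=secure
  -o smtp_tls_CAfile=/etc/ssl/mail/DDDD_CA.crt
  -o tls_append_default_CA=no
  -o smtp_tls_cert_file=/etc/ssl/mail/relay-remote.crt
  -o smtp_tls_key_file=/etc/ssl/mail/relay-remote.key
```

The `-o` lines must stay indented, since master.cf treats a line starting with whitespace as a continuation of the entry above it. At the "secure" level the certificate is matched against the next-hop domain by default, so relay to the server by the DNS name that appears in its certificate rather than a bare IP address. When authentication succeeds the client logs "Verified TLS connection established" instead of "Trusted"; a "Trusted" line only says the chain verified, which at the default "may" level is logged and then ignored.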
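To check the trust store and hostname match offline before touching Postfix, the following is an added example script (not from the thread) that builds a throwaway private CA, an unrelated CA and a server certificate, then runs the two checks the "secure" level performs: chain verification against the CA file, and hostname verification. The hostname `internal.local010.example` and all file names are constructed for the demo; `-no-CAfile -no-CApath` plays the role of `tls_append_default_CA=no`.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the client-side checks of
# smtp_tls_security_level=secure with openssl, using throwaway certificates.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=internal.local010.example   # constructed server name for the demo

# Private CA: this is the kind of file that belongs in smtp_tls_CAfile.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Demo Private CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# A second, unrelated CA, to show what an untrusted issuer looks like.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Unrelated CA" \
  -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.crt" >/dev/null 2>&1

# Server certificate issued by the private CA, with the hostname as a SAN.
# This cert (plus its issuer) is what the SERVER presents; it is never the
# client's trust store.
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=$HOST" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.cnf"
openssl x509 -req -days 1 -in "$WORK/server.csr" \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -extfile "$WORK/san.cnf" -out "$WORK/server.crt" >/dev/null 2>&1

# Chain check only: was CERT issued by a CA listed in CAFILE?
# This is all that "Trusted TLS connection established" tells you.
chain_ok() {  # chain_ok CAFILE CERT
  openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Chain AND hostname check: what level "secure" enforces before sending.
secure_ok() {  # secure_ok CAFILE HOST CERT
  openssl verify -no-CAfile -no-CApath -CAfile "$1" \
    -verify_hostname "$2" "$3" >/dev/null 2>&1
}

# Demo run: expected results are Trusted, Verified, then two refusals.
if chain_ok "$WORK/ca.crt" "$WORK/server.crt"; then
  echo "private CA as trust store: chain Trusted"
fi
if secure_ok "$WORK/ca.crt" "$HOST" "$WORK/server.crt"; then
  echo "secure, correct hostname: Verified"
fi
if ! secure_ok "$WORK/ca.crt" other.example "$WORK/server.crt"; then
  echo "secure, wrong hostname: refused (chain fine, name mismatch)"
fi
if ! chain_ok "$WORK/other-ca.crt" "$WORK/server.crt"; then
  echo "unrelated CA as trust store: refused (Untrusted)"
fi
```

The third case is the one only "secure" catches: the chain is fine, so a client at level "may" would log "Trusted" and carry on, while "secure" refuses because the name in the certificate is not the one it was told to relay to.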