> On Fri, Sep 25, 2015 at 06:16:10PM +0300, Michael Peter wrote:
>
>> I have configured postfix to check CAfile which contains only GoDaddy
>> root
>> certificate as follows for outgoing emails.
>>
>> smtp_tls_CAfile = /etc/certs/go-daddy-root-ca.crt
>
> Which certificates are in that file? Report the output of:
>
> openssl crl2pkcs7 -nocrl -certfile /etc/certs/go-daddy-root-ca.crt |
> openssl pkcs7 -print_certs -noout

subject=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2

>
>> my surprise that still postfix trust the server certificates when email
>> is
>> sent to Yahoo or Gmail..
>
> Post the relevant logs. Do you use the same transport for Google
> and Yahoo as for mail to GoDaddy? If not, are there any
> master.cf overrides for the transports in question.

All emails use the same default transport. My transport file is empty, so all use the same transport.

In case smtp_tls_CAfile does not exist in main.cf: (CA file has GoDaddy root certificate only)

postfix/smtp[30874]: certificate verification failed for mta6.am0.yahoodns.net[98.138.112.32]:25: untrusted issuer /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

In case smtp_tls_CAfile exists in main.cf: (CA file has GoDaddy root certificate only)

postfix/smtp[30107]: Trusted TLS connection established to mta5.am0.yahoodns.net[66.196.118.37]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

>
>> So I have removed smtp_tls_CAfile which contained only GoDaddy root
>> certificate from main.cf, now postfix is not trusting Yahoo or Gmail
>> when
>> sending emails to them.
>

Posted above.

> Also post logs for this outcome.
>
>> smtp_tls_CAfile = /etc/ssl/certs/godaddy-root.crt
>> smtp_tls_loglevel = 2
>
> Too verbose, 1 is enough.

Confirmed.

>
> What version of Postfix are you using?

postfix/master[7500]: reload -- version 2.6.6, configuration /etc/postfix

>
> --
> Viktor.
>