hyndavirap...@bel.co.example:
> 1. error log before adding "smtp_tls_CAfile" param is as follows
>

I replaced the top-level domain name for privacy reasons.

> postfix/smtp[3525]: certificate verification failed for
> 201.123.80.173[201.123.80.173]:25: untrusted issuer
> /C=EXAMPLE/ST=karnataka/L=bangalore/O=bel/OU=crl/CN=MilitaryMessagingCA/emailAddress=ca_ad...@bel.co.example

The certificate could not be verified because an issuer in the trust
chain was not known.

> postfix/smtp[3525]: 804E8232A0: to=<cdr....@ahq.tcs.mil.example>,
> relay=201.123.80.173[201.123.80.173]:25, delay=10, delays=0.13/0.01/10/0,
> dsn=4.7.5, status=deferred (Server certificate not trusted)

You require certificate verification, and thus mail is deferred.

> 2. Error log after adding following param
>
> smtp_tls_CAfile = /root/hyndavi/CA_cert.pem
>
> postfix/smtp[6891]: 17A3F232B1: to=<cdr....@ahq.tcs.mil.example>,
> relay=201.123.80.173[201.123.80.173]:25, delay=337, delays=327/0.02/10/0,
> dsn=4.7.5, status=deferred (Server certificate not verified)

Now it knows the issuer, but the name in the certificate does not
match what Postfix expected. The default is to match the next-hop
domain but you can change that per-destination in smtp_tls_policy_maps
with the "match=" attribute, or globally with smtp_tls_secure_cert_match.

	Wietse
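
The two options named in the reply above, written out as a configuration sketch. This is an added example, not part of the original thread. The policy table path, the next-hop key, the "secure" level and SERVER-CERT-NAME are assumptions or placeholders; the page does not show the name carried in the server certificate.

```conf
# ---- /etc/postfix/main.cf ----
# CA file taken from the thread; it makes the issuer known to Postfix.
smtp_tls_CAfile = /root/hyndavi/CA_cert.pem

# Option 1 (per destination): point Postfix at a TLS policy table.
# The table path is an assumption.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Option 2 (global): change which names are accepted at the "secure"
# level for every destination. The Postfix default is shown here.
#smtp_tls_secure_cert_match = nexthop, dot-nexthop

# ---- /etc/postfix/tls_policy ----
# Left-hand side: the next-hop destination exactly as Postfix uses it
# (assumed here to be the recipient domain; use the [host] form if a
# transport map routes mail to a bracketed next hop).
# match= lists the certificate names to accept, colon-separated.
# SERVER-CERT-NAME is a placeholder for a name that is really present
# in the server certificate (subjectAltName DNS entry, or CN if no
# DNS subjectAltName exists).
ahq.tcs.mil.example    secure match=SERVER-CERT-NAME

# After editing the table:
#   postmap /etc/postfix/tls_policy
#   postfix reload
#
# To see which names the server certificate carries before choosing
# the match= value:
#   openssl s_client -starttls smtp -connect 201.123.80.173:25 \
#       -CAfile /root/hyndavi/CA_cert.pem </dev/null \
#     | openssl x509 -noout -text
```

Keep the match= list as narrow as the certificate allows: every name listed there is a name that any certificate signed by a trusted CA can present and be accepted for this destination.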