On Tue, Nov 17, 2015 at 10:58:13PM -0500, Bill Cole wrote:

> >[root@knox certs]# postconf -n | grep tls
> >smtp_tls_CAfile = /etc/ssl/certs/startssl-ca-bundle.pem
> >smtp_tls_CApath = /etc/ssl/certs/
>
> That's likely to be wrong. smtp_tls_CApath needs to be more than just a
> directory where there are some CA certs.

On many a Debian system, /etc/ssl/certs is automatically c_rehash'ed by the
Debian package that manages trusted CAs. So it could well be right. Of
course chroot voids the warranty.

> >smtp_tls_loglevel = 1
>
> Switch that to 2 to see the details of the verification failure. Don't leave
> it at 2 for normal use.

No need. That'll just make things more confusing. With "may" the peer
is *never* "Trusted".

> One thing to try to find whether the problem is due to your system's
> default CA configuration:

There is no problem.

-- 
Viktor.
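
Whether a directory such as /etc/ssl/certs has in fact been c_rehash'ed can be checked by looking for OpenSSL's hash-named links. The following is an added example, not part of the original message; the function name `capath_status` is hypothetical, and it assumes OpenSSL's hashed-directory naming (eight hex digits, a dot, a sequence number).

```shell
#!/bin/sh
# Added example: report whether a directory looks like an OpenSSL hashed
# CA directory (the kind smtp_tls_CApath expects).
# Prints "hashed=N dangling=M certs=K" and returns 0 only if at least one
# hash-named entry resolves to a readable regular file.
capath_status() {
    dir=$1
    hashed=0
    dangling=0
    certs=0
    for f in "$dir"/*; do
        # Skip the literal pattern left behind when the directory is empty,
        # but keep dangling symlinks (-e is false for those, -L is true).
        [ -e "$f" ] || [ -L "$f" ] || continue
        name=${f##*/}
        if printf '%s\n' "$name" | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'; then
            # Hash-named entry: usable only if it resolves to a readable file.
            if [ -f "$f" ] && [ -r "$f" ]; then
                hashed=$((hashed + 1))
            else
                dangling=$((dangling + 1))
            fi
        else
            # Plain certificate files that the hash links normally point at.
            case $name in
                *.pem|*.crt) certs=$((certs + 1)) ;;
            esac
        fi
    done
    echo "hashed=$hashed dangling=$dangling certs=$certs"
    [ "$hashed" -gt 0 ]
}

# Stand-alone use: sh capath_status.sh /etc/ssl/certs
[ $# -eq 0 ] || capath_status "$1"
```

A result with `certs` above zero and `hashed=0` describes a directory that merely holds some CA certificates. Run it against the path as the Postfix process sees it, which differs from the host path when the service is chrooted.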