On Sat, Oct 05, 2019 at 11:51:24AM +0200, Gerben Wierda wrote:

> [...], my log says:
>
> Oct 05 11:35:21 mail postfix/smtpd[2218]: cannot load Certification
> Authority data,
> CAfile="/etc/certificates/www.rna.nl.F1BCD75E0F6DD3B3B0145CB328699BDEEF21FA5C.chain.pem":
> disabling TLS support

Are you sure this is a CAfile (containing certificates of root CAs, a.k.a.
trust anchors)?  Based on the name, I would have guessed this to be a
certificate chain file for the server's own certificate, possibly also
including the server's private key?

Please post the output of (and/or errors reported by):

    # chain=/etc/certificates/www.rna.nl.F1BCD75E0F6DD3B3B0145CB328699BDEEF21FA5C.chain.pem
    # egrep '^-----' "$chain"
    # openssl crl2pkcs7 -nocrl -certfile "$chain" |
        openssl pkcs7 -print_certs -noout -text |
        egrep '(Certificate|Subject|Issuer):'

this should show the types of PEM objects stored in that file, without
disclosing any sensitive content.

> Does chrooting smtpd require a local copy of certificates inside the chroot
> jail?

No.  The SMTP server loads its CAfile before entering the chroot jail (while
still running as root).  There must be something wrong with that file, but
you've elided the logging of the error:

    if (CAfile || CApath) {
	if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
	    msg_info("cannot load Certification Authority data, "
		     CA_PATH_FMT CA_PATH_FMT ": disabling TLS support",
		     CA_PATH_ARGS(CAfile, CApath),
		     CA_PATH_ARGS(CApath, 0));
	    tls_print_errors();
	    return (-1);
	}
	...
    }

The tls_print_errors() function logs the actual reason as reported by the
OpenSSL library.

-- 
	Viktor.
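The check suggested in the reply above, carried out with the Python standard library as an added example (this is not code from the thread or from Postfix): it tallies the PEM object types the way `egrep '^-----' "$chain"` lists them, flags a file that carries private key material or no certificates at all as unsuitable for CAfile, and then hands the file to OpenSSL through `ssl.SSLContext.load_verify_locations()`, the same `SSL_CTX_load_verify_locations()` call smtpd makes, so that the OpenSSL reason `tls_print_errors()` would log becomes visible. The sample PEM text is constructed here with placeholder base64 bodies; it is not a real certificate or key.

```python
# Added example: inspect a candidate CAfile with the Python standard library.
import os
import re
import ssl
import tempfile
from collections import Counter

PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----[ \t]*$", re.MULTILINE)

# Labels that mean "private key material", never legitimate in a CAfile.
PRIVATE_KEY_LABELS = {
    "PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY",
    "DSA PRIVATE KEY", "EC PRIVATE KEY",
}


def pem_object_types(pem_text):
    """Count PEM objects by label, like `egrep '^-----' file` but tallied."""
    return Counter(PEM_BEGIN.findall(pem_text))


def assess_cafile(pem_text):
    """Return (looks_like_ca_bundle, findings) from the object labels alone.

    Labels cannot tell a root CA from a leaf certificate (that needs the
    Subject/Issuer output of `openssl pkcs7 -print_certs -text`), but they
    catch the two gross mistakes: no certificates at all, and a server
    chain file that also carries the private key.
    """
    types = pem_object_types(pem_text)
    findings = []
    n_certs = types["CERTIFICATE"] + types["TRUSTED CERTIFICATE"]
    if n_certs == 0:
        findings.append("no CERTIFICATE objects: SSL_CTX_load_verify_locations() "
                        "has nothing to load")
    keys = sorted(lbl for lbl in types if lbl in PRIVATE_KEY_LABELS)
    if keys:
        findings.append("contains private key material (%s): this is a server "
                        "key/chain file, not a bundle of trust anchors"
                        % ", ".join(keys))
    return (not findings, findings)


def openssl_load_reason(pem_text):
    """Load the text as a CAfile the way smtpd does.

    Returns None when OpenSSL accepts the file, otherwise the OpenSSL error
    text (the detail that Postfix emits through tls_print_errors()).
    """
    fd, path = tempfile.mkstemp(suffix=".pem")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(pem_text)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            ctx.load_verify_locations(cafile=path)
        except ssl.SSLError as err:
            return str(err)
        return None
    finally:
        os.unlink(path)


# Constructed sample with the shape of a "*.chain.pem" server file.
# The base64 bodies are placeholders, not real certificates or keys.
SAMPLE_CHAIN_PEM = """\
-----BEGIN CERTIFICATE-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    print(dict(pem_object_types(SAMPLE_CHAIN_PEM)))
    ok, findings = assess_cafile(SAMPLE_CHAIN_PEM)
    print("usable as CAfile:", ok)
    for finding in findings:
        print(" -", finding)
    print("OpenSSL says:", openssl_load_reason(SAMPLE_CHAIN_PEM))
```

Run against a real file by reading it into `pem_text`; the label tally and the findings are safe to paste into a mailing-list post, since neither reproduces any object body, while `openssl_load_reason()` gives the same OpenSSL error text that a `tls_print_errors()` line in the mail log would carry.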