On Wed, 8 Jul 2020 09:03:52 +0200 Rainer Ruprechtsberger <ruprechtsber...@volkshilfe-ooe.at> wrote:
> Hello,
>
> this is not my only problem with TLS verification - and I'm struggling
> to debug this:
>
> *mail.mail.protection.outlook.com cannot be verified by postfix:
> posttls-finger: certificate verification failed for
> blahblahommited.mail.protection.outlook.com[104.47.14.36]:25:
> untrusted issuer /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign
> Root CA
>
> But I do trust this CA:
> smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
>
> Which I did verify by:
> openssl s_client -CAfile
> /var/spool/postfix/etc/ssl/certs/ca-certificates.crt -connect
> blahblahommited.mail.protection.outlook.com:25 --starttls smtp
>
> That gave:
> ...
> SSL handshake has read 3975 bytes and written 543 bytes
> Verification: OK
> ...
> SSL-Session:
> ...
> Verify return code: 0 (ok)
>
> There is an intermediate CA involved:
> issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization
> Validation CA
> - SHA256 - G3
>
> But this Certificate is signed by above mentioned CA (which
> posttls-finger says it doesn't trust).
>
> My system is a Debian Buster, postfix version 3.4.10-0+deb10u1.
>
> Any pointers to resolve this would be appreciated.
>
> lg,
>

I had the same problem; I solved it by creating a certificate chain with the
server certificate and the CA intermediate certificate with:

cat server.cer intermediate.cer > server_chain.cer

After that, in main.cf you use server_chain.cer as
smtpd_tls_cert_file.

-- 
-----------------------------------------------------------
      Enrico Morelli
      System Administrator | Programmer | Web Developer

      CERM - Polo Scientifico
      via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
------------------------------------------------------------
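
An added example, not part of the original message: shell functions that build a chain file in the order the reply above gives (server certificate, then intermediate) and check it with openssl before smtpd_tls_cert_file points at it. The function names and every file argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). All file names are supplied by the
# caller; none of them come from the original messages.

# build_chain LEAF INTERMEDIATE OUT
# Server certificate first, then the intermediate that issued it.
build_chain() {
    cat "$1" "$2" > "$3"
}

# chain_order_ok CHAIN
# Succeeds when every certificate in CHAIN is issued by the one after it.
chain_order_ok() {
    dir=$(mktemp -d) || return 2
    # Split the bundle into 1.pem, 2.pem, ... in file order.
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/" n ".pem") }' "$1"
    i=1 rc=0
    [ -f "$dir/1.pem" ] || rc=1        # no certificate found at all
    while [ -f "$dir/$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -noout -issuer_hash -in "$dir/$i.pem")
        subject=$(openssl x509 -noout -subject_hash -in "$dir/$((i + 1)).pem")
        [ "$issuer" = "$subject" ] || rc=1
        i=$((i + 1))
    done
    rm -rf "$dir"
    return "$rc"
}

# chain_verifies ROOTS CHAIN
# Succeeds when the first certificate in CHAIN validates to a root in ROOTS
# using only the certificates in CHAIN as untrusted intermediates, which is
# the material a peer receives when the server presents CHAIN.
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}
```

A file holding only the server certificate passes chain_order_ok but fails chain_verifies, because the intermediate is missing from what the server would present.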