On Wed, Jul 08, 2020 at 09:03:52AM +0200, Rainer Ruprechtsberger wrote:

> this is not my only problem with TLS verification - and I'm struggling
> to debug this:
>
> *mail.mail.protection.outlook.com cannot be verified by postfix:
> posttls-finger: certificate verification failed for
> blahblahommited.mail.protection.outlook.com[104.47.14.36]:25: untrusted
> issuer /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
>
> But I do trust this CA:
> smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

The posttls-finger(1) utility does not use the "smtp_tls_CAfile"
parameter, which is specific to the smtp(8) delivery agent. Its CAfile
has to be set explicitly via the "-F" command-line option.

> Which I did verify by:
> openssl s_client -CAfile
> /var/spool/postfix/etc/ssl/certs/ca-certificates.crt -connect
> blahblahommited.mail.protection.outlook.com:25 --starttls smtp

/var/spool/postfix/etc/ssl/certs/ca-certificates.crt != /etc/ssl/certs/ca-certificates.crt

Why are you running s_client with that particular choice of filename?
Along with any private keys, DH parameters, ... the CAfile is loaded by
Postfix *before* it drops privileges and enters the chroot jail.

-- 
Viktor.
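A small pre-flight check for the two points made above (posttls-finger only trusts a CAfile passed with -F, and the path must be the real one, not the copy under the chroot), added here as an example and not code from the thread or from Postfix; the queue directory default, the function names and the host names are assumptions.

```shell
#!/bin/sh
# Constructed example: sanity-check a CAfile before handing it to
# posttls-finger.  Postfix reads smtp_tls_CAfile before it chroots, so the
# copy under the queue directory is never what smtp(8) verifies against.
QUEUE_DIR=${QUEUE_DIR:-/var/spool/postfix}   # assumed Postfix queue directory

# classify_cafile PATH
# Prints "chroot" when PATH lies under the queue directory (the copy the
# chrooted smtp(8) does not read), "missing" when unreadable, else "ok".
classify_cafile() {
    case "$1" in
        "$QUEUE_DIR"/*) echo chroot; return 0 ;;
    esac
    if [ -r "$1" ]; then echo ok; else echo missing; fi
}

# chroot_copy_stale CAFILE
# Succeeds when a copy of CAFILE exists under QUEUE_DIR and differs from
# the real file: a stale chroot copy that would mislead an s_client test.
chroot_copy_stale() {
    copy="$QUEUE_DIR$1"
    [ -f "$copy" ] || return 1
    if cmp -s "$1" "$copy"; then return 1; fi
    return 0
}

# finger_cmd CAFILE HOST
# Prints the posttls-finger invocation that verifies HOST's chain against
# CAFILE: -F supplies the trust store posttls-finger would otherwise lack,
# -lverify requests a verified chain, -c skips the SMTP chat afterwards.
finger_cmd() {
    printf 'posttls-finger -c -lverify -F %s %s\n' "$1" "$2"
}

# Stand-alone use: ./check.sh CAFILE HOST
if [ $# -eq 2 ]; then
    echo "CAfile: $(classify_cafile "$1")"
    if chroot_copy_stale "$1"; then
        echo "warning: copy under $QUEUE_DIR differs from $1"
    fi
    finger_cmd "$1" "$2"
fi
```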