On 08.07.20 14:34, Viktor Dukhovni wrote:
>
> /var/spool/postfix/etc/ssl/certs/ca-certificates.crt !=
> /etc/ssl/certs/ca-certificates.crt
>
> Why are you running s_client with that particular choice of filename?
> Along with any private keys, DH parameters, ... the CAfile is loaded by
> Postfix *before* it drops privileges and enters the chroot jail.
>
Because smtp has 'y' in 'chroot' in master.cf - therefore I assumed that it looks in its chroot for the CA file. Anyway - I did verify it gets copied correctly at postfix startup. One of the pitfalls I did think of.. ;)

Still not sure what actually happened.. but since -F was explained to me there is no longer any difference between posttls-finger and s_client (both verify). So now I do need to look where on earth the can't verify came from since it looks like I can't reproduce it (which I thought I did when I posted on the list).

/r