On Thu, Jan 21, 2021 at 11:19:13PM +0100, Pau Peris wrote:

> Does someone know how I can make postfix show the absolute path for the
> TLS certificate used?

There is no such feature.  But if you're not using SNI, the certificate
chain is the same for all clients, and you can just connect to your
server and see the dates on the returned chain with:

    $ posttls-finger -lsecure -cC "[smtp.server.example]" |
          openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
          openssl pkcs7 -print_certs -text -noout |
          egrep -A4 'Issuer:'

If you are using SNI, you can repeat the above for each supported
SNI name:

    $ posttls-finger -s "smtp.server2.example" ...

Or, if you know which SNI name this particular client was likely
using, just use the same one.

> Postfix config file seems fine but obviously there's some kind of
> mistake on my side, so I would like to make the following error more
> verbose or be able to find the certificate in use.
>
> postfix/smtpd[3733]: warning: TLS library problem: error:14094415:SSL
> routines:ssl3_read_bytes:sslv3 alert certificate
> expired:../ssl/record/rec_layer_s3.c:1544:SSL alert number 45:

It is also possible that the expired certificate is on the client
side in its own trust store.

-- 
    Viktor.
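An added example, not part of Viktor's reply or of Postfix itself: a small Python parser for the `egrep -A4 'Issuer:'` output of the pipeline above that reports which certificates in the returned chain are outside their validity window at a chosen instant. The chain text, names and dates below are constructed placeholders.

```python
# Added example: parse the "Issuer:/Validity/Not Before/Not After/Subject"
# groups printed by the posttls-finger | openssl pipeline and flag any
# certificate in the chain that is expired (or not yet valid) at `now`.
import re
from datetime import datetime, timezone

# Constructed sample of the egrep -A4 output; "--" is egrep's group separator.
SAMPLE = """\
        Issuer: O = Example CA, CN = Example Intermediate CA
        Validity
            Not Before: Nov 22 00:00:00 2020 GMT
            Not After : Jan 20 23:59:59 2021 GMT
        Subject: CN = smtp.server.example
--
        Issuer: O = Example CA, CN = Example Root CA
        Validity
            Not Before: Sep  4 00:00:00 2020 GMT
            Not After : Sep 15 16:00:00 2025 GMT
        Subject: O = Example CA, CN = Example Intermediate CA
"""

FIELD = re.compile(r"^\s*(Issuer|Subject|Not Before|Not After)\s*:\s*(.+?)\s*$")

def parse_openssl_time(s):
    """Parse openssl's 'Sep  4 00:00:00 2020 GMT' form into an aware UTC datetime."""
    if s.endswith(" GMT"):
        s = s[:-4]
    return datetime.strptime(s, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def parse_chain(text):
    """Return one dict per certificate; a new 'Issuer' line starts the next cert."""
    certs, cur = [], {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, val = m.groups()
        if key == "Issuer" and cur:
            certs.append(cur)
            cur = {}
        cur[key] = parse_openssl_time(val) if key.startswith("Not") else val
    if cur:
        certs.append(cur)
    return certs

def check_validity(certs, now):
    """Return (subject, problem) pairs for certificates not valid at `now`."""
    problems = []
    for c in certs:
        if now > c["Not After"]:
            problems.append((c["Subject"], "expired %s" % c["Not After"].date()))
        elif now < c["Not Before"]:
            problems.append((c["Subject"], "not yet valid"))
    return problems

if __name__ == "__main__":
    # Constructed check time: the original message's timestamp, in UTC.
    now = parse_openssl_time("Jan 21 22:19:13 2021 GMT")
    for subject, problem in check_validity(parse_chain(SAMPLE), now):
        print("%s: %s" % (subject, problem))
```

Feed it the real pipeline output instead of SAMPLE to see whether the server's own leaf or an intermediate is the expired one; if nothing is flagged, that supports Viktor's point that the expired certificate may live in the client's trust store instead.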