> Sent: Wednesday, September 29, 2021 at 10:45 AM
> From: "raf" <post...@raf.org>
> To: postfix-users@postfix.org
> Subject: Re: Client certification verifications fails with not designated for
> use as a CA certificate
>
> On Wed, Sep 29, 2021 at 02:25:16PM +0200, Bugz Bunny <bugzbu...@gmx.com>
> wrote:
>
> > Hello list,
> >
> > For the past 6 hours, I have not made any iota of progress towards
> > getting this to work. The certificate chain is Root CA > Intermediate
> > CA > Client and Server cert. The openssl x509 -text outputs for the
> > CA's are included in E-Mail attachments.
> >
> > postconf -n
> > postconf: warning: /etc/postfix/master.cf: undefined parameter:
> > submission_sender_restrictions
>
> You should define submission_sender_restrictions or
> remove the reference to it from master.cf.

Will do!

> > alias_database = hash:/etc/aliases
> > alias_maps = hash:/etc/aliases
> > command_directory = /usr/sbin
> > daemon_directory = /usr/libexec/postfix
> > data_directory = /var/lib/postfix
> > debug_peer_level = 2
> > debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
> > $daemon_directory/$process_name $process_id & sleep 5
> > header_checks = regexp:/etc/postfix/header_checks
> > html_directory = no
> > inet_protocols = all
> > mailq_path = /usr/bin/mailq.postfix
> > manpage_directory = /usr/share/man
> > milter_default_action = accept
> > mydestination =
> > mynetworks = 52.14.9.241/32 107.173.129.223/32 127.0.0.1/32
> > newaliases_path = /usr/bin/newaliases.postfix
> > readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
>
> Postfix 2.10 reached end of life over five years ago.
> Upgrading would be a great idea if at all possible.

Actually, this is postfix-3.5.8-1.el8.x86_64.

> > relay_domains = lhprojects.net, lhpmail.us
> > relay_transport = smtp:smtp.lhpmail.us:587
>
> The above should probably be smtp:[smtp.lhpmail.us]:587
> to suppress an unnecessary MX lookup for smtp.lhpmail.us.

I thought this was already fixed.

> > sample_directory = /usr/share/doc/postfix-2.10.1/samples
> > sender_canonical_maps = hash:/etc/postfix/sender_canonical_maps
> > sendmail_path = /usr/sbin/sendmail.postfix
> > setgid_group = postdrop
> > smtp_destination_concurrency_limit = 2
> > smtp_destination_rate_delay = 5s
> > smtp_extra_recipient_limit = 10
> > smtp_use_tls = yes
> > smtpd_banner = $myhostname - Connected to LHProjects Information Network
> > E-Mail Server
> > smtpd_milters = inet:127.0.0.1:11332
> > smtpd_recipient_restrictions = permit_mynetworks permit_inet_interfaces
> > reject_unauth_destination
> > smtpd_tls_cert_file = /etc/ssl/postfix/mx.cert.pem
> > smtpd_tls_key_file = /etc/ssl/postfix/mx.key.pem
> > smtpd_tls_loglevel = 2
> > unknown_local_recipient_reject_code = 550
>
> You are setting smtpd_tls_cert_file and smtpd_tls_key_file
> but you are not setting "smtpd_tls_security_level = may"
> (or "smtpd_use_tls = yes"), so they won't be used for
> STARTTLS on port 25.

Will do!

> You probably want to add "smtpd_tls_security_level = may".
> That's the modern equivalent of "smtpd_use_tls = yes".
> That will make it possible for incoming email on port 25
> to be encrypted, not just outgoing mail (which is made
> possible by "smtp_use_tls = yes" or
> "smtp_tls_security_level = may").

I appreciate the pointers, thanks. Regards.
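
The configuration points raised in this thread can be checked mechanically against `postconf -n` output. The script below is an added example, not part of the original messages or of Postfix; the function names `parse_postconf` and `audit` are hypothetical, and the sample is an excerpt of the settings quoted above.

```python
import re

# Excerpt of the `postconf -n` output quoted in the thread (subset only).
SAMPLE = """\
relay_domains = lhprojects.net, lhpmail.us
relay_transport = smtp:smtp.lhpmail.us:587
smtp_use_tls = yes
smtpd_tls_cert_file = /etc/ssl/postfix/mx.cert.pem
smtpd_tls_key_file = /etc/ssl/postfix/mx.key.pem
smtpd_tls_loglevel = 2
"""

def parse_postconf(text):
    """Parse `name = value` lines; indented lines continue the previous value."""
    params, last = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and last:
            params[last] += " " + line.strip()
        elif "=" in line:
            name, value = line.split("=", 1)
            last = name.strip()
            params[last] = value.strip()
    return params

def audit(params):
    """Return findings for the issues discussed in the thread (hypothetical helper)."""
    findings = []
    # Server cert/key configured, but STARTTLS never enabled for smtpd.
    tls_on = (params.get("smtpd_tls_security_level", "") not in ("", "none")
              or params.get("smtpd_use_tls", "no") == "yes")
    if params.get("smtpd_tls_cert_file") and not tls_on:
        findings.append("smtpd_tls_cert_file is set but smtpd TLS is off; "
                        "add smtpd_tls_security_level = may")
    # transport:nexthop without [brackets] triggers an MX lookup on the nexthop.
    for key in ("relay_transport", "default_transport"):
        m = re.match(r"^[^:\s]+:([^\[\s:][^\s:]*)(:\S+)?$", params.get(key, ""))
        if m:
            port = m.group(2) or ""
            findings.append(f"{key}: use [{m.group(1)}]{port} to skip the MX lookup")
    # Legacy on/off switches that the *_tls_security_level parameters replace.
    for old, new in (("smtp_use_tls", "smtp_tls_security_level"),
                     ("smtpd_use_tls", "smtpd_tls_security_level")):
        if params.get(old) == "yes" and new not in params:
            findings.append(f"{old} = yes is the legacy form of {new} = may")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_postconf(SAMPLE)):
        print("-", finding)
```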