I am working on setting up Postfix to banish another MTA, so I have set up two virtual machines, one being a mail gateway and the other a null client, using internal IPs for initial testing. I have an RSA wildcard certificate from GoDaddy that I am struggling to get Postfix to use. I can point the null client at a non-Postfix system with the same certificate and the logs show that all is well with the certificate on that server, so I think the null client setup is correct. But when I point the Postfix null client at my test Postfix mail gateway I see "Untrusted TLS connection established to..." on the null client and "Anonymous TLS connection established from..." on the gateway. The documentation recommends an OpenSSL test, but I am not sure I have the syntax 100% correct since there was no example in the documentation. I have searched the list trying to see if there was a known issue with GoDaddy without finding anything specific to Postfix or wildcard certificates (GoDaddy would not be my choice of registrar).
Any suggestions on next steps to sort this out?

OpenSSL test mentioned in the documentation:

    openssl verify -CAfile gd_bundle-g2-g1.pem -purpose sslserver wild.pem
    wild.pem: OK

Tests

1. I started with the typical settings, after running an OpenSSL command to remove the password from the private key.

    smtpd_tls_key_file = /etc/pki/tls/private/wild.key
    smtpd_tls_cert_file = /etc/pki/tls/certs/wild.pem

2. I tried concatenating the wildcard certificate followed by the GoDaddy gd_bundle-g2-g1.pem.

3. I noticed there were "Bag Attributes" at the top of my wildcard certificate. I removed these without any change.

4. I removed the "Bag Attributes" at the top of my wildcard cert that was merged with the GoDaddy bundle.

5. While I did not want to do it, I tried putting the key at the top of the certificate file, followed by the wildcard certificate. (.key screams "be careful"; .pem not so much.)

6. I tried the key, wildcard cert and GoDaddy bundle concatenated into one file.

7. I imported the certificate on a Windows PC to verify that Windows saw it as valid, just in case something had happened to it. I exported the .PFX version with OpenSSL into new certificate/key files and repeated the above tests.

8. I also tried setting smtpd_tls_CApath = /etc/pki/tls/certs, which is where the GoDaddy bundle is located along with the various wildcard certs I have created.

9. I initially used Postfix 2.10.1, since that is the version in the distribution we currently use. I set up a third virtual machine with the next Linux release, which gave me Postfix 3.5.8, with the same issue. One nice thing about the newer 3.5.8 version is that the Linux distribution provided a self-signed key pair for testing.

OpenSSL test to verify the key:

    [root@earth private]# openssl rsa -check -noout -in wild.key
    RSA key ok

OpenSSL test to verify the certificate:

    [root@earth certs]# openssl verify -CAfile gd_bundle-g2-g1.crt wild.pem
    wild.pem: OK
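The post's verify test has one blind spot: "openssl verify -CAfile bundle wild.pem" checks only the first certificate in wild.pem against a CA file that already contains the intermediate, so it passes whether or not the gateway actually sends that intermediate, and it says nothing about whether the null client has any trust anchors at all. The script below is an added example (not from the original post, not Postfix project code) that builds a throwaway root -> intermediate -> wildcard PKI with made-up names (Example Test Root, *.example.test) and then runs, offline, the three checks that decide between "Trusted" and "Untrusted" on the client: does the key belong to the cert, can a client holding only the root build the chain, and is the smtpd_tls_cert_file laid out the way Postfix reads it (server certificate first, issuing intermediates after it). The file names good-chain.pem, leaf-only.pem and wrong-order.pem are constructed inputs for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post or the Postfix project.
# Builds a throwaway three-tier PKI (root -> intermediate -> wildcard leaf,
# all names hypothetical) and runs the checks that decide whether a Postfix
# client can log "Trusted" rather than "Untrusted" for the gateway.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# --- throwaway PKI (stand-in for GoDaddy root -> intermediate -> wild.pem) ---
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:*.example.test\n' > leaf.ext

openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj '/CN=Example Test Root' >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
    -out root.pem >/dev/null 2>&1

openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj '/CN=Example Test Intermediate' >/dev/null 2>&1
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out inter.pem >/dev/null 2>&1

openssl req -new -newkey rsa:2048 -nodes -keyout wild.key -out wild.csr \
    -subj '/CN=*.example.test' >/dev/null 2>&1
openssl x509 -req -in wild.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 2 -extfile leaf.ext -out wild.pem >/dev/null 2>&1

# Candidate contents for smtpd_tls_cert_file (constructed inputs).
cat wild.pem inter.pem > good-chain.pem     # server cert first, then issuer(s)
cp  wild.pem leaf-only.pem                  # intermediate missing
cat inter.pem wild.pem > wrong-order.pem    # intermediate first

# 1. Key/cert pairing. "openssl rsa -check" only proves the key is internally
#    consistent; comparing the public keys proves key and cert belong together.
key_matches_cert() {  # $1=key $2=cert
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}

# 2. Verify a leaf the way a Postfix client does: trust anchors from the
#    CAfile (smtp_tls_CAfile), intermediates only if the server supplies them
#    (-untrusted), server purpose. Without the intermediate no chain exists.
verify_leaf() {  # $1=CAfile $2=leaf [$3=file of untrusted intermediates]
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$1" -purpose sslserver -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" -purpose sslserver "$2" >/dev/null 2>&1
    fi
}

# 3. Check a whole smtpd_tls_cert_file the way Postfix consumes it: the first
#    PEM block is the server certificate, every later block is sent as chain.
#    Text before the first BEGIN line (e.g. "Bag Attributes") is skipped, as
#    the PEM reader skips it. Plain "openssl verify file" only ever looks at
#    the first certificate in the file and never tests the rest.
check_cert_file() {  # $1=CAfile $2=cert file (leaf first, then intermediates)
    tmp=$(mktemp -d)
    : > "$tmp/rest.pem"
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > (d "/first.pem") }
        n >  1 { print > (d "/rest.pem") }' "$2"
    if [ -s "$tmp/rest.pem" ]; then
        verify_leaf "$1" "$tmp/first.pem" "$tmp/rest.pem"
    else
        verify_leaf "$1" "$tmp/first.pem"
    fi
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Demonstration. Run with: sh check_chain.sh
report() { if "$@"; then echo "ok   : $*"; else echo "FAIL : $*"; fi; }
report key_matches_cert wild.key wild.pem
report key_matches_cert inter.key wild.pem         # expected to fail
report verify_leaf root.pem wild.pem inter.pem
report verify_leaf root.pem wild.pem               # expected to fail: no intermediate
report check_cert_file root.pem good-chain.pem
report check_cert_file root.pem leaf-only.pem      # expected to fail
report check_cert_file root.pem wrong-order.pem    # expected to fail
```

Mapped back to the two Postfix hosts: the gateway's smtpd_tls_cert_file should look like good-chain.pem (wild.pem first, then the GoDaddy intermediate(s) from the bundle), with smtpd_tls_key_file pointing at the key; the null client needs smtp_tls_CAfile (or smtp_tls_CApath) pointing at trust anchors that include the GoDaddy root, because a client with no trust anchors logs every connection as "Untrusted" no matter what the server sends. The "Anonymous TLS connection established from" line on the gateway only says the client presented no certificate, which a null client normally does not. The documentation's live test against the running gateway is openssl s_client -starttls smtp -connect gateway:25 -CAfile root-bundle.pem, where the output should show the full certificate chain and "Verify return code: 0 (ok)"; on Postfix 2.11 and later, posttls-finger does the same from the Postfix side.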