Re: Issues with tls_append_default_CA and *_tls_CApath

2012-02-19 Thread Artemy Tregubenko
On Sun, 19 Feb 2012 19:35:56 +0100, Wietse Venema wrote: Artemy Tregubenko: > Instead of enumerating things that Postfix does not do, it would > be more helpful to say how to achieve a concrete result: > >To use ONLY system-supplied default certificate authority >certificates

Re: Issues with tls_append_default_CA and *_tls_CApath

2012-02-19 Thread Wietse Venema
Artemy Tregubenko: > > Instead of enumerating things that Postfix does not do, it would > > be more helpful to say how to achieve a concrete result: > > > > To use ONLY system-supplied default certificate authority > > certificates, specify those with *_tls_CApath or > > *_t

Re: Issues with tls_append_default_CA and *_tls_CApath

2012-02-19 Thread Artemy Tregubenko
On Sun, 19 Feb 2012 18:18:12 +0100, Wietse Venema wrote: Artemy Tregubenko: On Sun, 19 Feb 2012 17:10:50 +0100, Wietse Venema wrote: > As per the documentation, Postfix APPENDS to certificates in *CApath > or *CAfile. If you don't specify certificates in *CApath and *CAfile, > then Postfix

Re: Issues with tls_append_default_CA and *_tls_CApath

2012-02-19 Thread Wietse Venema
Artemy Tregubenko: > On Sun, 19 Feb 2012 17:10:50 +0100, Wietse Venema > wrote: > > > As per the documentation, Postfix APPENDS to certificates in *CApath > > or *CAfile. If you don't specify certificates in *CApath and *CAfile, > > then Postfix won't append to them. > > Could you add to docum

Re: Issues with tls_append_default_CA and *_tls_CApath

2012-02-19 Thread Artemy Tregubenko
On Sun, 19 Feb 2012 17:10:50 +0100, Wietse Venema wrote: As per the documentation, Postfix APPENDS to certificates in *CApath or *CAfile. If you don't specify certificates in *CApath and *CAfile, then Postfix won't append to them. Could you add to documentation this sentence "If you don't s

Re: Issues with tls_append_default_CA and *_tls_CApath

2012-02-19 Thread Wietse Venema
Artemy Tregubenko: > Is tls_append_default_CA expected to work when none of *CApath and *CAfile > are set? As per the documentation, Postfix APPENDS to certificates in *CApath or *CAfile. If you don't specify certificates in *CApath and *CAfile, then Postfix won't append to them. Wietse

Re: Issues with tls_append_default_CA and *_tls_CApath

2012-02-19 Thread Artemy Tregubenko
On Sun, 19 Feb 2012 16:00:43 +0100, Wietse Venema wrote: To investigate, you can strace the SMTP daemon (see DEBUG_README.html) and see what system calls fail. That will also show whether you correctly followed instructions to turn off the chroot feature. Thanks to strace I figured out that

Re: Issues with tls_append_default_CA and *_tls_CApath

2012-02-19 Thread Artemy Tregubenko
On Sun, 19 Feb 2012 16:00:43 +0100, Wietse Venema wrote: Therefore, the Equifax certificate wasn't found with 'smtp_tls_CApath = /etc/ssl/certs'. For CApath to work, you need to run a program that sets up the necessary symlinks (named after a certificate hash) that allow the OpenSSL library t

Re: Issues with tls_append_default_CA and *_tls_CApath

2012-02-19 Thread Wietse Venema
Artemy Tregubenko: > Hello, > > I have an Ubuntu server with Postfix 2.8.2 on it. Looks like > tls_append_default_CA has no effect on it. > > When I send emails to Gmail I get message about failed certificate > verification. There're many articles

Re: Issues with tls_append_default_CA and *_tls_CApath

2012-02-19 Thread Artemy Tregubenko
On Sun, 19 Feb 2012 15:05:58 +0100, Wietse Venema wrote: Artemy Tregubenko: Hello, I have an Ubuntu server with Postfix 2.8.2 on it. Looks like tls_append_default_CA has no effect on it. See if this fixes the problem: http://www.postfix.org/DEBUG_README.html#no_chroot Then, complain

Re: Issues with tls_append_default_CA and *_tls_CApath

2012-02-19 Thread Wietse Venema
Artemy Tregubenko: > Hello, > > I have an Ubuntu server with Postfix 2.8.2 on it. Looks like > tls_append_default_CA has no effect on it. See if this fixes the problem: http://www.postfix.org/DEBUG_README.html#no_chroot Then, complain to the DEBIAN maintainer for shipping as broken Postfi