Re: TLS verification problem - ca untrusted, but it shouldn't be

2020-07-08 Thread Rainer Ruprechtsberger
On 08.07.20 14:34, Viktor Dukhovni wrote:
>
> /var/spool/postfix/etc/ssl/certs/ca-certificates.crt !=
> /etc/ssl/certs/ca-certificates.crt
>
> Why are you running s_client with that particular choice of filename?
> Along with any private keys, DH parameters, ... the CAfile is loaded by
>

Re: TLS verification problem - ca untrusted, but it shouldn't be

2020-07-08 Thread Viktor Dukhovni
On Wed, Jul 08, 2020 at 09:03:52AM +0200, Rainer Ruprechtsberger wrote:
> this is not my only problem with TLS verification - and I'm struggling
> to debug this:
>
> *mail.mail.protection.outlook.com cannot be verified by postfix:
> posttls-finger: certificate verification failed for
> blahblahom

Re: TLS verification problem - ca untrusted, but it shouldn't be

2020-07-08 Thread Rainer Ruprechtsberger
On 08.07.20 13:12, Christian Kivalo wrote:
[...]
> How did you call posttls-finger? Did you use "-F" and point it to
> /etc/ssl/certs/ca-certificates.crt?
>
>> But I do trust this CA:
>> smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
> This setting does not affect posttls-finger

Thanks - I

Re: TLS verification problem - ca untrusted, but it shouldn't be

2020-07-08 Thread Christian Kivalo
On 2020-07-08 09:03, Rainer Ruprechtsberger wrote: Hello, this is not my only problem with TLS verification - and I'm struggling to debug this: *mail.mail.protection.outlook.com cannot be verified by postfix: posttls-finger: certificate verification failed for blahblahommited.mail.protection.ou

Re: TLS verification problem - ca untrusted, but it shouldn't be

2020-07-08 Thread Rainer Ruprechtsberger
Hi,

> cat server.cer intermediate.cer > server_chain.cer
>
> After that in the main.cf you use the server_chain.cer as
> smtpd_tls_cert_file.
>

my problem is the other direction - I want to verify a remote SMTP server. Postfix is an SMTP client in this instance. TLS verification is required for

Re: TLS verification problem - ca untrusted, but it shouldn't be

2020-07-08 Thread Enrico Morelli
On Wed, 8 Jul 2020 09:03:52 +0200 Rainer Ruprechtsberger wrote:
> Hello,
>
> this is not my only problem with TLS verification - and I'm struggling
> to debug this:
>
> *mail.mail.protection.outlook.com cannot be verified by postfix:
> posttls-finger: certificate verification failed for
> blahb

TLS verification problem - ca untrusted, but it shouldn't be

2020-07-08 Thread Rainer Ruprechtsberger
Hello, this is not my only problem with TLS verification - and I'm struggling to debug this: *mail.mail.protection.outlook.com cannot be verified by postfix: posttls-finger: certificate verification failed for blahblahommited.mail.protection.outlook.com[104.47.14.36]:25: untrusted issuer /C=BE/O=