postfix-users May 2014 archive

Re: TLS issues (postfix says: UNTRUSTED but it is not)

From: Simon Effenberg <savar_at_nospam>
Date: Tue May 13 2014 - 12:27:08 GMT
To: "lists@rhsoft.net" <lists@rhsoft.net>

On Tue, May 13, 2014 at 02:11:34PM +0200, lists@rhsoft.net wrote:
> > And like I said.. it looks well from the openssl command and from
> > Chromium if I use the certificate inside an Apache2.. but postfix is
> > complaining and it is not telling me anything special what the issue is.
>
> the CA of the certificate used on "my.mailserver.de" is
> not in smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

Not true. That's why I posted my openssl check command (see the CAfile
I'm using there):

$ openssl s_client -showcerts \
    -CAfile /var/spool/postfix/etc/ssl/certs/ca-certificates.crt \
    -starttls smtp -connect my.mailserver.de:25

So I'm using exactly the same file postfix should use (it's the same as
outside the chroot.. so it would be the same if I used
/etc/ssl/certs/ca-certificates.crt instead.. I checked that as well).

>
> "from Chromium if I use the certificate inside an Apache2" is a different
> story, Chromium has the CA *and* the trust-chain in its CA list,
> /etc/ssl/certs/ca-certificates.crt is missing one of them
>
> and BTW it's completely pointless in doubt
>
> if I hijack your DNS server, manage to get a certificate from
> whatever trusted CA for "my.mailserver.de" you would see no
> difference - it would still be trusted in case of a known CA
>
> it's even recommended *not* to use smtp_tls_CAfile and stay
> with *any* delivery as "Untrusted" because there is no way
> of *real* trust without DNSSEC/DANE

I will keep this in mind. Nevertheless I really would like to know what
is wrong. Even if I will disable it later on it should work...

Cheers
Simon
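The disagreement above is about whether the CA file holds every link of the chain that "my.mailserver.de" presents. The script below is an added example, not code from this thread or from the Postfix project: it builds a throwaway root -> intermediate -> leaf chain with the openssl CLI (1.1.0 or later is assumed for the -no-CApath flag) and runs openssl verify against trust stores that are complete or missing one link, so the "missing one of them" failure can be seen on a machine with no mail server at all. It also compares two copies of a bundle the way one would compare the file inside and outside the Postfix chroot. One caveat the script makes explicit: openssl s_client -CAfile still consults the system default CApath (usually /etc/ssl/certs) unless -no-CApath is given, while a Postfix smtp(8) client with only smtp_tls_CAfile set and no smtp_tls_CApath uses nothing but that file, so the s_client check in the thread can succeed for a chain that the file alone would not verify.

```shell
#!/bin/sh
# Added example, not code from the thread: build a throwaway
# root -> intermediate -> leaf chain for "my.mailserver.de" and show what
# "openssl verify" reports when the trust store is missing one link.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/openssl.cnf"

# Minimal OpenSSL config: "req" insists on a distinguished_name section,
# and the two extension sections mark CA vs. end-entity certificates.
cat >"$CFG" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder (overridden by -subj)
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:my.mailserver.de
EOF

# make_cert NAME SUBJECT EXTSECTION [ISSUER]
# Writes $WORK/NAME.key and $WORK/NAME.crt; self-signed when ISSUER is empty.
make_cert() {
  name=$1; subj=$2; ext=$3; issuer=${4:-}
  openssl req -new -newkey rsa:2048 -nodes -config "$CFG" -subj "$subj" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
        -days 2 -extfile "$CFG" -extensions "$ext" -out "$WORK/$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.crt" \
        -CAkey "$WORK/$issuer.key" -CAcreateserial \
        -days 2 -extfile "$CFG" -extensions "$ext" -out "$WORK/$name.crt" 2>/dev/null
  fi
}

# verify_chain CAFILE LEAF [UNTRUSTED]
# CAFILE plays the role of smtp_tls_CAfile; UNTRUSTED stands in for an
# intermediate that the server itself presents during the handshake.
# -no-CApath keeps the system /etc/ssl/certs directory out of the picture,
# matching a Postfix client that has only smtp_tls_CAfile configured.
verify_chain() {
  cafile=$1; leaf=$2; untrusted=${3:-}
  if [ -n "$untrusted" ]; then
    out=$(openssl verify -no-CApath -CAfile "$cafile" -untrusted "$untrusted" "$leaf" 2>&1) \
      && { echo "trusted"; return 0; }
  else
    out=$(openssl verify -no-CApath -CAfile "$cafile" "$leaf" 2>&1) \
      && { echo "trusted"; return 0; }
  fi
  echo "untrusted: $out"
  return 1
}

# same_store A B: report whether two CA bundles are byte-identical, e.g. the
# copy under /var/spool/postfix/etc/ssl/certs versus the one in /etc/ssl/certs.
same_store() {
  a=$(openssl dgst -sha256 "$1" | sed 's/.*= //')
  b=$(openssl dgst -sha256 "$2" | sed 's/.*= //')
  [ "$a" = "$b" ]
}

# Constructed test chain (nothing here is a real CA).
make_cert root "/CN=Example Test Root CA" ca_ext
make_cert int  "/CN=Example Test Intermediate CA" ca_ext root
make_cert leaf "/CN=my.mailserver.de" leaf_ext int
cat "$WORK/root.crt" "$WORK/int.crt" >"$WORK/bundle.crt"   # store holding both links
cp "$WORK/bundle.crt" "$WORK/bundle-chroot.crt"            # the "inside the chroot" copy

echo "1. store has root only, server sends leaf only:"
verify_chain "$WORK/root.crt" "$WORK/leaf.crt" || true
echo "2. store has root only, server also sends the intermediate:"
verify_chain "$WORK/root.crt" "$WORK/leaf.crt" "$WORK/int.crt" || true
echo "3. store has the intermediate but not the root:"
verify_chain "$WORK/int.crt" "$WORK/leaf.crt" || true
echo "4. store has root and intermediate, server sends leaf only:"
verify_chain "$WORK/bundle.crt" "$WORK/leaf.crt" || true
if same_store "$WORK/bundle.crt" "$WORK/bundle-chroot.crt"; then
  echo "5. CA bundle inside and outside the chroot are identical"
fi
```

Cases 1 and 3 fail ("unable to get local issuer certificate" and "unable to get issuer certificate" respectively), cases 2 and 4 verify. To apply the same check to a live server, save what s_client -showcerts prints, split it into the leaf and any intermediates, and pass them to verify_chain as LEAF and UNTRUSTED with the chrooted ca-certificates.crt as CAFILE; if that fails while the same call without -no-CApath succeeds, the trust comes from the system directory rather than from the file Postfix is reading.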