[PLUG] postfix smtp certificate verification failed

Galen Seitz galens at seitzassoc.com
Tue May 19 04:36:00 UTC 2015


On 05/18/15 20:22, Galen Seitz wrote:
> 
> I've just configured my postfix 2.6.6-6 mailserver to use a relayhost
> with tls, and I'm seeing warnings when I send mail.  Here's an example:
> 
> May 18 19:41:21 lion postfix/smtp[3625]: certificate verification failed
> for mailout.example.com[x.x.x.x]:587: untrusted issuer
> /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> 
> It appears the correct solution is to specify smtp_tls_CAfile in
> main.cf.  That's easy enough to do, but I'm not sure which file to use.
>  This is a CentOS 6.6 system.  If I do a locate on .crt, here's what I get:
> 
> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
> /etc/pki/ca-trust/source/ca-bundle.legacy.crt
> /etc/pki/tls/certs/ca-bundle.crt
> /etc/pki/tls/certs/ca-bundle.trust.crt
> /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
> /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.disable.crt
> /usr/share/pki/ca-trust-source/ca-bundle.neutral-trust.crt
> /usr/share/pki/ca-trust-source/ca-bundle.trust.crt
> 
> So many to choose from!  Which should I use?

I decided to go with /etc/pki/tls/certs/ca-bundle.crt.  I think this is
the correct one, but this stuff seems to be a bit of a mess.

<https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/>


galen
-- 
Galen Seitz
galens at seitzassoc.com
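
An added example, not part of the original post: one way to check which candidate bundle contains the issuer named in the log line before pointing smtp_tls_CAfile at it. The function names and the throwaway CA are constructed for illustration, and the script assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Print the subject line of every certificate in PEM bundle $1.
bundle_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
        openssl pkcs7 -print_certs -noout 2>/dev/null |
        grep '^subject'
}

# Return 0 if a subject in bundle $1 contains the fixed string $2,
# 1 if none does, 2 if the bundle is not readable.
bundle_has_issuer() {
    [ -r "$1" ] || return 2
    bundle_subjects "$1" | grep -F -q -- "$2"
}

# One-line verdict for bundle $1 and issuer string $2.
report() {
    rc=0
    bundle_has_issuer "$1" "$2" || rc=$?
    case $rc in
        0) echo "found: $1" ;;
        2) echo "unreadable: $1" ;;
        *) echo "not found: $1" ;;
    esac
}

# Constructed sample input: a throwaway self-signed CA written to $1,
# for trying the functions on a machine without the CentOS bundles.
make_constructed_bundle() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=US/O=Constructed/OU=Constructed Test Certificate Authority" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# OU of the untrusted issuer from the log line in the post. Matching on the
# OU value alone avoids differences in how openssl versions print a DN.
issuer="Equifax Secure Certificate Authority"

# Bundles to check: arguments, or the file chosen in the post.
[ $# -gt 0 ] || set -- /etc/pki/tls/certs/ca-bundle.crt
for bundle in "$@"; do
    report "$bundle" "$issuer"
done
```

A match means a certificate with that subject is present in the bundle; it does not by itself show that the relay's chain verifies against it.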
