[PLUG] postfix smtp certificate verification failed

Paul Heinlein heinlein at madboa.com
Tue May 19 18:49:34 UTC 2015


On Mon, 18 May 2015, Galen Seitz wrote:

> On 05/18/15 20:22, Galen Seitz wrote:
>>
>> I've just configured my postfix 2.6.6-6 mailserver to use a 
>> relayhost with tls, and I'm seeing warnings when I send mail. 
>> Here's an example:
>>
>> May 18 19:41:21 lion postfix/smtp[3625]: certificate verification failed
>> for mailout.example.com[x.x.x.x]:587: untrusted issuer
>> /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>>
>> It appears the correct solution is to specify smtp_tls_CAfile in 
>> main.cf.  That's easy enough to do, but I'm not sure which file to 
>> use. This is a CentOS 6.6 system.  If I do a locate on .crt, here's 
>> what I get:
>>
>> [... lots of filenames deleted ...]
>>
>> So many to choose from!  Which should I use?
>
> I decided to go with /etc/pki/tls/certs/ca-bundle.crt.  I think this 
> is the correct one, but this stuff seems to be a bit of a mess.
>
> <https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/>

If an application is linked against OpenSSL, the easiest way to 
identify the default certificate store is

   openssl version -d

E.g.,

   [~]$ lsb_release -d
   Description:	CentOS release 6.6 (Final)
   [~]$ openssl version -d
   OPENSSLDIR: "/etc/pki/tls"

Given that directory, ${OPENSSLDIR}/cert.pem is the default CA 
database.

If a trusted certificate isn't found in the cert.pem file, OpenSSL 
will check ${OPENSSLDIR}/certs/* for a trusted CA.

OpenSSL will hash the remote certificate and check for a filename 
based on that hash. For instance, to get the hash of my web site's 
certificate, do

   echo |\
   openssl s_client -connect www.madboa.com:443 2>&1 |\
   sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |\
   openssl x509 -noout -hash

It will return the value 3628258a; if openssl finds

   ${OPENSSLDIR}/certs/3628258a.0

and the certificate therein was used to sign (or is the same as) the 
remote certificate, then the remote certificate is trusted.

(As for the ".0" portion of the 3628258a.0 filename, I've always 
guessed that's an iterator since it's possible for multiple 
certificates to generate the same hash value.)

Red Hat includes a utility, cacertdir_rehash, that will automatically 
scan a directory of certificates and create the necessary <hash>.N 
symlinks.

Also -- and this is a big note -- applications can be compiled and/or 
configured to search places other than the system OpenSSL's default 
OPENSSLDIR for its certificate store. OpenLDAP is a prime example. In 
those cases, you'll have to resort to strace and/or strings.

-- 
Paul Heinlein
heinlein at madboa.com
45°38' N, 122°6' W
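A small shell helper to go with the lookup Paul describes. This is an added example, not part of his message or of the Postfix or OpenSSL projects; the function names and the --check flag are my own, and the 3628258a.N filenames used in the comments are constructed for illustration. OpenSSL's by_dir lookup tries <hash>.0, <hash>.1, ... and stops at the first suffix that does not exist, which is the behaviour hash_candidates reproduces; the .N suffix is the sequence number that c_rehash / "openssl rehash" assign when several CA certificates hash to the same value.

```shell
#!/bin/sh
# Added example (not from the original thread): inspect the OpenSSL CA store
# layout that Postfix's smtp_tls_CAfile / smtp_tls_CApath point into.

# List the <hash>.N files OpenSSL would consider for a subject hash, walking
# .0, .1, .2 ... and stopping at the first suffix that is missing (so a gap
# at <hash>.2 hides <hash>.3, exactly as OpenSSL's by_dir lookup does).
hash_candidates() {
    capath=$1
    hash=$2
    n=0
    while [ -e "$capath/$hash.$n" ]; do
        printf '%s\n' "$capath/$hash.$n"
        n=$((n + 1))
    done
}

# Number of candidates found (convenient for scripting and for checks).
hash_candidate_count() {
    hash_candidates "$1" "$2" | wc -l | tr -d ' '
}

# Subject hash of a PEM certificate file, the same value that
# "openssl x509 -noout -hash" prints in the message above.
subject_hash_of() {
    openssl x509 -noout -hash -in "$1"
}

# Report OPENSSLDIR (via "openssl version -d"), whether the default cert.pem
# exists, and how many hashed links the certs/ directory holds.
check_system_store() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 1; }
    dir=$(openssl version -d | sed -e 's/^OPENSSLDIR: "//' -e 's/"$//')
    echo "OPENSSLDIR=$dir"
    if [ -r "$dir/cert.pem" ]; then
        echo "default CA file: $dir/cert.pem"
    else
        echo "no cert.pem in $dir (a distro CAfile such as ca-bundle.crt may be used instead)"
    fi
    if [ -d "$dir/certs" ]; then
        links=$(find "$dir/certs" -maxdepth 1 -name '*.[0-9]*' | wc -l | tr -d ' ')
        echo "hashed CA dir: $dir/certs ($links <hash>.N entries)"
    fi
}

# Show what Postfix is actually configured to trust (postconf -h prints
# values only); skipped when postconf is not installed.
postfix_ca_settings() {
    command -v postconf >/dev/null 2>&1 || { echo "postconf not found"; return 1; }
    echo "smtp_tls_CAfile = $(postconf -h smtp_tls_CAfile)"
    echo "smtp_tls_CApath = $(postconf -h smtp_tls_CApath)"
}

# Run the system report only when asked, so the functions can also be
# sourced from another script:  sh thisfile.sh --check
if [ "${1:-}" = "--check" ]; then
    check_system_store
    postfix_ca_settings
fi
```

Usage: "sh thisfile.sh --check" prints the store location and the Postfix settings; to confirm a CA file is reachable through a hashed directory, run hash_candidates with the directory and the output of subject_hash_of, and then verify each candidate with "openssl verify -CApath" before relying on it.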

