> Michael Peter:
>> This makes me more confused..
>> Please advise your opinion..
> Please post your configuration as requested in the welcome message.
>       wietse

I have posted my configuration as per your request, and I summarize my
questions again as follows.

I have configured postfix to check a CAfile which contains only the Godaddy root
certificate, as follows, for outgoing emails.

smtp_tls_CAfile = /etc/certs/go-daddy-root-ca.crt

To my surprise, postfix still trusts the server certificates when email is
sent to Yahoo or Gmail (although they are using a different provider for
their SSL certificates than Godaddy), even though the CAfile contains only the Godaddy
root certificate. I am confused how postfix could verify the Yahoo and Gmail
certificates when only the Godaddy root certificate exists in the CA
file?

So I have removed smtp_tls_CAfile, which contained only the Godaddy root
certificate, from main.cf; now postfix is not trusting Yahoo or Gmail when
sending emails to them.

This makes me more confused..

My configuration when smtp_tls_CAfile is configured to only the
Godaddy root certificate is as follows:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = localhost, $myhostname
inet_protocols = all
mail_owner = postfix
mailbox_delivery_lock = fcntl
mailbox_size_limit = 150000000
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 25000000
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = hidden-for-security.COM
mynetworks = 127.0.0.1, 127.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_CAfile = /etc/ssl/certs/godaddy-root.crt
smtp_tls_loglevel = 2
smtp_tls_security_level = may
smtpd_discard_ehlo_keywords = silent-discard, dsn
smtpd_recipient_restrictions =
    check_sender_access hash:/etc/postfix/blocksender
    check_recipient_access hash:/etc/postfix/blockr
    reject_sender_login_mismatch
    permit_sasl_authenticated
    check_sender_access hash:/etc/postfix/blockforged
    reject_unauth_destination
    reject_invalid_helo_hostname
    reject_rbl_client zen.spamhaus.org
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = hash:/etc/postfix/saslcheck
smtpd_tls_cert_file = /etc/postfix/postfix.pem
smtpd_tls_key_file = /etc/postfix/postfixkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_mailbox_lock = fcntl

With the above configuration, and although smtp_tls_CAfile is configured
only to use the Godaddy root certificate, when postfix is sending
emails to Yahoo and Gmail the postfix log still confirms that the certificate
is trusted. This is weird, because based on my configuration postfix should only trust Godaddy
certificates and not any certificates issued by a CA other than
Godaddy.


Now I have removed smtp_tls_CAfile from the configuration, and postfix is
not trusting the Gmail and Yahoo certificates when sending email to them. I
am confused, because in the previous configuration smtp_tls_CAfile was
pointing only to the Godaddy root certificate. Please find my revised
configuration as follows:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = localhost, $myhostname
inet_protocols = all
mail_owner = postfix
mailbox_delivery_lock = fcntl
mailbox_size_limit = 150000000
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 25000000
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = hidden-for-security.COM
mynetworks = 127.0.0.1, 127.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtpd_discard_ehlo_keywords = silent-discard, dsn
smtpd_recipient_restrictions =
    check_sender_access hash:/etc/postfix/blocksender
    check_recipient_access hash:/etc/postfix/blockr
    reject_sender_login_mismatch
    permit_sasl_authenticated
    check_sender_access hash:/etc/postfix/blockforged
    reject_unauth_destination
    reject_invalid_helo_hostname
    reject_rbl_client zen.spamhaus.org
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = hash:/etc/postfix/saslcheck
smtpd_tls_cert_file = /etc/postfix/postfix.pem
smtpd_tls_key_file = /etc/postfix/postfixkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_mailbox_lock = fcntl


Sorry for my long email; I just wanted to give you a full picture of the
issue for your advice.

Many Thanks
Michael Peter


