I noticed that some SMTP apps, namely
Esumsoft's POP Peeper v5.6.3 (the latest version) and
Nextcloud's Mail v5.6.7 (latest WebUI, based on Horde),
cannot communicate with my OpenSMTPD v7.6 via TLS:
  Failed to Process TLS Socket - certificate failed.
  Unable to get local issuer certificate.

  smtp disconnected reason="io-error: handshake failed - error:0A000418:SSL routines::tlsv1 alert unknown ca".
Why is CA unknown when it is valid and declared as CA cert in smtpd.conf?
  pki "mx" key "/path/to/mx.key"
  pki "mx" cert "/path/to/mx.cert"
  ca "ca" cert "/path/to/ca.cert"
SMTP servers and many mail programs (Thunderbird, Outlook, Pegasus,
Scribe, Vivaldi, even pocket-size nPOP) all connect to OpenSMTPD
securely and transfer email flawlessly.
For testing I merged all certificates into a single file.pem, at the top
of which I also inserted mx.key — voila, that was enough, now those few
apps are working smoothly, too.
I am writing just to ask what the proper order is, which variant is
correct and standards-compliant: mx-domain.cert, fullchain.cert, or
fullchain+key.pem. Where can I find a normative source on this matter?
--
Vladas aka Uolys
https://vladas.palubinskas.lt/