On 05/18/15 20:22, Galen Seitz wrote:
>
> I've just configured my postfix 2.6.6-6 mailserver to use a relayhost
> with tls, and I'm seeing warnings when I send mail. Here's an example:
>
> May 18 19:41:21 lion postfix/smtp[3625]: certificate verification failed
> for mailout.example.com[x.x.x.x]:587: untrusted issuer
> /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>
> It appears the correct solution is to specify smtp_tls_CAfile in
> main.cf. That's easy enough to do, but I'm not sure which file to use.
> This is a CentOS 6.6 system. If I do a locate on .crt, here's what I get:
>
> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
> /etc/pki/ca-trust/source/ca-bundle.legacy.crt
> /etc/pki/tls/certs/ca-bundle.crt
> /etc/pki/tls/certs/ca-bundle.trust.crt
> /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
> /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.disable.crt
> /usr/share/pki/ca-trust-source/ca-bundle.neutral-trust.crt
> /usr/share/pki/ca-trust-source/ca-bundle.trust.crt
>
> So many to choose from! Which should I use?

I decided to go with /etc/pki/tls/certs/ca-bundle.crt. I think this is
the correct one, but this stuff seems to be a bit of a mess.

<https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/>

galen
--
Galen Seitz
[email protected]
_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
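
Added example, not part of the original post: one way to test which candidate CA bundle can actually verify a server certificate before pointing smtp_tls_CAfile at it. The function names (check_bundles, make_demo, demo) and the throwaway demo CAs are hypothetical; the demo certificates are constructed on the fly so the script runs offline.

```shell
#!/usr/bin/env bash
set -eu

# check_bundles CERT BUNDLE...  ->  prints "OK|FAIL|MISSING <bundle>" per bundle.
# CERT is a PEM file holding the server certificate to be verified.
check_bundles() {
    local cert="$1" empty bundle
    shift
    # Pass an empty -CApath: otherwise openssl verify also searches the
    # system default certificate directory, which can mask a bad bundle.
    empty=$(mktemp -d)
    for bundle in "$@"; do
        if [ ! -r "$bundle" ]; then
            echo "MISSING $bundle"
        elif openssl verify -CApath "$empty" -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
            echo "OK $bundle"
        else
            echo "FAIL $bundle"
        fi
    done
    rmdir "$empty"
}

# Constructed demo data: two throwaway CAs and a leaf signed by the first.
make_demo() {
    local d="$1" n
    for n in ca1 ca2; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=demo-$n" \
            -keyout "$d/$n.key" -out "$d/$n.pem" 2>/dev/null
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mailout.example.com" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca1.pem" -CAkey "$d/ca1.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
    cat "$d/ca1.pem" "$d/ca2.pem" > "$d/bundle-with-issuer.crt"
    cp "$d/ca2.pem" "$d/bundle-without-issuer.crt"
}

demo() {
    local d
    d=$(mktemp -d)
    make_demo "$d"
    check_bundles "$d/leaf.pem" "$d/bundle-with-issuer.crt" \
        "$d/bundle-without-issuer.crt" "$d/no-such-bundle.crt"
    rm -rf "$d"
}

# With arguments: check real files. Without: run the constructed demo.
if [ "$#" -gt 0 ]; then check_bundles "$@"; else demo; fi
```

This checks a certificate that chains directly to a CA in the bundle; if the relay sends intermediate certificates, they would have to be supplied to openssl verify with -untrusted.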
