On Mon, 18 May 2015, Galen Seitz wrote:

> On 05/18/15 20:22, Galen Seitz wrote:
>
> > I've just configured my postfix 2.6.6-6 mailserver to use a relayhost with TLS, and I'm seeing warnings when I send mail. Here's an example:
> >
> >   May 18 19:41:21 lion postfix/smtp[3625]: certificate verification failed
> >   for mailout.example.com[x.x.x.x]:587: untrusted issuer
> >   /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> >
> > It appears the correct solution is to specify smtp_tls_CAfile in main.cf. That's easy enough to do, but I'm not sure which file to use. This is a CentOS 6.6 system. If I do a locate on .crt, here's what I get:
> >
> > [... lots of filenames deleted ...]
> >
> > So many to choose from!  Which should I use?
>
> I decided to go with /etc/pki/tls/certs/ca-bundle.crt. I think this is the correct one, but this stuff seems to be a bit of a mess.
>
> <https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/>

If an application is linked against OpenSSL, the easiest way to identify the default certificate store is

  openssl version -d

E.g.,

  [~]$ lsb_release -d
  Description:  CentOS release 6.6 (Final)
  [~]$ openssl version -d
  OPENSSLDIR: "/etc/pki/tls"

Given that directory, ${OPENSSLDIR}/cert.pem is the default CA database.

If a trusted certificate isn't found in the cert.pem file, OpenSSL will check ${OPENSSLDIR}/certs/* for a trusted CA.

OpenSSL will hash the remote certificate and check for a filename based on that hash. For instance, to get the hash of my web site's certificate, do

  echo |\
  openssl s_client -connect www.madboa.com:443 2>&1 |\
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |\
  openssl x509 -noout -hash

It will return the value 3628258a; if openssl finds

  ${OPENSSLDIR}/certs/3628258a.0

and the certificate therein was used to sign (or is the same as) the remote certificate, then the remote certificate is trusted.

(As for the ".0" portion of the 3628258a.0 filename, I've always guessed that's an iterator since it's possible for multiple certificates to generate the same hash value.)

Red Hat includes a utility, cacertdir_rehash, that will automatically scan a directory of certificates and create the necessary <hash>.N symlinks.

Also -- and this is a big note -- applications can be compiled and/or configured to search places other than the system OpenSSL's default OPENSSLDIR for their certificate store. OpenLDAP is a prime example. In those cases, you'll have to resort to strace and/or strings.

--
Paul Heinlein
[email protected]
45°38' N, 122°6' W
_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
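The <hash>.N lookup and the rehash step described above, as an added example that is not part of the thread: the script below rebuilds a hashed CA directory from a bundle the way cacertdir_rehash / c_rehash do, then resolves a leaf certificate's issuer through it by hand. The hash is computed over each CA certificate's subject name and matched against the issuer name of the certificate being checked; the certificates, names and directory paths are constructed test data, and the only assumption is that the openssl CLI is in PATH.

```shell
# Added example (not from the thread): rebuild an OpenSSL hashed CA directory as
# cacertdir_rehash / c_rehash do, then resolve a leaf's issuer by hand. Needs openssl in PATH.
set -eu
# Split a PEM bundle (e.g. /etc/pki/tls/certs/ca-bundle.crt) into one file per
# cert and add <hash>.N symlinks. The hash covers each CA cert's subject name;
# at verify time OpenSSL hashes the *issuer* name of the cert under test and
# opens <hash>.0, <hash>.1, ... in turn.
rehash_bundle() {                       # $1 = bundle, $2 = output directory
    mkdir -p "$2"
    awk -v dir="$2" '
        /-BEGIN CERTIFICATE-/ { n++; f = sprintf("%s/ca-%03d.pem", dir, n); in_cert = 1 }
        in_cert               { print > f }
        /-END CERTIFICATE-/   { in_cert = 0; close(f) }' "$1"
    for pem in "$2"/ca-*.pem; do
        h=$(openssl x509 -noout -subject_hash -in "$pem"); i=0
        # .N is a collision counter: two CA certs with the same subject name
        # (e.g. a key rollover) hash identically and become .0 and .1.
        while [ -e "$2/$h.$i" ]; do i=$((i + 1)); done
        ln -s "$(basename "$pem")" "$2/$h.$i"
    done
}
# Number of <hash>.N candidates the directory $2 holds for the issuer of $1.
issuer_link_count() {
    h=$(openssl x509 -noout -issuer_hash -in "$1"); i=0
    while [ -e "$2/$h.$i" ]; do i=$((i + 1)); done; echo "$i"
}
# What -CApath does internally: try <hash>.0, <hash>.1, ... until one CA cert
# really validates the leaf's signature, and print that link's target.
find_signer() {                         # $1 = leaf PEM, $2 = hashed directory
    h=$(openssl x509 -noout -issuer_hash -in "$1"); i=0
    while [ -e "$2/$h.$i" ]; do
        openssl verify -CAfile "$2/$h.$i" "$1" >/dev/null 2>&1 && { readlink "$2/$h.$i"; return 0; }
        i=$((i + 1))
    done
    return 1
}
# Constructed test data: two roots sharing one subject name but with different
# keys (a rollover), plus a leaf signed by the first of them.
work=$(mktemp -d)
for n in 1 2; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=Example/CN=Example Root" \
        -keyout "$work/root$n.key" -out "$work/root$n.pem" 2>/dev/null
done
openssl req -newkey rsa:2048 -nodes -subj "/CN=mailout.example.test" \
    -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
openssl x509 -req -days 1 -set_serial 1 -in "$work/leaf.csr" -CA "$work/root1.pem" \
    -CAkey "$work/root1.key" -out "$work/leaf.pem" 2>/dev/null
cat "$work/root1.pem" "$work/root2.pem" > "$work/bundle.pem"; rehash_bundle "$work/bundle.pem" "$work/capath"
echo "candidate CA files for the leaf's issuer: $(issuer_link_count "$work/leaf.pem" "$work/capath")"
echo "CA file that validates the leaf: $(find_signer "$work/leaf.pem" "$work/capath")"
```

Both roots land under the same hash as .0 and .1, and only the .0 entry (root1, the actual signer) validates the leaf, which is the iteration the .N suffix exists for.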
