On Wed, Aug 19, 2020 at 10:52:20AM +0300, Thorsten Habich wrote:

> > > the certificate verification with TA file option still occasionally fails:
> >
> > How is the use of a TA file relevant here?
>
> It only happens with the domains configured with TA file option.

Do *resumed* sessions always fail to validate? Or is that intermittent?
When resumption fails, was the preceding non-resumed session successful?

Have you considered as a differential diagnostic procedure setting up a
separate transport for the problem domain, and using the trust-anchors in
question as the CAfile for the transport instead of a per-destination
policy "tafile"?

Are the trust-anchors self-signed CA certs, or are they "intermediate"
certs signed by some other CA? If intermediate, it takes a bit more effort
to turn them into a usable CAfile, because they'd need to be encapsulated
as "TRUSTED CERTIFICATE" PEM objects, with a trust EKU of "serverAuth".
I can post an example of how to do that if necessary.

Also, can you test the Postfix 3.6-20200725 snapshot? In Postfix 3.6 the
"tafile" code is based on the DANE support in OpenSSL 1.1.1, rather than
the older DANE certificate validation code in Postfix itself.

-- 
	Viktor.
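The message above mentions that an intermediate CA certificate has to be wrapped as a "TRUSTED CERTIFICATE" PEM object with serverAuth trust before it is usable as a CAfile. The script below is an added example, not Viktor's code and not part of the thread: it builds a throwaway root / intermediate / leaf chain, wraps the intermediate with `openssl x509 -addtrust serverAuth -trustout`, and verifies the leaf for the TLS-server purpose against both the wrapped and the unwrapped intermediate. It assumes only that the `openssl` command-line tool (1.1.1 or later) is on PATH; all file names and subject names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): turn an intermediate CA cert
# into a trust anchor that OpenSSL accepts for the serverAuth purpose.
# Assumes the openssl CLI (1.1.1+) is on PATH. Names are constructed.
set -eu

# Build a throwaway PKI in $1: root -> intermediate -> leaf.
# (Demo material only; a real site would use its own files.)
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Root" -keyout "$dir/root.key" \
        -out "$dir/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
        -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
    # The intermediate must carry CA:TRUE and keyCertSign to be a valid
    # issuer when the chain is checked for the sslserver purpose.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl x509 -req -days 1 -set_serial 1 -in "$dir/inter.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -extfile "$dir/ca.ext" \
        -out "$dir/inter.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -set_serial 2 -in "$dir/leaf.csr" \
        -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
        -out "$dir/leaf.pem" 2>/dev/null
}

# Re-encode a CA cert ($1) as a "TRUSTED CERTIFICATE" object ($2) whose
# trust list contains serverAuth. OpenSSL then stops chain building at
# this cert even though it is not self-signed.
make_trusted_cafile() {
    openssl x509 -in "$1" -addtrust serverAuth -trustout -out "$2"
}

# Verify leaf $2 against CAfile $1 for the TLS-server purpose, which is
# the purpose a mail client asks for. Returns 0 only on success.
verify_leaf() {
    openssl verify -purpose sslserver -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo run: the wrapped intermediate works as a CAfile, the plain one
# does not (OpenSSL keeps looking for the root and fails to find it).
demo() {
    work=$(mktemp -d)
    make_demo_pki "$work"
    make_trusted_cafile "$work/inter.pem" "$work/inter-trusted.pem"
    if verify_leaf "$work/inter-trusted.pem" "$work/leaf.pem"; then
        echo "TRUSTED CERTIFICATE wrapper: leaf verifies"
    fi
    if ! verify_leaf "$work/inter.pem" "$work/leaf.pem"; then
        echo "plain intermediate as CAfile: leaf does NOT verify"
    fi
    rm -rf "$work"
}
demo
```

The `-purpose sslserver` flag matters: OpenSSL only honours the serverAuth trust setting when the verification purpose maps to it, so a check run without a purpose may still report the wrapped intermediate as untrusted. The wrapped file is what one would point a transport-specific `smtp_tls_CAfile` at when following the differential-diagnosis suggestion in the message.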