On 2024/3/23 20:04, Wietse Venema via Postfix-users wrote:
> Cowbay via Postfix-users:
>> So, I will collect necessary information next time I encounter this
>> issue, as Viktor suggested.
>
> Please note that Postfix does not automatically use the "system"
> root CA store that openssl s_client and curl may use. That could
> result in verification differences between Postfix and other tools.
>
> https://www.postfix.org/postconf.5.html#tls_append_default_CA
>
> tls_append_default_CA (default: no)
>     Append the system-supplied default Certification Authority
>     certificates to the ones specified with *_tls_CApath or
>     *_tls_CAfile. The default is "no"; this prevents Postfix from
>     trusting third-party certificates and giving them relay permission
>     with permit_tls_all_clientcerts.
>
> Wietse

Thanks for this reminder; I will take care of this.

In my situation, I didn't explicitly set "tls_append_default_CA",
so it should default to "no".

And I specified "-o smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt"
for "smtp.gmail" in master.cf, specified "-CAfile
/etc/ssl/certs/ca-certificates.crt" to "openssl s_client", and specified
"--cacert /etc/ssl/certs/ca-certificates.crt" to "curl". I wish these
would make sure Postfix, openssl and curl use the same CAfile to verify
the certificate.

Cowbay
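
Added example (not part of the thread and not Postfix code): a small reader that shows which CA sources each master.cf service ends up with when only smtp_tls_CAfile, smtp_tls_CApath and tls_append_default_CA are considered. The master.cf text is a constructed sample; only the "smtp.gmail" service name and the CAfile path come from the message above, and the parser is simplified (no "{ }" quoting).

```python
# Constructed sample master.cf; "smtp.gmail" and the CAfile path are from the thread.
SAMPLE_MASTER_CF = """\
# service  type  private unpriv chroot wakeup maxproc command + args
smtp       unix  -       -      n      -       -       smtp
smtp.gmail unix  -       -      n      -       -       smtp
    -o smtp_tls_security_level=secure
    -o smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
"""

def logical_lines(text):
    """Join continuation lines (leading whitespace); drop comments and blanks."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def service_overrides(text):
    """Map service name -> {param: value} taken from '-o name=value' arguments."""
    services = {}
    for line in logical_lines(text):
        fields = line.split()
        name, args = fields[0], fields[8:]  # fields[7] is the command name
        opts = {}
        for i, tok in enumerate(args):
            if tok == "-o" and i + 1 < len(args) and "=" in args[i + 1]:
                key, _, val = args[i + 1].partition("=")
                opts[key] = val
        services[name] = opts
    return services

def trust_sources(main_cf, overrides):
    """Effective CA sources for one service; an empty list means none configured."""
    # Postfix defaults: both CA parameters empty, tls_append_default_CA = no.
    eff = {"smtp_tls_CAfile": "", "smtp_tls_CApath": "", "tls_append_default_CA": "no"}
    eff.update({k: v for k, v in main_cf.items() if k in eff})
    eff.update({k: v for k, v in overrides.items() if k in eff})  # -o wins
    sources = [eff[p] for p in ("smtp_tls_CAfile", "smtp_tls_CApath") if eff[p]]
    if eff["tls_append_default_CA"] == "yes":
        sources.append("<system default CAs>")
    return sources

if __name__ == "__main__":
    for svc, opts in service_overrides(SAMPLE_MASTER_CF).items():
        print(svc, trust_sources({}, opts) or "no CA source configured")
```

On a live system, "postconf -P" prints the master.cf "-o" overrides and "postconf tls_append_default_CA smtp_tls_CAfile smtp_tls_CApath" prints the main.cf values that this sketch takes as input.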