On Sat, Aug 20, 2011 at 09:22:12AM -0400, Sahil Tandon wrote:
> On Sat, 2011-08-20 at 09:19:54 +0000, Georg Sauthoff wrote:

> > I upgraded my Ubuntu box from 10.04 to 11.10, i.e. postfix was
> > upgraded from 2.7.0 to 2.8.0.

> > The local postfix is set up to relay mail to a remote server, including
> > mandatory TLS and certificate verification. The setup worked great
> > with 2.7.0, but after the upgrade I get the following errors:
 
> > certificate verification failed for example.org untrusted issuer
> > /C=DE/ST=NW/O=My CA/CN=Me/email=mys...@example.org [..]
> > status=deferred (Server certificate not trusted)
 
> > (I did not change the postfix config during the postfix upgrade)
 
> > The directory /etc/postfix contains the certificate from the relay

Btw, this should read: /etc/postfix/certs.

> > host (and c_rehash was executed).

> > Was the verification algorithm somehow changed between postfix 2.7.0
> > and 2.8.0?
 
> Without more information, my WAG is that this could be related to
> Incompat 20100610 noted in the RELEASE_NOTES for 2.8.

Thanks for the guess.

Meanwhile I did some investigation and it looks like a bug in the
Ubuntu/Debian /etc/init.d/postfix script.

Under Ubuntu postfix runs by default inside a chroot, thus the script copies
some files to /var/spool/postfix.

It also checks for $(postconf -f smtp_tls_CApath) - which is an improvement to
previous versions of the script IIRC.

But the script copies the certificates to a wrong location - in my case to:

    /var/spool/postfix/etc/postfix/certs/etc/postfix/certs/

The correct location would be:

    /var/spool/postfix/etc/postfix/certs/

After moving the certificates to the right location, everything works as
expected.

I can reproduce this issue executing:

    # /etc/init.d/postfix restart

(which again creates the wrong directory structure)

Best regards
Georg

-- 
Real programmers don't comment their code.  It was hard to write, it
should be hard to understand.
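
A check for the misplacement described in this message, as an added example that is not part of the original post or of the Debian/Ubuntu init script. The function names and return codes are hypothetical; it assumes an absolute CApath and c_rehash's `<8 hex digits>.<n>` entry naming.

```shell
#!/bin/sh
# Added example: locate hashed CA certs relative to a Postfix chroot.
# Function names and return codes are hypothetical, not Postfix or Debian code.

# True if DIR holds at least one c_rehash-style entry (<8 hex digits>.<n>).
has_hashed_certs() {
    for f in "$1"/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# check_chroot_capath QUEUE_DIR CA_PATH   (CA_PATH assumed absolute)
#   0 = hashed certs where a chrooted smtp client resolves CA_PATH
#   2 = hashed certs only in the doubled path (the layout from the post)
#   1 = no hashed certs in either place
check_chroot_capath() {
    queue_dir=${1%/}
    ca_path=${2%/}
    expected="$queue_dir$ca_path"   # CA_PATH as seen from inside the chroot
    doubled="$expected$ca_path"     # CA_PATH appended a second time

    if has_hashed_certs "$expected"; then
        echo "OK: hashed certs in $expected"
        return 0
    fi
    if has_hashed_certs "$doubled"; then
        echo "MISPLACED: hashed certs in $doubled, expected in $expected"
        return 2
    fi
    echo "MISSING: no hashed certs in $expected"
    return 1
}

# On a live system (both parameters are standard Postfix settings):
#   check_chroot_capath "$(postconf -h queue_directory)" \
#                       "$(postconf -h smtp_tls_CApath)"
```

Running it after each restart of the service shows whether the copy step has put the certificates where the chrooted client looks for them.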
