Hello,

In configuring a Postfix 2.7.0 (on Ubuntu 10.04 LTS) for mandatory TLS to a couple of domains, I'm running into the following oddity when sending e-mail to the UniCredit servers:

Oct 21 08:43:58 <hostname> postfix/smtp[5991]: CA certificate verification failed for mx10.unicredit.eu[62.122.80.93]:25: num=7:certificate signature failure

This appears to be an OpenSSL error; at least I can find a similar error message on https://www.openssl.org/docs/apps/verify.html. However, I do not know what the actual problem is.

The certificates presented by the MX hosts of unicreditgroup.eu (that answer) are somewhat problematic in that they are all completely identical and feature a CN of mucimgcc.internal.unicreditgroup.eu and no SubjectAltNames, which does not resemble the MX records. However, I'm not sure if that is the cause of the verification failure.

If I store mx10's certificate to a file and the intermediary as well as the root CA certificate to /etc/postfix/cacerts (and create the necessary symlinks there with c_rehash), I can successfully use "openssl verify -CApath /etc/postfix/cacerts mx10.unicredit.eu.cert.pem" to verify it (result: mx10.unicredit.eu.cert.pem: OK).

Can anyone offer any insights on this topic? I'm a bit puzzled.

Regards,
Tobias
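Added example, not part of the original post: a small triage script that pulls the peer, port and OpenSSL verify error number out of Postfix log lines shaped like the one quoted above and maps the number to its name from the OpenSSL verify documentation. The regular expression is an assumption based only on that one quoted line; every sample line except the first is constructed.

```python
import re
from collections import Counter

# Subset of the error numbers listed in the OpenSSL verify documentation.
X509_V_ERR = {
    7: "X509_V_ERR_CERT_SIGNATURE_FAILURE",
    10: "X509_V_ERR_CERT_HAS_EXPIRED",
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
}

# Assumed line shape, modelled on the single log entry quoted in the post.
LINE_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?:(?P<kind>\w+) )?certificate verification "
    r"failed for (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"num=(?P<num>\d+):(?P<reason>.*)$"
)

def parse_line(line):
    """Return a dict describing one verification failure, or None."""
    m = LINE_RE.search(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["num"] = int(rec["num"])
    rec["reason"] = rec["reason"].strip()
    rec["x509_name"] = X509_V_ERR.get(rec["num"], "unknown (check the verify docs)")
    return rec

def summarize(lines):
    """Count failures per (MX host, error number, error name)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[(rec["host"], rec["num"], rec["x509_name"])] += 1
    return counts

SAMPLE_LOG = [
    # Line quoted in the post:
    "Oct 21 08:43:58 <hostname> postfix/smtp[5991]: CA certificate verification failed for mx10.unicredit.eu[62.122.80.93]:25: num=7:certificate signature failure",
    # Constructed lines below (repeat, different error, unrelated entry):
    "Oct 21 08:49:02 <hostname> postfix/smtp[6012]: CA certificate verification failed for mx10.unicredit.eu[62.122.80.93]:25: num=7:certificate signature failure",
    "Oct 21 08:50:11 <hostname> postfix/smtp[6020]: CA certificate verification failed for mx.example.net[192.0.2.10]:25: num=20:unable to get local issuer certificate",
    "Oct 21 08:50:12 <hostname> postfix/smtp[6020]: 1A2B3C4D5E: to=<user@example.net>, status=deferred",
]

if __name__ == "__main__":
    for (host, num, name), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {host}  num={num}  {name}")
```

Grouping by host and error number separates a failure tied to one peer's chain from one that affects every destination, which would point at the local trust store or TLS library instead.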