Viktor Dukhovni wrote the following on 21.10.2013 17:21: > On Mon, Oct 21, 2013 at 10:07:13AM -0500, Noel Jones wrote: >> Looks as if they use a private root CA. Probably the easiest fix is >> to use "fingerprint" verification. See: >> http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps > > No, that would be a trust error not a signature error.
I've already got one fingerprint and one verify policy in place on the system in question, and I hadn't run across this error in my trial and error effort involved in getting those working. Yes, they do use a private root CA, but the MX hosts present the connecting client with the entire certificate chain, so that is not the problem. Maybe fingerprinting would work, though. I'll give it a shot on a test system. Thanks for the suggestion. Cheers, Tobias