On Wed, Jan 19, 2022 at 05:07:38PM -0500, Wayne Spivak wrote: > That was the solution for TLS failing when I start postfix: > > perl -lne print file1 file2 file3
And now your server has the intermediate issuer in its chain, and verification works: posttls-finger: mcq.sbanetweb.com[96.224.250.24]:25: matched peername: mcq.sbanetweb.com posttls-finger: mcq.sbanetweb.com[96.224.250.24]:25: subject_CN=mcq.sbanetweb.com, issuer_CN=Entrust Certification Authority - L1K, fingerprint=1E:69:25:44:74:52:B4:C5:AA:C4:9F:7C:E8:F7:0B:96:A7:35:A9:F6:60:1F:D4:07:30:CD:B3:6B:99:69:88:EC, pkey_fingerprint=89:F7:3F:9B:2F:6F:F1:51:7B:4E:4C:CD:D5:5D:CB:C7:CE:CA:75:C9:CF:D8:73:EB:08:D2:71:1A:48:8E:FC:CD posttls-finger: Verified TLS connection established to mcq.sbanetweb.com[96.224.250.24]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 > [root@mcq postfix]# posttls-finger -cC -lsecure '[mcq.sbanetweb.com]' This does not use any trust-anchor certs, so verification is sure to fail when the intermediate issuer can't be verified. This is expected and normal. You'd need to specify a CAfile ("-F CAfile" option), but that's not necessary, it works. > posttls-finger: warning: DNSSEC validation may be unavailable > posttls-finger: warning: reason: dnssec_probe 'ns:.' received a response that > is not DNSSEC validated Your resolver is not a validating resolver. This is harmless if you're not using DANE. > posttls-finger: certificate verification failed for > mcq.sbanetweb.com[96.224.250.24]:25: untrusted issuer /C=US/O=Entrust, > Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for > authorized use only/CN=Entrust Root Certification Authority - G2 As expected. You're all set. > I'm also getting an error on submission in the log, Error is no such > file/directory. Start a new thread and post all relevant logs and configuration details. -- Viktor.