Robin Bowes wrote:
>> So, I tried testing with openssl:
>>
>> # openssl s_client -starttls smtp -crlf -connect localhost:25
>> CONNECTED(00000003)
>> 21435:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
>> protocol:s23_clnt.c:494:
>>
>> So, something's broken, but I don't know what.

This is starting to ring some bells. I don't know if you _can_ test this with openssl, since the server certificate will be signed by an unknown CA that the openssl client doesn't recognize. swaks doesn't care about that, and most MUAs will pop up a requester offering to trust the unknown cert chain.

>
> I've just seen this in the qpsmtpd log:
>
> CA file certs/my-ca.pem not found, using CA path instead.
>
> Is this relevant?

How, exactly, did you set up your certificates? The branches/0.3x tls plugin does not use the certs/* path at all, and the gensslcert script creates the files in exactly the default location and filename for plugins/tls. If you used gensslcert, then you only need 'tls' in the config file. If you did anything else, you need to specify the full path and filename to the cert/key.

John
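
As an added example (not part of the original thread and not qpsmtpd code), the probe below walks an SMTP connection through EHLO and STARTTLS without validating the certificate chain, as the reply says swaks does, and reports the stage at which the exchange stops. The function names, the stage labels and the `probe.invalid` EHLO name are assumptions made for this example.

```python
import ssl

def read_reply(f):
    """Read one (possibly multi-line) SMTP reply; return (code, [text lines])."""
    lines = []
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        text = line.decode("ascii", "replace").rstrip("\r\n")
        lines.append(text[4:])
        if text[3:4] != "-":           # "250-" continues, "250 " ends the reply
            code = int(text[:3]) if text[:3].isdigit() else 0
            return code, lines

def probe_starttls(sock, ehlo_name="probe.invalid"):
    """Walk an already-connected SMTP socket through EHLO and STARTTLS.

    Returns (stage, detail); stage is 'no-greeting', 'not-advertised',
    'refused', 'handshake-failed' or 'ok'. The certificate chain is NOT
    validated, so a self-signed or private-CA certificate still reaches 'ok'.
    """
    f = sock.makefile("rb")
    code, lines = read_reply(f)
    if code != 220:
        return "no-greeting", f"{code} {lines[-1]}"
    sock.sendall(f"EHLO {ehlo_name}\r\n".encode("ascii"))
    code, lines = read_reply(f)
    # The first reply line is the server's name; the rest are extension keywords.
    keywords = [l.split()[0].upper() for l in lines[1:] if l.strip()]
    if code != 250 or "STARTTLS" not in keywords:
        return "not-advertised", ", ".join(keywords)
    sock.sendall(b"STARTTLS\r\n")
    code, lines = read_reply(f)
    if code != 220:
        return "refused", f"{code} {lines[-1]}"
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False         # diagnostic only: accept any certificate
    ctx.verify_mode = ssl.CERT_NONE
    try:
        tls = ctx.wrap_socket(sock)
    except OSError as exc:             # ssl.SSLError is a subclass of OSError
        return "handshake-failed", f"{type(exc).__name__}: {exc}"
    with tls:
        return "ok", f"{tls.version()} {tls.cipher()[0]}"
```

Pass it a socket from `socket.create_connection(("localhost", 25), timeout=10)`. A `not-advertised` result points at the plugin not being loaded, while `handshake-failed` points at the certificate or key the server tried to use.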
