John Peacock said the following on 01/25/2006 02:10 AM:
> Robin Bowes wrote:
>
>>> So, I tried testing with openssl:
>>>
>>> # openssl s_client -starttls smtp -crlf -connect localhost:25
>>> CONNECTED(00000003)
>>> 21435:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
>>> protocol:s23_clnt.c:494:
>>>
>>> So, something's broken, but I don't know what.
>
> This is starting to ring some bells. I don't know if you _can_ test this with
> openssl, since the server certificate will be signed by an unknown CA that the
> openssl client doesn't recognize. swaks doesn't care about that, and most MUA's
> will popup a requester offering to trust the unknown cert chain.

Ah, OK.

>> I've just seen this in the qpsmtpd log:
>>
>> CA file certs/my-ca.pem not found, using CA path instead.
>>
>> Is this relevant?
>
> How, exactly, did you set up your certificates? The branches/0.3x tls plugin
> does not use the certs/* path at all, and the gensslcert script creates the
> files in exactly the default location and filename for plugins/tls.

I used the script in the plugins dir as follows:

# cd /var/qpsmtpd/0.3x
# plugins/tls_cert \
    --C GB \
    --ST 'North Yorkshire' \
    --L 'Tollerton, York' \
    --O robinbowes.com \
    --OU batmobile \
    --CN smtp.robinbowes.com \
    --email postmaster <at> robinbowes <dot> com

This writes qpsmtpd-ca.crt, qpsmtpd-ca.key, qpsmtpd-server.crt,
qpsmtpd-server.csr, & qpsmtpd-server.key to /var/qpsmtpd/0.3x/ssl

These are all chown qpsmtpd:qpsmtpd and chmod 400.

I then enabled tls by simply putting "tls" in config/plugins

> If you used gensslcert, then you only need 'tls' in the config file. If you did
> anything else, you need to specify the full path and filename to the cert/key.

gensslcert? Do you mean tls_cert?

R.
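A shell check for the certificate files this thread is about, added here as an example and not code from the original message or from qpsmtpd. It takes the ssl directory as an argument (the file names are the ones the message says tls_cert writes; the /var/qpsmtpd/0.3x/ssl path is the one from the thread) and verifies that the server certificate chains to qpsmtpd-ca.crt, that the private key matches the certificate, and that the private keys are not group- or world-readable. Running it before openssl s_client separates a misplaced or mismatched key pair from a handshake problem on the server side.

```shell
#!/bin/sh
# Sanity-check the files tls_cert writes before testing the STARTTLS handshake.
# Returns 0 when the server cert is signed by the local CA, the key matches the
# cert, and the private keys are not group/world readable; otherwise prints
# each problem and returns 1.  Usage: check_qpsmtpd_tls_files /var/qpsmtpd/0.3x/ssl
check_qpsmtpd_tls_files() {
    dir=$1
    ca_crt=$dir/qpsmtpd-ca.crt
    ca_key=$dir/qpsmtpd-ca.key
    srv_crt=$dir/qpsmtpd-server.crt
    srv_key=$dir/qpsmtpd-server.key
    ok=0
    for f in "$ca_crt" "$ca_key" "$srv_crt" "$srv_key"; do
        if [ ! -f "$f" ]; then
            echo "missing: $f"; ok=1
        fi
    done
    [ "$ok" -eq 0 ] || return 1

    # 1. Chain: the server cert must verify against the local CA.  This is the
    #    trust decision an MUA makes when it asks whether to accept the unknown CA.
    if ! openssl verify -CAfile "$ca_crt" "$srv_crt" >/dev/null 2>&1; then
        echo "chain: $srv_crt is not signed by $ca_crt"; ok=1
    fi

    # 2. Key/cert match: compare the public key inside the cert with the public
    #    key derived from the private key (works for RSA and EC keys alike).
    crt_pub=$(openssl x509 -noout -pubkey -in "$srv_crt" 2>/dev/null)
    key_pub=$(openssl pkey -pubout -in "$srv_key" 2>/dev/null)
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "keypair: $srv_key does not match $srv_crt"; ok=1
    fi

    # 3. Private keys must not be readable by group or others (the chmod 400
    #    from the thread satisfies this).
    for f in "$srv_key" "$ca_key"; do
        if [ -n "$(find "$f" -perm -040 -o -perm -004 2>/dev/null)" ]; then
            echo "perms: $f is group- or world-readable"; ok=1
        fi
    done
    return "$ok"
}

if [ "$#" -gt 0 ]; then
    check_qpsmtpd_tls_files "$1" && echo "tls files in $1 look consistent"
fi
```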
