Ok, so I found the right certificate, but when I run a test with msmtp -a default [email protected] just hangs. Tried it with all three SSL ports (465, 587, 25) with the same result....what happens now? I can't troubleshoot without error messages...
Thanks for everyone's assistance so far. On Sun, May 13, 2012 at 10:00 PM, Ram <[email protected]> wrote: > > From: Scott Sjodin <[email protected]> > > Message-ID: > > < > caafaoiwep9zh3mceggtnq0kom4fzaa+yaj7qrkjgkycuolm...@mail.gmail.com> > > > So I've got my msmtp setup (almost). It's running. I can telnet in to > > smtp.mydomain.com 587 and 25 and send over the creds (but not with 465) > > successfully. I can run openssl, with 465 I get the following: > > > > > > openssl s_client -CApath > > /etc/ssl/certs/Equifax_Secure_Certificate_Authority.cer -connect > > smtp.mydomain.com:465 > > > > Verify return code: 20 (unable to get local issuer certificate) > > > > When testing msmtp -a default [email protected] I get the following > > results (with port numbers corresponding to changes in the msmtprc file) > > > > > > When I change up the port number to 587: > > > > msmtp: TLS certificate verification failed: the certificate is not > trusted > > When I change up the port number to 25: > > msmtp: TLS certificate verification failed: the certificate is not > trusted > > When I change up the port number to 465: > > msmtp: network read error: Connection reset by peer. > > > > My msmtprc file is listed below: > > > > defaults > > tls on > > tls_starttls on > > tls_trust_file /etc/ssl/certs/Equifax_Secure_Certificate_Authority.cer > > > > #this was downloaded direct from GeoTrust's website - > > #http://www.geotrust.com/resources/root-certificates/index.html > > I suspect the server does not have it's certificate installed properly > - specifically the intermediate or chain certificate is probably not > installed/configured. Ideally this would be fixed on the server side > but you can work around it by adding the correct chain certificate(s) > to the client trusted certificate list. > > As a test try going to that same port and dump the certificates it > offers up like so: > # openssl s_client -connect example.com.:443 > > You should see a section in the output like so: > --- > Certificate chain > 0 s:/serialNumber=1234/C=US/O=example.com/OU=NoAuthFromUs/OU=See > someurl/cps (c)11/OU=Domain Control Validated - > RapidSSL(R)/CN=example.com > i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA > 1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA > i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA > 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA > i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority > > > You should see three entries (0, 1, 2) though the names will be > different than above. If you only see two then the the chain > certificate is missing from the server. > > cheers >
