error using certificate server

  • deconya@...
    Message 1 of 10, Feb 8, 2013

      Hi list

      Right now I'm configuring the TLS function in my postfix 2.5.5 and I'm having a new problem.

      First it said untrusted issuer because it did not detect the certificates. Now the message every time it sends is

      status=deferred (Server certificate not verified)

      I was configuring using a howto that says to do

      ---------------------
      mkdir /var/spool/postfix/certs
      cp -R /etc/ssl/certs/* /var/spool/postfix/certs
      mkdir -p /var/spool/postfix/usr/share/ca-certificates
      cp -R /usr/share/ca-certificates /var/spool/postfix/usr/share/ca-certificates

      Then, in main.cf, change the smtp_tls_security_level line and add an smtp_tls_CApath line as follows:

      smtp_tls_security_level=verify
      smtp_tls_CApath=/certs

      -----------------

      And now the postconf for help:

      default_transport = smtp
      lmtp_pix_workarounds = disable_esmtp,delay_dotcrlf
      non_smtpd_milters =
      parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps
      proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps
      proxy_write_maps = $smtp_sasl_auth_cache_name $lmtp_sasl_auth_cache_name
      relayhost = smtp.puc.mysmarthost.es
      smtp_always_send_ehlo = yes
      smtp_bind_address =
      smtp_bind_address6 =
      smtp_body_checks =
      smtp_cname_overrides_servername = no
      smtp_connect_timeout = 30s
      smtp_connection_cache_destinations =
      smtp_connection_cache_on_demand = yes
      smtp_connection_cache_time_limit = 2s
      smtp_connection_reuse_time_limit = 300s
      smtp_data_done_timeout = 600s
      smtp_data_init_timeout = 120s
      smtp_data_xfer_timeout = 180s
      smtp_defer_if_no_mx_address_found = no
      smtp_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
      smtp_destination_concurrency_limit = $default_destination_concurrency_limit
      smtp_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
      smtp_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
      smtp_destination_rate_delay = $default_destination_rate_delay
      smtp_destination_recipient_limit = $default_destination_recipient_limit
      smtp_discard_ehlo_keyword_address_maps =
      smtp_discard_ehlo_keywords =
      smtp_enforce_tls = no
      smtp_fallback_relay = $fallback_relay
      smtp_generic_maps =
      smtp_header_checks =
      smtp_helo_name = $myhostname
      smtp_helo_timeout = 300s
      smtp_host_lookup = dns
      smtp_initial_destination_concurrency = $initial_destination_concurrency
      smtp_line_length_limit = 990
      smtp_mail_timeout = 300s
      smtp_mime_header_checks =
      smtp_mx_address_limit = 5
      smtp_mx_session_limit = 2
      smtp_nested_header_checks =
      smtp_never_send_ehlo = no
      smtp_pix_workaround_delay_time = 10s
      smtp_pix_workaround_maps =
      smtp_pix_workaround_threshold_time = 500s
      smtp_pix_workarounds = disable_esmtp,delay_dotcrlf
      smtp_quit_timeout = 300s
      smtp_quote_rfc821_envelope = yes
      smtp_randomize_addresses = yes
      smtp_rcpt_timeout = 300s
      smtp_rset_timeout = 20s
      smtp_sasl_auth_cache_name =
      smtp_sasl_auth_cache_time = 90d
      smtp_sasl_auth_enable = no
      smtp_sasl_auth_soft_bounce = yes
      smtp_sasl_mechanism_filter =
      smtp_sasl_password_maps = hash:/etc/postfix/relay_passwd
      smtp_sasl_path =
      smtp_sasl_security_options = noanonymous
      smtp_sasl_tls_security_options = $smtp_sasl_security_options
      smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
      smtp_sasl_type = cyrus
      smtp_send_xforward_command = no
      smtp_sender_dependent_authentication = no
      smtp_skip_5xx_greeting = yes
      smtp_skip_quit_response = yes
      smtp_starttls_timeout = 300s
      smtp_tls_CAfile =
      smtp_tls_CApath = /certs
      smtp_tls_cert_file =
      smtp_tls_dcert_file =
      smtp_tls_dkey_file = $smtp_tls_dcert_file
      smtp_tls_enforce_peername = yes
      smtp_tls_exclude_ciphers =
      smtp_tls_fingerprint_cert_match =
      smtp_tls_fingerprint_digest = md5
      smtp_tls_key_file = $smtp_tls_cert_file
      smtp_tls_loglevel = 0
      smtp_tls_mandatory_ciphers = medium
      smtp_tls_mandatory_exclude_ciphers =
      smtp_tls_mandatory_protocols = SSLv3, TLSv1
      smtp_tls_note_starttls_offer = yes
      smtp_tls_per_site =
      smtp_tls_policy_maps =
      smtp_tls_scert_verifydepth = 9
      smtp_tls_secure_cert_match = nexthop, dot-nexthop
      smtp_tls_security_level = verify
      smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
      smtp_tls_session_cache_timeout = 3600s
      smtp_tls_verify_cert_match = hostname
      smtp_use_tls = yes
      smtp_xforward_timeout = 300s
      smtpd_authorized_verp_clients = $authorized_verp_clients
      smtpd_authorized_xclient_hosts =
      smtpd_authorized_xforward_hosts =
      smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
      smtpd_client_connection_count_limit = 50
      smtpd_client_connection_rate_limit = 0
      smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
      smtpd_client_message_rate_limit = 0
      smtpd_client_new_tls_session_rate_limit = 0
      smtpd_client_port_logging = no
      smtpd_client_recipient_rate_limit = 0
      smtpd_client_restrictions =
      smtpd_data_restrictions =
      smtpd_delay_open_until_valid_rcpt = yes
      smtpd_delay_reject = yes
      smtpd_discard_ehlo_keyword_address_maps =
      smtpd_discard_ehlo_keywords =
      smtpd_end_of_data_restrictions =
      smtpd_enforce_tls = no
      smtpd_error_sleep_time = 1s
      smtpd_etrn_restrictions =
      smtpd_expansion_filter = \t\40!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~
      smtpd_forbidden_commands = CONNECT GET POST
      smtpd_hard_error_limit = 20
      smtpd_helo_required = no
      smtpd_helo_restrictions =
      smtpd_history_flush_threshold = 100
      smtpd_junk_command_limit = 100
      smtpd_milters =
      smtpd_noop_commands =
      smtpd_null_access_lookup_key = <>
      smtpd_peername_lookup = yes
      smtpd_policy_service_max_idle = 300s
      smtpd_policy_service_max_ttl = 1000s
      smtpd_policy_service_timeout = 100s
      smtpd_proxy_ehlo = $myhostname
      smtpd_proxy_filter =
      smtpd_proxy_timeout = 100s
      smtpd_recipient_limit = 1000
      smtpd_recipient_overshoot_limit = 1000
      smtpd_recipient_restrictions = permit_sasl_authenticated,    permit_mynetworks    reject_unauth_destination
      smtpd_reject_unlisted_recipient = yes
      smtpd_reject_unlisted_sender = no
      smtpd_restriction_classes =
      smtpd_sasl_auth_enable = yes
      smtpd_sasl_authenticated_header = yes
      smtpd_sasl_exceptions_networks =
      smtpd_sasl_local_domain =
      smtpd_sasl_path = private/auth
      smtpd_sasl_security_options = noanonymous
      smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
      smtpd_sasl_type = dovecot
      smtpd_sender_login_maps = ldap:/etc/postfix/ldap_aliases.cf
      smtpd_sender_restrictions =
      smtpd_soft_error_limit = 10
      smtpd_starttls_timeout = 300s
      smtpd_timeout = 300s
      smtpd_tls_CAfile = /etc/ssl/TERENASSL_PATH.pem
      smtpd_tls_CApath =
      smtpd_tls_always_issue_session_ids = yes
      smtpd_tls_ask_ccert = no
      smtpd_tls_auth_only = no
      smtpd_tls_ccert_verifydepth = 9
      smtpd_tls_cert_file = /etc/ssl/myserver.crt
      smtpd_tls_dcert_file =
      smtpd_tls_dh1024_param_file =
      smtpd_tls_dh512_param_file =
      smtpd_tls_dkey_file = $smtpd_tls_dcert_file
      smtpd_tls_exclude_ciphers =
      smtpd_tls_fingerprint_digest = md5
      smtpd_tls_key_file = /etc/ssl/private/jupiter_myserver.pem
      smtpd_tls_loglevel = 2
      smtpd_tls_mandatory_ciphers = medium
      smtpd_tls_mandatory_exclude_ciphers =
      smtpd_tls_mandatory_protocols = SSLv3, TLSv1
      smtpd_tls_received_header = yes
      smtpd_tls_req_ccert = no
      smtpd_tls_security_level =
      smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
      smtpd_tls_session_cache_timeout = 3600s
      smtpd_tls_wrappermode = no
      smtpd_use_tls = yes


      Please, it is critical to solve this problem, all messages are being deferred!!!

      Thanks

    • Reindl Harald
      Message 2 of 10, Feb 8, 2013
        On 08.02.2013 20:07, deconya@... wrote:
        > Right now I'm configuring the TLS function in my postfix 2.5.5 and I'm having a new problem.
        > First it said untrusted issuer because it did not detect the certificates.

        how often and with how many subjects will you
        start the thread again?

        > Please, it is critical to solve this problem, all messages are being deferred!!!
        > smtp_tls_security_level=verify

        so why do you not change it to "may" instead of "verify" in the first front?

        > smtp_tls_CApath=/certs

        and what is there?

        smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

        works fine on redhat systems

        [root@mail:~]$ stat /etc/pki/tls/certs/ca-bundle.crt
        Datei: „/etc/pki/tls/certs/ca-bundle.crt“
        Größe: 711830 Blöcke: 1392 EA Block: 4096 reguläre Datei
        Gerät: 811h/2065d Inode: 82289 Verknüpfungen: 1
        Zugriff: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
        Zugriff : 2013-01-04 19:08:55.000000000 +0100
        Modifiziert: 2013-01-04 19:08:55.000000000 +0100
        Geändert : 2013-01-06 20:21:48.027334833 +0100
        Geburt : -
      • deconya
        Message 3 of 10, Feb 8, 2013
          Hi

          Apologies for triplicating the mailing, my mail client blocked and by error sent the mail two times. The third was using webmail.

          If I use smtp_tls_security_level=may the smarthost will not accept mails because it needs to use authentication using TLS inside relay_passwd

          In main.cf I did not configure smtpd_tls_CAfile, this is the default option; do I need to change it?

          Any idea to correct the problem of verification?

          Thanks

          -----Original Message-----
          From: Reindl Harald <h.reindl@...>
          To: postfix-users@...
          Subject: Re: error using certificate server
          Date: Fri, 08 Feb 2013 20:13:07 +0100

          On 08.02.2013 20:07, deconya@... wrote:
          > Right now I'm configuring the TLS function in my postfix 2.5.5 and I'm having a new problem.
          > First it said untrusted issuer because it did not detect the certificates.

          how often and with how many subjects will you start the thread again?

          > Please, it is critical to solve this problem, all messages are being deferred!!!
          > smtp_tls_security_level=verify

          so why do you not change it to "may" instead of "verify" in the first front?

          > smtp_tls_CApath=/certs

          and what is there?

          smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

          works fine on redhat systems

          [root@mail:~]$ stat /etc/pki/tls/certs/ca-bundle.crt
          Datei: „/etc/pki/tls/certs/ca-bundle.crt“
          Größe: 711830 Blöcke: 1392 EA Block: 4096 reguläre Datei
          Gerät: 811h/2065d Inode: 82289 Verknüpfungen: 1
          Zugriff: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
          Zugriff : 2013-01-04 19:08:55.000000000 +0100
          Modifiziert: 2013-01-04 19:08:55.000000000 +0100
          Geändert : 2013-01-06 20:21:48.027334833 +0100
          Geburt : -
        • Reindl Harald
          Message 4 of 10, Feb 8, 2013
            On 08.02.2013 20:22, deconya wrote:
            > Hi
            >
            > Apologies for triplicating the mailing, my mail client blocked and by error sent the mail two times. The third
            > was using webmail.
            >
            > If I use smtp_tls_security_level=may the smarthost will not accept mails because it needs to use authentication using
            > TLS inside relay_passwd
            >
            > In main.cf I did not configure smtpd_tls_CAfile, this is the default option; do I need to change it?

            smtp_tls_CApath=/certs
            you copied random stuff there and nobody knows your environment

            i do not know your OS, as said on Fedora/Redhat
            smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
            i have no "smtp_tls_CApath" in use

            however, i posted the wrong one
            smtp_ is relevant for you, not smtpd
            but however, the bundle is fine for both

            smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
            smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

            > cp -R /etc/ssl/certs/* /var/spool/postfix/certs
            > cp -R /usr/share/ca-certificates /var/spool/postfix/usr/share/ca-certificates
            what is in these folders?
            what is it supposed to do?
            why do you copy stuff around?
            how do you imagine to update this stuff

            > -----Original Message-----
            > *From*: Reindl Harald <h.reindl@...>
            > *To*: postfix-users@...
            > *Subject*: Re: error using certificate server
            > *Date*: Fri, 08 Feb 2013 20:13:07 +0100
            >
            >
            > On 08.02.2013 20:07, deconya@... wrote:
            >> Right now I'm configuring the TLS function in my postfix 2.5.5 and I'm having a new problem.
            >> First it said untrusted issuer because it did not detect the certificates.
            >
            > how often and with how many subjects will you
            > start the thread again?
            >
            >> Please, it is critical to solve this problem, all messages are being deferred!!!
            >> smtp_tls_security_level=verify
            >
            > so why do you not change it to "may" instead of "verify" in the first front?
            >
            >> smtp_tls_CApath=/certs
            >
            > and what is there?
            >
            > smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
            >
            > works fine on redhat systems
            >
            > [root@mail:~]$ stat /etc/pki/tls/certs/ca-bundle.crt
            > Datei: „/etc/pki/tls/certs/ca-bundle.crt“
            > Größe: 711830 Blöcke: 1392 EA Block: 4096 reguläre Datei
            > Gerät: 811h/2065d Inode: 82289 Verknüpfungen: 1
            > Zugriff: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
            > Zugriff : 2013-01-04 19:08:55.000000000 +0100
            > Modifiziert: 2013-01-04 19:08:55.000000000 +0100
            > Geändert : 2013-01-06 20:21:48.027334833 +0100
            > Geburt : -
            >

            --

            Reindl Harald
            the lounge interactive design GmbH
            A-1060 Vienna, Hofmühlgasse 17
            CTO / CISO / Software-Development
            p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
            icq: 154546673, http://www.thelounge.net/

            http://www.thelounge.net/signature.asc.what.htm
          • deconya
            Message 5 of 10, Feb 8, 2013
              Hi

              -----Original Message-----
              From: Reindl Harald <h.reindl@...>
              To: postfix-users@...
              Subject: Re: error using certificate server
              Date: Fri, 08 Feb 2013 20:34:47 +0100

              > On 08.02.2013 20:22, deconya wrote:
              >> Hi
              >>
              >> Apologies for triplicating the mailing, my mail client blocked and by error sent the mail two times. The third
              >> was using webmail.
              >>
              >> If I use smtp_tls_security_level=may the smarthost will not accept mails because it needs to use authentication using
              >> TLS inside relay_passwd
              >>
              >> In main.cf I did not configure smtpd_tls_CAfile, this is the default option; do I need to change it?
              >
              > smtp_tls_CApath=/certs
              > you copied random stuff there and nobody knows your environment

              I'm using postfix 2.5.5 inside Ubuntu server. I discovered in a howto that to activate certificates this was one of the parameters to activate in main.cf, because by default postfix does not recognise certificates.

              > i do not know your OS, as said on Fedora/Redhat
              > smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
              > i have no "smtp_tls_CApath" in use

              I have not defined this parameter in main.cf, it is included by default.

              > however, i posted the wrong one
              > smtp_ is relevant for you, not smtpd
              > but however, the bundle is fine for both
              >
              > smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
              > smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
              >
              >> cp -R /etc/ssl/certs/* /var/spool/postfix/certs
              >> cp -R /usr/share/ca-certificates /var/spool/postfix/usr/share/ca-certificates
              > what is in these folders?
              > what is it supposed to do?
              > why do you copy stuff around?
              > how do you imagine to update this stuff

              This was the howto explaining how to move all certificates to the postfix folder. And now why can the error "Server certificate not verified" appear????

              Thanks
            • deconya
              Message 6 of 10, Feb 10, 2013
                Hi

                Recovering this thread, I'm configuring the CA certificates to validate
                the smarthost used to filter spam. Now the connection works but
                the message appears

                status=deferred (Server certificate not verified)

                I was looking at all the information about it in howtos, and it seems that the
                problem is when my server exchanges credentials with the smarthost. It seems
                that it does not recognize the CA certificates from the destination, and I have
                two questions

                - What file is smtp_tls_CApath=/certs looking for, all of them? (I'm referring to the
                name of the file); does it need to use a special name? Now, on your recommendation
                and using the postfix howto, I changed this to

                smtp_tls_CApath = /var/spool/postfix/certs
                smtpd_tls_CApath = /var/spool/postfix/certs

                And now I don't know if I need to do something more to accept the connection
                when it sends to this smarthost, ideas?

                Best Regards

              • Viktor Dukhovni
                Message 7 of 10 , Feb 10, 2013
                  On Sun, Feb 10, 2013 at 01:46:59PM +0100, deconya wrote:

                  > status=deferred (Server certificate not verified)
                  >
                  > I was looking all the information about it in howots, and seems that the
                  > problem is when my server exchanges credentials with smarthost. It seems
                  > that not recognizes the CA certificates from destination, and Im with
                  > two questions
                  >
                  > -What file is looking for smtp_tls_CApath=/certs, all? (Im refering the
                  > name of file), needs to use a special name? At now for recomedation of
                  > you and using howto of postfix I change this to

                  Configuring CApath is a lot more complicated than setting up a CAfile.
                  When you have exactly one root CA to verify (the one used by the ISP's
                  relay) there is little benefit in managing a "herd" (choose your
                  favourite collective noun) of certificates via CApath.

                  > smtp_tls_CApath = /var/spool/postfix/certs
                  > smtpd_tls_CApath = /var/spool/postfix/certs

                  Instead:

                  /etc/postfix/main.cf:
                  # Empty
                  smtpd_tls_CApath =
                  smtpd_tls_CAfile =
                  smtp_tls_CApath =

                  # Copy PEM format root CA cert into this file
                  smtp_tls_CAfile = ${config_directory}/smtp_CAfile

                  /etc/postfix/smtp_CAfile:
                  -----BEGIN CERTIFICATE-----
                  ...
                  -----END CERTIFICATE-----

                  Obtain the root CA certificate for the relay's smtp server in PEM
                  format (base64-encoded text between -----BEGIN, -----END line pairs)
                  from a trusted source and copy it into the CA file. Verify that
                  the file is well-formed by running:

                  openssl x509 -in /etc/postfix/smtp_CAfile -noout \
                  -subject -issuer -dates -sha1 -fingerprint

                  This must produce no errors and report the DN of the expected root
                  CA as both subject and issuer. The certificate must not be expired,
                  and typically is valid for 10-20 years. You can usually "google"
                  the sha1 fingerprint to find various online copies of the same CA
                  certificate.

                  You can store multiple trusted roots in a single CAfile, just
                  concatenate individual files with PEM format trusted root CA certs.

                  --
                  Viktor.
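The CAfile check Viktor describes, carried through as an added shell example (not code from the thread and not part of Postfix): it validates a candidate smtp_tls_CAfile with the same openssl x509 invocation, adds the two checks a practitioner wants before restarting Postfix (the certificate is self-signed, so it really is a root, and it has not expired), and then confirms that a peer certificate chains to that file with openssl verify, which is the trust decision Postfix makes at smtp_tls_security_level = verify (hostname matching aside). It assumes the openssl(1) CLI is installed; the throwaway root CA, the "relay" certificate it generates, and every file name are constructed test material for the example.

```shell
#!/bin/sh
# Added example (not from the thread, not Postfix code): sanity-check a
# candidate smtp_tls_CAfile and confirm a peer certificate chains to it.
# Assumes openssl(1) is installed. All file names here are constructed.

# count_pem_certs FILE: a CAfile may hold several concatenated roots.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# check_root_ca_file FILE: return 0 only for a well-formed, unexpired,
# self-signed root CA certificate in PEM format.
check_root_ca_file() {
    f=$1
    # Viktor's check: must parse and print subject/issuer/dates/fingerprint
    if ! openssl x509 -in "$f" -noout -subject -issuer -dates -sha1 -fingerprint >/dev/null 2>&1; then
        echo "check: $f: not a valid PEM X.509 certificate" >&2
        return 1
    fi
    subj=$(openssl x509 -in "$f" -noout -subject) || return 1
    iss=$(openssl x509 -in "$f" -noout -issuer) || return 1
    subj=${subj#subject=}
    iss=${iss#issuer=}
    # A root CA is self-signed: subject DN and issuer DN must be identical.
    # A server or intermediate certificate fails here.
    if [ "$subj" != "$iss" ]; then
        echo "check: $f: subject ($subj) differs from issuer ($iss): not a root CA" >&2
        return 1
    fi
    # -checkend 0 fails when the certificate is already expired
    if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
        echo "check: $f: certificate has expired" >&2
        return 1
    fi
    return 0
}

# verify_peer_against_ca CAFILE CERTFILE: return 0 when CERTFILE chains to
# a root in CAFILE (what Postfix checks at smtp_tls_security_level=verify).
verify_peer_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_test_pki DIR: constructed test material, a throwaway root CA plus a
# leaf certificate signed by it, standing in for the relay's certificate.
make_test_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$d/root.key" -out "$d/root.pem" \
        -subj "/CN=Constructed Test Root CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$d/relay.key" -out "$d/relay.csr" \
        -subj "/CN=relay.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$d/relay.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 365 -sha256 -out "$d/relay.pem" >/dev/null 2>&1
}

# Usage: sh check_cafile.sh /etc/postfix/smtp_CAfile [relay-cert.pem]
if [ "$#" -ge 1 ]; then
    check_root_ca_file "$1" && echo "$1: OK, $(count_pem_certs "$1") certificate(s)"
    if [ "$#" -ge 2 ]; then
        verify_peer_against_ca "$1" "$2" && echo "$2: chains to $1"
    fi
fi
```

To test against the real relay, save the leaf certificate it presents (for example from `openssl s_client -starttls smtp -connect relay.example:25 -showcerts`) and pass it as the second argument. A file that fails check_root_ca_file because subject and issuer differ is a server or intermediate certificate, not the root Viktor asks for.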
                • deconya
                  Message 8 of 10 , Feb 11, 2013
                    Hi

                    Thanks for your answers

                    I continue with the problem and I don't know where I can check more. Right
                    now the situation is

                    - Sent mails are deferred

                    - In the logs appears:

                    Feb 12 01:20:50 mailserver postfix/smtpd[16653]: warning:
                    smtpd_tls_security_level: unsupported TLS level "verify", using "encrypt"
                    Feb 12 01:20:50 mailserver postfix/smtpd[16653]: initializing the
                    server-side TLS engine
                    Feb 12 01:20:50 mailserver postfix/tlsmgr[16655]: open smtpd TLS cache
                    btree:/var/lib/postfix/smtpd_scache
                    Feb 12 01:20:50 mailserver postfix/tlsmgr[16655]:
                    tlsmgr_cache_run_event: start TLS smtpd session cache cleanup
                    Feb 12 01:20:50 mailserver postfix/smtpd[16653]: connect from
                    unknown[194.183.97.58]
                    Feb 12 01:20:51 mailserver postfix/smtpd[16653]: setting up TLS
                    connection from unknown[194.183.97.58]
                    Feb 12 01:20:51 mailserver postfix/smtpd[16653]: unknown[194.183.97.58]:
                    TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
                    Feb 12 01:20:51 mailserver postfix/smtpd[16653]:
                    SSL_accept:before/accept initialization
                    Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:SSLv3 read
                    client hello B
                    Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:SSLv3 write
                    server hello A
                    Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:SSLv3 write
                    certificate A
                    Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:SSLv3 write
                    key exchange A
                    Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:SSLv3 write
                    server done A
                    Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:SSLv3 flush data
                    Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:SSLv3 read
                    client key exchange A
                    Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:SSLv3 read
                    finished A
                    Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:unknown state
                    Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:SSLv3 write
                    change cipher spec A
                    Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:SSLv3 write
                    finished A
                    Feb 12 01:20:52 mailserver postfix/smtpd[16653]: SSL_accept:SSLv3 flush data
                    Feb 12 01:20:52 mailserver postfix/smtpd[16653]: Anonymous TLS
                    connection established from unknown[194.183.97.58]: TLSv1 with cipher
                    DHE-RSA-AES256-SHA (256/256 bits)
                    Feb 12 01:20:52 mailserver dovecot: auth(default): client in:
                    AUTH^I1^IPLAIN^Iservice=smtp^Inologin^Iresp=AG1hcmNvcy5nb256YWxlekBlc2NpLnVwZi5lZHUAYVYzcnlMMG5nUDRzc3cwcmQ=
                    Feb 12 01:20:52 mailserver postfix/smtpd[16653]: D88A97A0C9C:
                    client=unknown[194.183.97.58], sasl_method=PLAIN, sasl_username=usertest
                    Feb 12 01:20:53 mailserver postfix/smtpd[16653]: disconnect from
                    unknown[194.183.97.58]
                    Feb 12 01:20:53 mailserver postfix/smtp[16660]: D88A97A0C9C: Server
                    certificate not verified
                    Feb 12 01:20:56 mailserver postfix/smtp[16660]: D88A97A0C9C:
                    to=<mail@...>, relay=mysmarthost[130.206.18.4]:25, delay=3.3,
                    delays=0.48/0.01/2.8/0, dsn=4.7.5, status=deferred (Server certificate
                    not verified)

                    And postconf filtered by smtp is:

                    default_transport = smtp
                    lmtp_pix_workarounds = disable_esmtp,delay_dotcrlf
                    non_smtpd_milters =
                    parent_domain_matches_subdomains =
                    debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps
                    proxy_read_maps = $local_recipient_maps $mydestination
                    $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps
                    $virtual_mailbox_domains $relay_recipient_maps $relay_domains
                    $canonical_maps $sender_canonical_maps $recipient_canonical_maps
                    $relocated_maps $transport_maps $mynetworks $sender_bcc_maps
                    $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps
                    proxy_write_maps = $smtp_sasl_auth_cache_name $lmtp_sasl_auth_cache_name
                    relayhost = myrelay
                    smtp_always_send_ehlo = yes
                    smtp_bind_address =
                    smtp_bind_address6 =
                    smtp_body_checks =
                    smtp_cname_overrides_servername = no
                    smtp_connect_timeout = 30s
                    smtp_connection_cache_destinations =
                    smtp_connection_cache_on_demand = yes
                    smtp_connection_cache_time_limit = 2s
                    smtp_connection_reuse_time_limit = 300s
                    smtp_data_done_timeout = 600s
                    smtp_data_init_timeout = 120s
                    smtp_data_xfer_timeout = 180s
                    smtp_defer_if_no_mx_address_found = no
                    smtp_destination_concurrency_failed_cohort_limit =
                    $default_destination_concurrency_failed_cohort_limit
                    smtp_destination_concurrency_limit = $default_destination_concurrency_limit
                    smtp_destination_concurrency_negative_feedback =
                    $default_destination_concurrency_negative_feedback
                    smtp_destination_concurrency_positive_feedback =
                    $default_destination_concurrency_positive_feedback
                    smtp_destination_rate_delay = $default_destination_rate_delay
                    smtp_destination_recipient_limit = $default_destination_recipient_limit
                    smtp_discard_ehlo_keyword_address_maps =
                    smtp_discard_ehlo_keywords =
                    smtp_enforce_tls = no
                    smtp_fallback_relay = $fallback_relay
                    smtp_generic_maps =
                    smtp_header_checks =
                    smtp_helo_name = $myhostname
                    smtp_helo_timeout = 300s
                    smtp_host_lookup = dns
                    smtp_initial_destination_concurrency = $initial_destination_concurrency
                    smtp_line_length_limit = 990
                    smtp_mail_timeout = 300s
                    smtp_mime_header_checks =
                    smtp_mx_address_limit = 5
                    smtp_mx_session_limit = 2
                    smtp_nested_header_checks =
                    smtp_never_send_ehlo = no
                    smtp_pix_workaround_delay_time = 10s
                    smtp_pix_workaround_maps =
                    smtp_pix_workaround_threshold_time = 500s
                    smtp_pix_workarounds = disable_esmtp,delay_dotcrlf
                    smtp_quit_timeout = 300s
                    smtp_quote_rfc821_envelope = yes
                    smtp_randomize_addresses = yes
                    smtp_rcpt_timeout = 300s
                    smtp_rset_timeout = 20s
                    smtp_sasl_auth_cache_name =
                    smtp_sasl_auth_cache_time = 90d
                    smtp_sasl_auth_enable = no
                    smtp_sasl_auth_soft_bounce = yes
                    smtp_sasl_mechanism_filter =
                    smtp_sasl_password_maps = hash:/etc/postfix/relay_passwd
                    smtp_sasl_path =
                    smtp_sasl_security_options = noanonymous
                    smtp_sasl_tls_security_options = $smtp_sasl_security_options
                    smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
                    smtp_sasl_type = cyrus
                    smtp_send_xforward_command = no
                    smtp_sender_dependent_authentication = no
                    smtp_skip_5xx_greeting = yes
                    smtp_skip_quit_response = yes
                    smtp_starttls_timeout = 300s
                    smtp_tls_CAfile = /etc/ssl/certs/TERENASSL_PATH.pem.1
                    smtp_tls_CApath = /etc/ssl/certs
                    smtp_tls_cert_file = /etc/ssl/mydomain.crt
                    smtp_tls_dcert_file =
                    smtp_tls_dkey_file = $smtp_tls_dcert_file
                    smtp_tls_enforce_peername = yes
                    smtp_tls_exclude_ciphers =
                    smtp_tls_fingerprint_cert_match =
                    smtp_tls_fingerprint_digest = md5
                    smtp_tls_key_file = /etc/ssl/private/jupiter_mydomain.pem
                    smtp_tls_loglevel = 0
                    smtp_tls_mandatory_ciphers = medium
                    smtp_tls_mandatory_exclude_ciphers =
                    smtp_tls_mandatory_protocols = SSLv3, TLSv1
                    smtp_tls_note_starttls_offer = no
                    smtp_tls_per_site =
                    smtp_tls_policy_maps =
                    smtp_tls_scert_verifydepth = 9
                    smtp_tls_secure_cert_match = nexthop, dot-nexthop
                    smtp_tls_security_level = verify
                    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
                    smtp_tls_session_cache_timeout = 3600s
                    smtp_tls_verify_cert_match = hostname
                    smtp_use_tls = yes
                    smtp_xforward_timeout = 300s
                    smtpd_authorized_verp_clients = $authorized_verp_clients
                    smtpd_authorized_xclient_hosts =
                    smtpd_authorized_xforward_hosts =
                    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
                    smtpd_client_connection_count_limit = 50
                    smtpd_client_connection_rate_limit = 0
                    smtpd_client_event_limit_exceptions =
                    ${smtpd_client_connection_limit_exceptions:$mynetworks}
                    smtpd_client_message_rate_limit = 0
                    smtpd_client_new_tls_session_rate_limit = 0
                    smtpd_client_port_logging = no
                    smtpd_client_recipient_rate_limit = 0
                    smtpd_client_restrictions =
                    smtpd_data_restrictions =
                    smtpd_delay_open_until_valid_rcpt = yes
                    smtpd_delay_reject = yes
                    smtpd_discard_ehlo_keyword_address_maps =
                    smtpd_discard_ehlo_keywords =
                    smtpd_end_of_data_restrictions =
                    smtpd_enforce_tls = no
                    smtpd_error_sleep_time = 1s
                    smtpd_etrn_restrictions =
                    smtpd_expansion_filter =
                    \t\40!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~
                    smtpd_forbidden_commands = CONNECT GET POST
                    smtpd_hard_error_limit = 20
                    smtpd_helo_required = no
                    smtpd_helo_restrictions =
                    smtpd_history_flush_threshold = 100
                    smtpd_junk_command_limit = 100
                    smtpd_milters =
                    smtpd_noop_commands =
                    smtpd_null_access_lookup_key = <>
                    smtpd_peername_lookup = yes
                    smtpd_policy_service_max_idle = 300s
                    smtpd_policy_service_max_ttl = 1000s
                    smtpd_policy_service_timeout = 100s
                    smtpd_proxy_ehlo = $myhostname
                    smtpd_proxy_filter =
                    smtpd_proxy_timeout = 100s
                    smtpd_recipient_limit = 1000
                    smtpd_recipient_overshoot_limit = 1000
                    smtpd_recipient_restrictions = permit_sasl_authenticated,
                    permit_mynetworks, reject_unauth_destination
                    smtpd_reject_unlisted_recipient = yes
                    smtpd_reject_unlisted_sender = no
                    smtpd_restriction_classes =
                    smtpd_sasl_auth_enable = yes
                    smtpd_sasl_authenticated_header = yes
                    smtpd_sasl_exceptions_networks =
                    smtpd_sasl_local_domain =
                    smtpd_sasl_path = private/auth
                    smtpd_sasl_security_options = noanonymous
                    smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
                    smtpd_sasl_type = dovecot
                    smtpd_sender_login_maps = ldap:/etc/postfix/ldap_aliases.cf
                    smtpd_sender_restrictions =
                    smtpd_soft_error_limit = 10
                    smtpd_starttls_timeout = 300s
                    smtpd_timeout = 300s
                    smtpd_tls_CAfile = /etc/ssl/certs/TERENASSL_PATH.pem.1
                    smtpd_tls_CApath = /etc/ssl/certs
                    smtpd_tls_always_issue_session_ids = yes
                    smtpd_tls_ask_ccert = no
                    smtpd_tls_auth_only = no
                    smtpd_tls_ccert_verifydepth = 9
                    smtpd_tls_cert_file = /etc/ssl/mydomain.crt
                    smtpd_tls_dcert_file =
                    smtpd_tls_dh1024_param_file =
                    smtpd_tls_dh512_param_file =
                    smtpd_tls_dkey_file = $smtpd_tls_dcert_file
                    smtpd_tls_exclude_ciphers =
                    smtpd_tls_fingerprint_digest = md5
                    smtpd_tls_key_file = /etc/ssl/private/jupiter_mydomain.pem
                    smtpd_tls_loglevel = 2
                    smtpd_tls_mandatory_ciphers = medium
                    smtpd_tls_mandatory_exclude_ciphers =
                    smtpd_tls_mandatory_protocols = SSLv3, TLSv1
                    smtpd_tls_received_header = yes
                    smtpd_tls_req_ccert = no
                    smtpd_tls_security_level = verify
                    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
                    smtpd_tls_session_cache_timeout = 3600s
                    smtpd_tls_wrappermode = no
                    smtpd_use_tls = yes

                    If anyone knows what I can do I'll be grateful, it is maddening :-(

                    Best Regards

                    On 10/02/13 18:59, Viktor Dukhovni wrote:
                    > On Sun, Feb 10, 2013 at 01:46:59PM +0100, deconya wrote:
                    >
                    >> status=deferred (Server certificate not verified)
                    >>
                    >> I was looking all the information about it in howots, and seems that the
                    >> problem is when my server exchanges credentials with smarthost. It seems
                    >> that not recognizes the CA certificates from destination, and Im with
                    >> two questions
                    >>
                    >> -What file is looking for smtp_tls_CApath=/certs, all? (Im refering the
                    >> name of file), needs to use a special name? At now for recomedation of
                    >> you and using howto of postfix I change this to
                    > Configuring CApath is a lot more complicated than setting up a CAfile.
                    > When you have exactly one root CA to verify (the one used by the ISP's
                    > relay) there is little benefit in managing a "herd" (choose your
                    > favourite collective noun) of certificates via CApath.
                    >
                    >> smtp_tls_CApath = /var/spool/postfix/certs
                    >> smtpd_tls_CApath = /var/spool/postfix/certs
                    > Instead:
                    >
                    > /etc/postfix/main.cf:
                    > # Empty
                    > smtpd_tls_CApath =
                    > smtpd_tls_CAfile =
                    > smtp_tls_CApath =
                    >
                    > # Copy PEM format root CA cert into this file
                    > smtp_tls_CAfile = ${config_directory}/smtp_CAfile
                    >
                    > /etc/postfix/smtp_CAfile:
                    > -----BEGIN CERTIFICATE-----
                    > ...
                    > -----END CERTIFICATE-----
                    >
                    > Obtain the root CA certificate for the relay's smtp server in PEM
                    > format (base64-encoded text between -----BEGIN, -----END line pairs)
                    > from a trusted source and copy it into the CA file. Verify that
                    > the file is well-formed by running:
                    >
                    > openssl x509 -in /etc/postfix/smtp_CAfile -noout \
                    > -subject -issuer -dates -sha1 -fingerprint
                    >
                    > This must produce no errors and report the DN of the expected root
                    > CA as both subject and issuer. The certificate must not be expired,
                    > and typically is valid for 10-20 years. You can usually "google"
                    > the sha1 fingerprint to find various online copies of the same CA
                    > certificate.
                    >
                    > You can store multiple trusted roots in a single CAfile, just
                    > concatenate individual files with PEM format trusted root CA certs.
                    >
                  • Viktor Dukhovni
                    Message 9 of 10 , Feb 11, 2013
                      On Tue, Feb 12, 2013 at 01:36:15AM +0100, deconya wrote:

                      > Thanks for you answers
                      >
                      > I continue with the problem and I don't know where I can check more. At
                      > now the situation is
                      >
                      > -Sends mails deferred
                      >
                      > -In logs appears:
                      >
                      > Feb 12 01:20:50 mailserver postfix/smtpd[16653]: warning:
                      > smtpd_tls_security_level: unsupported TLS level "verify", using "encrypt"
                      > Feb 12 01:20:50 mailserver postfix/smtpd[16653]: initializing the
                      > server-side TLS engine

                      I give up, you still can't pay attention long enough to distinguish
                      "smtp_tls_security_level" from "smtpd_tls_security_level". Good luck,
                      over and out.

                      --
                      Viktor.
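Viktor's point is that `smtpd_tls_security_level` (the server side, smtpd) and `smtp_tls_security_level` (the client side, smtp) accept different values, and the posted log shows exactly what happens otherwise: `unsupported TLS level "verify", using "encrypt"`. As an added example (not code from the thread and not part of Postfix), here is a small main.cf linter that flags that mix-up together with the CAfile/CApath combination seen in the thread. The accepted values it encodes are those of Postfix 2.5 (none, may, encrypt for smtpd; none, may, encrypt, fingerprint, verify, secure for smtp; later releases add dane and dane-only on the client side), and the file paths in it are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread, not Postfix code): lint the TLS
# security levels and trust-anchor settings in a Postfix main.cf.
# Accepted values are those of Postfix 2.5. File names are constructed.

# lint_tls_levels FILE: print one finding per line; exit 1 if any was found.
lint_tls_levels() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*#/ || /^[ \t]*$/ { next }                       # comments, blank lines
    /^[ \t]/ { if (last != "") cfg[last] = cfg[last] " " trim($0); next }  # continuation
    {
        eq = index($0, "=")
        if (eq == 0) next
        last = trim(substr($0, 1, eq - 1))                  # parameter name
        cfg[last] = trim(substr($0, eq + 1))                # value (may be empty)
    }
    END {
        n = 0
        # smtpd (server side) knows only none, may, encrypt; anything else
        # is logged as "unsupported TLS level" and downgraded to encrypt.
        if (("smtpd_tls_security_level" in cfg) && cfg["smtpd_tls_security_level"] !~ /^(none|may|encrypt)$/) {
            print "smtpd_tls_security_level = \"" cfg["smtpd_tls_security_level"] "\": not a server-side level (none, may, encrypt); smtpd logs a warning and uses \"encrypt\" instead"
            n++
        }
        # smtp (client side) is where verify/secure belong.
        if (("smtp_tls_security_level" in cfg) && cfg["smtp_tls_security_level"] !~ /^(none|may|encrypt|fingerprint|verify|secure)$/) {
            print "smtp_tls_security_level = \"" cfg["smtp_tls_security_level"] "\": not a client-side level"
            n++
        }
        lvl = cfg["smtp_tls_security_level"]
        # verify/secure need a trust anchor, or every delivery is deferred
        # with "Server certificate not verified".
        if (lvl ~ /^(verify|secure)$/ && cfg["smtp_tls_CAfile"] == "" && cfg["smtp_tls_CApath"] == "") {
            print "smtp_tls_security_level = " lvl " with no smtp_tls_CAfile or smtp_tls_CApath: the relay certificate cannot be verified, so mail is deferred"
            n++
        }
        if (cfg["smtp_tls_CAfile"] != "" && cfg["smtp_tls_CApath"] != "") {
            print "both smtp_tls_CAfile and smtp_tls_CApath are set; for a single relay, keep one CAfile holding its root CA and leave smtp_tls_CApath empty"
            n++
        }
        exit (n > 0)
    }' "$1"
}

# write_sample_main_cf FILE: constructed configuration in the shape posted
# in this thread (server-side "verify", CAfile and CApath both set).
write_sample_main_cf() {
    printf '%s\n' \
        '# constructed sample, not a real main.cf' \
        'smtpd_tls_security_level = verify' \
        'smtp_tls_security_level = verify' \
        'smtp_tls_CAfile = /etc/ssl/certs/relay-chain.pem' \
        'smtp_tls_CApath = /etc/ssl/certs' \
        'smtpd_recipient_restrictions = permit_sasl_authenticated,' \
        '        permit_mynetworks, reject_unauth_destination' > "$1"
}

# Usage: sh lint_tls.sh /etc/postfix/main.cf   (no argument: lint the sample)
if [ "$#" -ge 1 ]; then
    lint_tls_levels "$1"
else
    tmpcf=$(mktemp)
    write_sample_main_cf "$tmpcf"
    lint_tls_levels "$tmpcf" || true
    rm -f "$tmpcf"
fi
```

Run it against the live file with `postconf -n > /tmp/main.cf.effective` first if the configuration is spread over includes; the linter reads `name = value` lines and continuation lines only, not the full Postfix parameter expansion syntax.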
                    • deconya
                      Message 10 of 10 , Feb 12, 2013
                        Hi Viktor

                        I understand that only smtp_tls_security_level is needed? Or are two options not needed?

                        In main.cf I have:

                        #TLS SMTPD PARAMETERS
                        smtpd_use_tls = yes
                        smtpd_tls_CAfile = /etc/ssl/certs/TERENASSL_PATH.pem
                        smtpd_tls_key_file = /etc/ssl/private/jupiter_mydomain.pem
                        smtpd_tls_cert_file = /etc/ssl/mydomain.crt
                        smtpd_tls_CApath = /etc/ssl/certs
                        smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
                        smtpd_tls_loglevel = 2
                        smtpd_tls_received_header = yes
                        smtpd_tls_session_cache_timeout = 3600s
                        #smtpd_tls_security_level = verify

                        smtp_use_tls = yes
                        smtp_tls_CAfile = /etc/ssl/certs/TERENASSL_PATH.pem
                        smtp_tls_security_level = verify
                        smtp_tls_key_file = /etc/ssl/private/jupiter_mydomain.pem
                        smtp_tls_cert_file = /etc/ssl/mydomain.crt
                        smtp_tls_CApath = /etc/ssl/certs
                        smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
                        #smtp_tls_note_starttls_offer = yes


                        #SASL
                        relayhost = smtp.myrelayhost
                        smtpd_sasl_auth_enable = yes
                        smtpd_sasl_authenticated_header = yes
                        smtp_sasl_password_maps = hash:/etc/postfix/relay_passwd
                        smtp_sasl_security_options = noanonymous
                        smtpd_sasl_security_options = noanonymous
                        #smtpd_sasl_local_domain =
                        smtpd_sasl_type = dovecot
                        smtpd_sasl_path = private/auth

                        broken_sasl_auth_clients = yes
                        smtpd_sender_login_maps = ldap:/etc/postfix/ldap_aliases.cf
                        smtpd_recipient_restrictions =
                                permit_sasl_authenticated,
                                permit_mynetworks,
                                reject_unauth_destination

                        tls_random_source = dev:/dev/urandom

                        smtpd_delay_reject = yes

                        What can I do to accept the connection to myrelayhost?

                        Best Regards


                        -----Original Message-----
                        From: Viktor Dukhovni <postfix-users@...>
                        Reply-to: postfix-users@...
                        To: postfix-users@...
                        Subject: Re: error using certificate server
                        Date: Tue, 12 Feb 2013 07:01:24 +0000

                        On Tue, Feb 12, 2013 at 01:36:15AM +0100, deconya wrote:

                        > Thanks for you answers
                        >
                        > I continue with the problem and I don't know where I can check more. At
                        > now the situation is
                        >
                        > -Sends mails deferred
                        >
                        > -In logs appears:
                        >
                        > Feb 12 01:20:50 mailserver postfix/smtpd[16653]: warning:
                        > smtpd_tls_security_level: unsupported TLS level "verify", using "encrypt"
                        > Feb 12 01:20:50 mailserver postfix/smtpd[16653]: initializing the
                        > server-side TLS engine

                        I give up, you still can't pay attention long enough to distinguish
                        "smtp_tls_security_level" from "smtpd_tls_security_level". Good luck,
                        over and out.

                        --
                        Viktor.