certificate error

Davy Leon
Hi folks

I'm getting this message in my /var/log/maillog every time postfix delivers a message. The message is delivered, but it logs this message. How can I solve this?

Thanks

Davy

Jan  6 18:17:25 centrino postfix/smtp[3699]: certificate verification failed for smarthost.example.com: num=20:unable to get local issuer certificate
Jan  6 18:17:25 centrino postfix/smtp[3699]: certificate verification failed for smarthost.example.com: num=27:certificate not trusted
Jan  6 18:17:25 centrino postfix/smtp[3699]: certificate verification failed for smarthost.example.com: num=21:unable to verify the first certificate

Re: certificate error

Barney Desmond
2010/1/8 Davy Leon <[hidden email]>:

> I'm getting this message in my /var/log/maillog every time postfix delivers a
> message. The message is delivered, but it logs this message. How can I solve
> this?
>
> Jan  6 18:17:25 centrino postfix/smtp[3699]: certificate verification failed
> for smarthost.example.com: num=20:unable to get local issuer certificate
> Jan  6 18:17:25 centrino postfix/smtp[3699]: certificate verification failed
> for smarthost.example.com: num=27:certificate not trusted
> Jan  6 18:17:25 centrino postfix/smtp[3699]: certificate verification failed
> for smarthost.example.com: num=21:unable to verify the first certificate

I'm not certain, but it sounds like your Postfix is set up to do
opportunistic TLS in the SMTP client, which is fine. I believe it's
saying that the certificate-signer's identity (the CA) can't be
verified, which is expected if smarthost.example.com has a self-signed
cert (just one explanation).

This may clarify things for you:
http://www.postfix.org/postconf.5.html#smtp_tls_CAfile

I wouldn't worry too much though, hardly any public SMTP servers out
there have "proper" signed certificates. Correctly configured and
verifiable chains of trust on the internet are pretty rare, and offer
little real value unless you have a defined policy and enforce the use
of TLS accordingly.
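
Added example, not part of either post in this thread: a small triage script that reads the `certificate verification failed` lines quoted above, maps each `num=` value to its OpenSSL verify-error name, and groups the codes per remote server. The `triage` heuristic and the fourth sample line (a hypothetical host, `selfsigned.example.net`) are assumptions made for this example.

```python
import re
from collections import defaultdict

# OpenSSL verify result codes, printed by the Postfix SMTP client as num=<code>.
X509_V_ERR = {
    10: "CERT_HAS_EXPIRED",
    18: "DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "SELF_SIGNED_CERT_IN_CHAIN",
    20: "UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "UNABLE_TO_VERIFY_LEAF_SIGNATURE",
    27: "CERT_UNTRUSTED",
}
LINE_RE = re.compile(r"postfix/smtp\[\d+\]: certificate verification failed "
                     r"for (?P<peer>\S+): num=(?P<num>\d+):")

# First three lines are the ones quoted in the thread; the last is constructed
# for contrast (hypothetical host presenting a self-signed leaf certificate).
SAMPLE = [
    "Jan  6 18:17:25 centrino postfix/smtp[3699]: certificate verification failed for smarthost.example.com: num=20:unable to get local issuer certificate",
    "Jan  6 18:17:25 centrino postfix/smtp[3699]: certificate verification failed for smarthost.example.com: num=27:certificate not trusted",
    "Jan  6 18:17:25 centrino postfix/smtp[3699]: certificate verification failed for smarthost.example.com: num=21:unable to verify the first certificate",
    "Jan  6 18:20:02 centrino postfix/smtp[3711]: certificate verification failed for selfsigned.example.net: num=18:self signed certificate",
]

def codes_by_peer(lines):
    """Collect the set of verify codes logged for each remote server."""
    found = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            found[m.group("peer")].add(int(m.group("num")))
    return dict(found)

def triage(codes):
    """Heuristic added for this example: report the most specific cause first."""
    if 10 in codes:
        return "expired"
    if codes & {18, 19}:
        return "self-signed"
    if codes & {20, 21}:
        return "issuer-not-in-trust-store"  # check smtp_tls_CAfile / smtp_tls_CApath
    return "untrusted" if 27 in codes else "unknown"

def report(lines):
    """Return {peer: (cause, [error names in code order])}."""
    return {peer: (triage(c), [X509_V_ERR.get(n, str(n)) for n in sorted(c)])
            for peer, c in codes_by_peer(lines).items()}

if __name__ == "__main__":
    for peer, (cause, names) in report(SAMPLE).items():
        print(f"{peer}: {cause} ({', '.join(names)})")
```
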