Kirill Miazine <km@???> wrote:
>> configure says:
>>
>> tls_certificate = smtp.crt
>> tls_privatekey = smtp.key
>> tls_advertise_hosts = *
>>
>> smtp.crt and smtp.key are located in /usr/local/ssl/certs?
>
> Use full path in tls_certificate and tls_privatekey.
Might seem obvious to you, but the documentation I was reading implied
that certificates were picked up from /usr/local/ssl/certs by default and
the full path was not required.
This TLS/SSL really isnt documented very well is it. Security by
obscurity indeed...
The next problem I had was when STARTTLS was sent, the server asked for
the PEM Passphrase, which broke the SMTP dialogue somewhat. Nowhere does
it say in any docs that the private key has to be unencrypted... Most
recommend that it is encrypted. Once that was fixed it worked.
The next problem I had was certificate chains to establish trust to the
root CA did not work. I established that each certificate must have one
line in between each begin and end statement, and they need to be in the
right order, server certificate first, root CA last. The line between
each certificate in the chain wasnt documented anywhere.