[Bug 936266] [NEW] tls_append_default_CA and *_tls_CApath don't work

arty me at arty.name
Sun Feb 19 14:58:41 UTC 2012

Public bug reported:

I have an Ubuntu Maverick server with Postfix 2.8.2 on it. Looks like tls_append_default_CA has no effect on it.
When I send emails to Gmail I get a message about failed certificate verification. There are many articles on solving this issue. The ones that I saw suggest the suboptimal approach of adding the Equifax CA certificate to your own CA certificate file [1]. I want to solve the issue in a better way.
First of all, Ubuntu ships Equifax_Secure_CA.pem and it's present in /etc/ssl/certs/. When I set 'smtp_tls_CAfile = /etc/ssl/certs/Equifax_Secure_CA.pem' [2] I get no verification errors, so I suppose the certificate is fine. But that will only fix errors for Gmail and other users of Equifax-signed certificates.
I want to use a more generic approach, so I unset smtp_tls_CAfile and set 'smtp_tls_CApath = /etc/ssl/certs' [3] and 'smtpd_tls_CApath = /etc/ssl/certs' [4]. In that configuration I see verification errors.
Documentation on [3] and [4] mentions the tls_append_default_CA setting, which defaults to 'no' [5]. I set 'tls_append_default_CA = yes'. In that configuration I see verification errors.
I unset smtp_tls_CApath and smtpd_tls_CApath. The only option about CA certificates is tls_append_default_CA now. In that configuration I see verification errors.
I set 'smtp_tls_CAfile = /etc/ssl/certs/cacert.pem' in addition to 'tls_append_default_CA = yes'. In that configuration I see verification errors.
Documentation for tls_append_default_CA says: "Append the system-supplied default certificate authority certificates to the ones specified with *_tls_CApath or *_tls_CAfile." I suppose that certificates in /etc/ssl/certs are system-supplied default certificate authority certificates. Apparently those are not added to *_tls_CApath or *_tls_CAfile.

I reported the issue to the postfix-users at postfix.org mailing list. [6]
Wietse recommended that I try disabling chrooting and report the bug here.

I disabled chrooting. Having 'tls_append_default_CA = yes' in my
configuration I was still getting verification errors.

What might be the cause of that issue?

[1] http://stevejenkins.com/blog/2011/06/fixing-postfix-certificate-verification-failed-for-gmail-untrusted-issuer-error-message/
[2] http://www.postfix.org/postconf.5.html#smtp_tls_CAfile
[3] http://www.postfix.org/postconf.5.html#smtp_tls_CApath
[4] http://www.postfix.org/postconf.5.html#smtpd_tls_CApath
[5] http://www.postfix.org/postconf.5.html#tls_append_default_CA
[6] http://tech.groups.yahoo.com/group/postfix-users/message/283838

Regards, Artemy

** Affects: postfix (Ubuntu)
     Importance: Undecided
         Status: New
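One check worth running on any directory used as a *_tls_CApath, whatever the eventual cause of the report above turns out to be: OpenSSL's directory lookup does not read every file in the directory, it opens files named after the subject hash of the issuer it is looking for (<hash>.0, <hash>.1, ...), which is why the postconf(5) entry for smtp_tls_CApath says the hash links are created with c_rehash and, in chroot mode, must exist inside the jail along with the certificates. The script below is an added example and is not code from this bug report or from Postfix. It builds a throwaway root CA and a leaf certificate in a temporary directory (constructed test data), shows that verification through that directory fails until the hash link exists, and exposes check_capath for use on a real directory such as /etc/ssl/certs. It assumes the openssl command-line tool is installed; the certificate names and paths are invented for the demo.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Postfix.
# Checks whether a directory is usable as a Postfix *_tls_CApath: OpenSSL looks
# certificates up there by subject-hash link (<hash>.0, <hash>.1, ...), not by
# reading every file. Assumes the openssl command-line tool is installed.

# check_capath DIR: report every *.pem CA certificate in DIR that has no
# matching <subject-hash>.N link. Returns 0 if all are linked, 1 otherwise.
check_capath() {
    dir=$1
    missing=0
    for pem in "$dir"/*.pem; do
        [ -e "$pem" ] || continue            # no *.pem files at all
        hash=$(openssl x509 -in "$pem" -noout -hash 2>/dev/null) || {
            echo "unreadable certificate: $pem"
            missing=$((missing + 1))
            continue
        }
        linked=0
        for link in "$dir/$hash".[0-9]*; do
            [ -e "$link" ] && linked=1
        done
        if [ "$linked" -eq 0 ]; then
            echo "no hash link for $pem (expected $dir/$hash.0)"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# rehash_capath DIR: create the <hash>.0 links that c_rehash / openssl rehash
# would create (first link only, enough for a directory without hash collisions).
rehash_capath() {
    dir=$1
    for pem in "$dir"/*.pem; do
        [ -e "$pem" ] || continue
        hash=$(openssl x509 -in "$pem" -noout -hash 2>/dev/null) || continue
        [ -e "$dir/$hash.0" ] || ln -s "$(basename "$pem")" "$dir/$hash.0"
    done
}

# verify_with_capath DIR CERT: verify CERT against DIR the way a CApath lookup
# does. The "OK" verdict is checked in the output because old openssl versions
# exited 0 even when verification failed.
verify_with_capath() {
    openssl verify -CApath "$1" "$2" 2>&1 | grep -q ': OK$'
}

# make_demo WORK: build a throwaway root CA in WORK/capath and a leaf
# certificate signed by it (constructed test data, valid for one day).
make_demo() {
    work=$1
    mkdir -p "$work/capath"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$work/ca.key" -out "$work/capath/demo-ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$work/leaf.key" -out "$work/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$work/leaf.csr" -CA "$work/capath/demo-ca.pem" \
        -CAkey "$work/ca.key" -CAcreateserial -out "$work/leaf.pem" >/dev/null 2>&1
}

# Demo: the same directory fails as a CApath until it is hash-linked.
demo() {
    work=$(mktemp -d)
    make_demo "$work"
    echo "--- before rehash"
    check_capath "$work/capath" || true
    verify_with_capath "$work/capath" "$work/leaf.pem" && echo "verify: OK" || echo "verify: FAILED"
    rehash_capath "$work/capath"
    echo "--- after rehash"
    check_capath "$work/capath" && echo "all certificates hash-linked"
    verify_with_capath "$work/capath" "$work/leaf.pem" && echo "verify: OK" || echo "verify: FAILED"
    rm -rf "$work"
}

demo
```

To use the check on a live system, source the file and run `check_capath /etc/ssl/certs` (or whatever directory the chrooted Postfix actually sees); a non-zero exit with a list of unlinked files means the directory cannot work as a CApath regardless of which certificates it contains.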
