postfix CA bundle file under PPA - how to edit without risk of it being overwritten?

Discussion in 'Parallels Plesk Automation' started by GregHL, Aug 19, 2013.

  1. GregHL

    GregHL New Member

    Messages:
    126
    I see in the maillogs a number of errors for lots of different Certificate Authorities - and some I really did NOT expect to see here:

    [root@web48002 admin]# grep ' certificate verification failed for' /usr/local/psa/var/log/maillog | wc -l
    998
    [root@web48002 admin]# grep ' certificate verification failed for' /usr/local/psa/var/log/maillog | head
    Aug 19 00:04:45 web48002 postfix/smtp[28115]: certificate verification failed for inbound.hsaforamerica.com.netsolmail.net[206.188.198.64]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    Aug 19 00:07:23 web48002 postfix/smtp[29376]: certificate verification failed for gmail-smtp-in.l.google.com[173.194.79.26]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    Aug 19 00:10:33 web48002 postfix/smtp[30788]: certificate verification failed for mailin-04.mx.aol.com[64.12.90.66]:25: untrusted issuer /C=US/O=America Online Inc./CN=America Online Root Certification Authority 1
    Aug 19 00:27:55 web48002 postfix/smtp[3951]: certificate verification failed for inbound.hsaforamerica.com.netsolmail.net[206.188.198.64]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    Aug 19 00:28:37 web48002 postfix/smtp[3951]: certificate verification failed for forwarding.frii.com[216.17.128.10]:25: untrusted issuer /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    Aug 19 00:30:29 web48002 postfix/smtp[5986]: certificate verification failed for gmail-smtp-in.l.google.com[173.194.79.26]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    Aug 19 00:34:38 web48002 postfix/smtp[6504]: certificate verification failed for inbound.hsaforamerica.com.netsolmail.net[206.188.198.64]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    Aug 19 00:34:39 web48002 postfix/smtp[6513]: certificate verification failed for inbound.hsaforamerica.com.netsolmail.net[206.188.198.64]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    Aug 19 00:48:44 web48002 postfix/smtp[13507]: certificate verification failed for mailin-04.mx.aol.com[64.12.138.161]:25: untrusted issuer /C=US/O=America Online Inc./CN=America Online Root Certification Authority 1
    Aug 19 00:58:04 web48002 postfix/smtp[19431]: certificate verification failed for forwarding.frii.com[216.17.128.10]:25: untrusted issuer /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    [root@web48002 admin]# grep ' certificate verification failed for' /usr/local/psa/var/log/maillog | cut -d\] -f2- | sort -u
    : certificate verification failed for 855701873.mail.outlook.com[213.199.154.254]:25: untrusted issuer /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
    : certificate verification failed for alt1.aspmx.l.google.com[74.125.137.26]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    : certificate verification failed for alt2.aspmx.l.google.com[173.194.74.27]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    : certificate verification failed for a.mx.eset.com[89.202.157.229]:25: self-signed certificate
    : certificate verification failed for appmx1-sc9.netsuite.com[167.216.129.174]:25: untrusted issuer /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
    : certificate verification failed for argarza.com.mx[174.121.78.226]:25: untrusted issuer /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
    : certificate verification failed for arscorpsw1.air-resource.com[12.45.118.195]:25: self-signed certificate
    : certificate verification failed for asp-0.reflexion.net[69.84.129.233]:25: untrusted issuer /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    : certificate verification failed for asp-4.reflexion.net[69.84.129.233]:25: untrusted issuer /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    : certificate verification failed for a.spamfilter.steadfast.net[216.86.146.40]:25: untrusted issuer /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    : certificate verification failed for a.spamfilter.steadfast.net[67.202.100.15]:25: untrusted issuer /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    : certificate verification failed for aspmx.l.google.com[173.194.79.26]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    : certificate verification failed for aspmx.l.google.com[173.194.79.27]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    : certificate verification failed for aspmx.l.google.com[74.125.129.26]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    : certificate verification failed for aspmx.l.google.com[74.125.25.26]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    : certificate verification failed for aspmx.l.google.com[74.125.25.27]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    : certificate verification failed for asp.reflexion.net[69.84.129.233]:25: untrusted issuer /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    : certificate verification failed for b.spamfilter.steadfast.net[67.202.100.17]:25: untrusted issuer /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    :[snip] - there are TONS of these...
    [root@web48002 admin]#


    How/where do we edit our CA file under Postfix - and why is the standard one installed by PPA not including some of these VERY MAJOR CAs?!?

    I would like instructions on how to edit this in a manner that it will not get overwritten by some PPA update or yum update please.
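    The grep/cut/sort pipeline above is a good start; as an added example (not code from the thread), the script below runs the same kind of triage over a few constructed maillog lines in the format shown in the post. It groups failures by reason, lists the distinct issuer DNs Postfix could not chain to a trusted root (the list of roots that are actually missing), and separates out peers that present a self-signed certificate, which no CA bundle will ever make verifiable. Host names and IPs in the sample are placeholders.

```shell
#!/bin/sh
# Added example: triage Postfix "certificate verification failed" log lines.
# Log format assumed: "... certificate verification failed for HOST[IP]:PORT: REASON"
# where REASON is "untrusted issuer <DN>" or "self-signed certificate".
set -eu

# make_sample_log FILE: write a few constructed maillog lines (placeholder hosts).
make_sample_log() {
  cat > "$1" <<'EOF'
Aug 19 00:04:45 web48002 postfix/smtp[28115]: certificate verification failed for inbound.example.net[192.0.2.10]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Aug 19 00:07:23 web48002 postfix/smtp[29376]: certificate verification failed for mx.example.com[192.0.2.11]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Aug 19 00:10:33 web48002 postfix/smtp[30788]: certificate verification failed for mx2.example.org[192.0.2.12]:25: untrusted issuer /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
Aug 19 00:12:00 web48002 postfix/smtp[30790]: certificate verification failed for mail.example.edu[192.0.2.13]:25: self-signed certificate
Aug 19 00:13:00 web48002 postfix/smtp[30791]: connect to mx3.example.org[192.0.2.14]:25: Connection timed out
EOF
}

# summarize_tls_failures LOGFILE
# Prints "COUNT<TAB>REASON", most frequent reason first.
summarize_tls_failures() {
  tab=$(printf '\t')
  grep ' certificate verification failed for ' "$1" |
    sed 's/.*certificate verification failed for [^ ]* //' |
    sort | uniq -c | sort -rn |
    sed "s/^[[:space:]]*\([0-9][0-9]*\) /\1$tab/"
}

# missing_issuers LOGFILE
# Distinct issuer DNs that were rejected as untrusted: the roots to look for.
missing_issuers() {
  grep ' certificate verification failed for ' "$1" |
    sed -n 's/.*certificate verification failed for [^ ]* untrusted issuer //p' |
    sort -u
}

# self_signed_peers LOGFILE
# Peers whose certificate is self-signed; adding CAs cannot fix these.
self_signed_peers() {
  sed -n 's/.*certificate verification failed for \([^ ]*\): self-signed certificate$/\1/p' "$1" |
    sort -u
}

SAMPLE=$(mktemp)
make_sample_log "$SAMPLE"
echo "== failures by reason =="
summarize_tls_failures "$SAMPLE"
echo "== issuer DNs not chained to a trusted root =="
missing_issuers "$SAMPLE"
echo "== peers with self-signed certificates =="
self_signed_peers "$SAMPLE"
rm -f "$SAMPLE"
```

On a PPA host you would run the functions against /usr/local/psa/var/log/maillog instead of the sample file. The point of splitting the output this way is that only the "untrusted issuer" lines say anything about the CA bundle; the self-signed entries are the remote side's choice and will keep appearing after any bundle fix.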
  2. IgorG

    IgorG Parallels Team

    Messages:
    16,111
    As a possible solution, you need to specify the option smtp_tls_CAfile in the /etc/postfix/main.cf file. More details here - http://giantdorks.org/alain/fix-for-postfix-untrusted-certificate-tls-error/
    Also, if you have CentOS, you can just try to update the default Postfix certificate with

    # curl http://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt

    or just update openssl package to latest version.

    BTW, the Equifax Secure Certificate Authority can be found here - https://www.geotrust.com/resources/root-certificates/index.html
  3. GregHL

    GregHL New Member

    Messages:
    126
    Thank you for the info - FYI - my openssl is up to date.


    For those that need step-by-step instructions - here is what I did using the post from Igor - and it appears to have fixed all the SSL errors in my maillog:

    Code:
    # mkdir ~root/pem-files;
    # cd ~root/pem-files/;
    # wget http://curl.haxx.se/ca/cacert.pem;
    # wget https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.pem;
    # wget https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_eBusiness_CA-1.pem;
    # wget https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Global_eBusiness_CA-1.pem;
    # cat cacert.pem Equi*pem > cacert-master.pem;
    # cp /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt.back;
    # cat cacert-master.pem > /etc/pki/tls/certs/ca-bundle.crt;
    then - edit /etc/postfix/main.cf

    find the section relating to smtp_tls and add this line [mine was around line 683]:

    Code:
    smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
    then restart postfix - on CentOS that is:

    Code:
    # service postfix restart
    I ran a continuous tail on /usr/local/psa/var/log/maillog to watch for more errors:

    Code:
     tail -f /usr/local/psa/var/log/maillog
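    The steps above overwrite /etc/pki/tls/certs/ca-bundle.crt, which is owned by the openssl/ca-certificates package and is replaced on the next package update, which is exactly the overwrite risk the first post asks about. As an added example (not code from the thread or from Parallels), the script below takes the alternative Igor's first sentence points at: it merges cacert.pem and the downloaded root PEMs into a separate bundle, drops duplicate certificates, checks that every block parses before Postfix is pointed at it, and sets smtp_tls_CAfile with postconf. The bundle path /etc/postfix/smtp-ca-bundle.pem is an assumption, and the PEM blocks in the sample are constructed placeholders, not real certificates, so the merge logic can run offline.

```shell
#!/bin/sh
# Added example: build a dedicated CA bundle for Postfix outbound TLS
# verification instead of replacing the distribution's ca-bundle.crt.
set -eu

# Assumed location for the Postfix-specific bundle (not a PPA path).
POSTFIX_CA_BUNDLE=${POSTFIX_CA_BUNDLE:-/etc/postfix/smtp-ca-bundle.pem}

# merge_ca_bundles OUTPUT INPUT...
# Keeps one copy of each distinct BEGIN/END CERTIFICATE block, in first-seen
# order; comments and the text headers in cacert.pem are dropped.
merge_ca_bundles() {
  out=$1; shift
  awk '
    /^-----BEGIN CERTIFICATE-----$/ { inblock = 1; block = "" }
    inblock { block = block $0 "\n" }
    /^-----END CERTIFICATE-----$/ {
      inblock = 0
      if (!(block in seen)) { seen[block] = 1; printf "%s", block }
    }
  ' "$@" > "$out"
}

# count_certs FILE: number of certificate blocks in a PEM bundle.
count_certs() {
  grep -c '^-----END CERTIFICATE-----$' "$1" || true
}

# verify_bundle FILE: succeed only if every block parses as X.509.
# Run this before pointing Postfix at the file; needs the openssl CLI.
verify_bundle() {
  expected=$(count_certs "$1")
  parsed=$(openssl crl2pkcs7 -nocrl -certfile "$1" |
           openssl pkcs7 -print_certs -noout |
           grep -c '^subject=' || true)
  [ "$parsed" -eq "$expected" ]
}

# configure_postfix BUNDLE: set smtp_tls_CAfile through postconf (shows up
# in "postconf -n") and reload Postfix.
configure_postfix() {
  postconf -e "smtp_tls_CAfile = $1"
  postfix reload
}

# make_sample_pems DIR: constructed inputs with placeholder base64 payloads.
# cacert.pem holds roots A and B; extra-root.pem repeats B and adds C.
make_sample_pems() {
  cat > "$1/cacert.pem" <<'EOF'
##
## Bundle of CA Root Certificates (constructed sample header)
##
Sample Root A
=============
-----BEGIN CERTIFICATE-----
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
-----END CERTIFICATE-----
Sample Root B
=============
-----BEGIN CERTIFICATE-----
QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC
-----END CERTIFICATE-----
EOF
  cat > "$1/extra-root.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0ND
-----END CERTIFICATE-----
EOF
}

work=$(mktemp -d)
make_sample_pems "$work"
merge_ca_bundles "$work/merged.pem" "$work/cacert.pem" "$work/extra-root.pem"
echo "unique certificates in merged bundle: $(count_certs "$work/merged.pem")"   # 3
# On the real server, with real PEM files, the remaining steps are:
#   verify_bundle "$work/merged.pem" &&
#   install -m 0644 "$work/merged.pem" "$POSTFIX_CA_BUNDLE" &&
#   configure_postfix "$POSTFIX_CA_BUNDLE"
rm -rf "$work"
```

Keeping the Postfix bundle separate from the system trust store also means the extra roots only affect SMTP client verification, not every OpenSSL-based program on the host, and the ca-bundle.crt.back copy from the steps above becomes unnecessary.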
