Postfix (Ubuntu 14.04) SSL Certificates Differ – Anything to really worry about

postfix ssl-certificate

I've got an Ubuntu 14.04 server running Postfix – which is sending mail via an external host (Mandrill).

I've got no issues sending email – but (prior to disabling TLS – which seems to have caused no issue) – on each email sent I'd get the error –

postfix/postfix-script[4557]: warning:
/var/spool/postfix/etc/ssl/certs/ca-certificates.crt and
/etc/ssl/certs/ca-certificates.crt differ

Since disabling TLS I no longer get the warning when sending an email (not surprising) – however it's seen on starting the service (and on scheduled cron service checks).

The server hosts multiple domains – but only sends emails from one.

The obvious solution it seems would be to copy over the certificate files to the Postfix directory (would love a reminder on which files other than the .crt I need to move!)?

Or is this a warning I don't really need to worry about?

Any help much appreciated.

Richard.

Best Answer

You don't really need to worry about it, for several reasons.

  1. The proximate cause of the log message is that various parts of Postfix run chrooted under /var/spool/postfix, and so those parts will look in /var/spool/postfix/etc/ssl/certs/ca-certificates.crt to get the list of TLS trust anchors used to validate certificates presented. In theory, an out-of-date ca-certificates.crt could mean that those chrooted parts of Postfix might not recognise a "valid" certificate as such, or fail to distrust a certificate issued by a since-detrusted CA. In practice, the list of trusted roots changes so infrequently that it's unlikely to be a problem.

  2. SMTP-over-TLS is not like HTTPS, with regards to the trustworthiness of certificates. Practically no SMTP server running on the Internet today checks that the certificates that are presented are trustworthy, because so many certificates fail validation -- either because of name mismatches, expiration, or issuance by an untrusted CA (usually self-signed, but not always). SMTP operators, in general, are of the opinion that passive attackers are of greater concern than active attackers, so encryption to an untrusted endpoint is better than not encrypting (which is what would automatically happen if the TLS-protected connection was rejected).

Yes, the obvious solution is to copy over the file that is being complained about, into the chroot. There are no other files to copy, because it isn't Postfix's own key/cert pair you're copying, it's only the list of trust anchors, which are all contained in a single file.
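
The copy described in the answer above, written out as an added example (not part of the original answer or of Postfix itself). The default paths are the two files named in the warning; the function name `sync_ca_bundle` and its return codes are assumptions made for this sketch. Run it as root.

```shell
#!/bin/sh
# Added example: bring the chroot copy of the CA bundle in line with the
# system copy. Defaults are the two paths named in the Postfix warning.
SYSTEM_CA="${SYSTEM_CA:-/etc/ssl/certs/ca-certificates.crt}"
CHROOT_CA="${CHROOT_CA:-/var/spool/postfix/etc/ssl/certs/ca-certificates.crt}"

# sync_ca_bundle SRC DST   (hypothetical helper name)
# Returns 0 if DST already matches SRC, 10 if DST was updated, 1 on error.
sync_ca_bundle() {
    src=$1
    dst=$2

    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }

    # Refuse an empty or non-PEM source so a broken bundle is never
    # propagated into the chroot.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$src" || {
        echo "$src contains no PEM certificates" >&2
        return 1
    }

    # Nothing to do when the two files are byte-identical.
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        return 0
    fi

    dstdir=$(dirname "$dst")
    mkdir -p "$dstdir" || return 1

    # Write to a temp file in the same directory, then rename, so the
    # chrooted processes never read a half-written bundle.
    tmp=$(mktemp "$dstdir/.ca-bundle.XXXXXX") || return 1
    if cp "$src" "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dst"; then
        return 10
    fi
    rm -f "$tmp"
    return 1
}

# Typical call, using the defaults above:
#   sync_ca_bundle "$SYSTEM_CA" "$CHROOT_CA"
```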