Bug 700735

Summary: Configuring mailserver with Yast2 and specifying TLS support does not enable tlsmgr in master.cf
Product: [openSUSE] openSUSE 11.4 Reporter: Freek de Kruijf <freek>
Component: YaST2 Assignee: Peter Varkoly <varkoly>
Status: VERIFIED FIXED QA Contact: Jiri Srain <jsrain>
Severity: Normal    
Priority: P5 - None    
Version: Final   
Target Milestone: ---   
Hardware: x86-64   
OS: openSUSE 11.4   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Freek de Kruijf 2011-06-17 22:45:34 UTC
User-Agent:       Mozilla/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

Configuring the mailserver in Yast2, one can enable a relayhost that needs TLS and authentication. The proper entries in main.cf and the files sasl_password* are generated.
However, in that case the hash in front of the line with tlsmgr in master.cf needs to be removed. Yast2 should do that.
After doing that I received a message in /var/log/mail that the Server certificate was not trusted. It should be an option to enter the certificate or the filename of the certificate to overcome that problem.

Reproducible: Always

Comment 1 Freek de Kruijf 2011-06-18 09:25:33 UTC
On the last issue about the certificate, I entered the following line in main.cf which solved the problem:

smtp_tls_CApath = /etc/ssl/certs

It turns out that there is an issue with OpenSSL here. In case smtp_tls_CAfile or smtp_tls_CApath is not empty, the OpenSSL API is used to do the work. However, the default seems to be that OpenSSL uses the certs in /etc/ssl/certs anyway.
See the discussion on:
http://tech.groups.yahoo.com/group/postfix-users/message/266353
What I understood from the discussion is that it is better to copy the proper certificates from the /etc/ssl/certs to the map /etc/postfix/certs and enter /etc/postfix/certs as the value of the above smtp_tls_CApath parameter. However, one needs to use a command c_hash (from /usr/share/ssl/misc/c_hash ?) to generate hash entries in that map.

The above solution seems to be OK as long as the postfix daemon is not configured to accept connections based on these certs.
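
The two conditions reported above (TLS requested in main.cf while tlsmgr stays commented out in master.cf, and no CA path or file set) can be checked with a read-only script. This is an added example, not part of the original report or of YaST; the function names are hypothetical, the sample files are constructed, and it assumes client TLS is switched on through smtp_use_tls or smtp_tls_security_level.

```sh
#!/bin/sh
# Added example: read-only audit of a main.cf/master.cf pair for the two
# problems in this report. Paths are arguments; sample files are constructed.

# Print the last uncommented value assigned to parameter $1 in main.cf $2.
main_cf_value() {
    awk -v key="$1" '
        $0 ~ ("^" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = $0
        }
        END { print val }' "$2"
}

# True when main.cf $1 asks the SMTP client to use TLS. A non-empty
# smtp_tls_security_level overrides the older smtp_use_tls switch.
smtp_tls_requested() {
    case "$(main_cf_value smtp_tls_security_level "$1")" in
        "")   [ "$(main_cf_value smtp_use_tls "$1")" = "yes" ] ;;
        none) return 1 ;;
        *)    return 0 ;;
    esac
}

# Print findings for main.cf $1 and master.cf $2; return status = number found.
audit_postfix_tls() {
    findings=0
    smtp_tls_requested "$1" || { echo "OK: client TLS not requested"; return 0; }
    if ! grep -Eq '^tlsmgr[[:space:]]' "$2"; then
        echo "FINDING: TLS requested, but tlsmgr is commented out or absent in $2"
        findings=$((findings + 1))
    fi
    if [ -z "$(main_cf_value smtp_tls_CApath "$1")$(main_cf_value smtp_tls_CAfile "$1")" ]; then
        echo "FINDING: no smtp_tls_CApath/smtp_tls_CAfile; mail log may report the relay certificate as not trusted"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample reproducing the reported state (both findings expected).
demo=$(mktemp -d)
printf 'relayhost = [mail.example.com]\nsmtp_use_tls = yes\n' > "$demo/main.cf"
printf '#tlsmgr    unix  -  -  n  1000?  1  tlsmgr\n' > "$demo/master.cf"
audit_postfix_tls "$demo/main.cf" "$demo/master.cf" || echo "findings: $?"
rm -rf "$demo"
```

On a live system the call would be `audit_postfix_tls /etc/postfix/main.cf /etc/postfix/master.cf`.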
Comment 2 Peter Varkoly 2013-03-20 07:36:31 UTC
Thank you and sorry. Since openSUSE 12.2 smtp_tls_CApath will be set.