hi tim,
Thanks for the input so far... I hear what you're saying about Mail.app but I provide email for a small group of friends and I need it to work with a variety of clients.
i was simply suggesting options for you to explore/investigate your problem with tools that might be of more help, not to suggest replacing your client of choice.
if you haven't, again, i'd simply suggest that you do.
I did, but i wasn't sure what it meant. I got an actual signed cert from cacerts.org and this is what i get when i try to verify it.
given what i'm seeing below, i'm going to suggest that you step-by-step it 1st with your own, home-grown CA cert ... just to see what's happening
dovecot.cert: /CN=mail.design1st.org
error 29 at 0 depth lookup:subject issuer mismatch
/CN=mail.design1st.org
error 29 at 0 depth lookup:subject issuer mismatch
/CN=mail.design1st.org
error 29 at 0 depth lookup:subject issuer mismatch
OK
all my self-signed certs look like this:
design1st.cert: /C=US/ST=California/L=Sunnyvale/O=Design1st Dot Org/CN=design1st.org
error 18 at 0 depth lookup:self signed certificate
OK
This seemed more interesting, but also didn't help me:
design1st:/usr/local/openssl/certs root# openssl s_client -connect localhost:10943 -showcerts
CONNECTED(00000003)
depth=0 /CN=mail.design1st.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=mail.design1st.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 /CN=mail.design1st.org
verify error:num=21:unable to verify the first certificate
verify return:1

Certificate chain
 0 s:/CN=mail.design1st.org
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
-----BEGIN CERTIFICATE-----
snip
-----END CERTIFICATE-----

Server certificate
subject=/CN=mail.design1st.org
issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org

No client certificate CA names sent

SSL handshake has read 1681 bytes and written 340 bytes

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol : TLSv1
    Cipher : DHE-RSA-AES256-SHA
    Session-ID: 1CDF45682A2292396C55FDEC04BD51B0F50F91E0A3447A096588A8A184C60706
    Session-ID-ctx:
    Master-Key: 85513BB8BEA91C65A9DD5F14F7264BE2E108A15C8F1B4F88711DE61BF912450BBE286C0008197298EC8A16CE8D11BF4B
    Key-Arg : None
    Start Time: 1157850811
    Timeout : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

- OK Dovecot ready.
1st, take each of the errors and google on it ... there's lots of info out there.
unfortunately, you're gonna have to match what you find with your particular circumstance(s).
that said ... lemme guess at something here:
have you IMPORTED the cert into mail.app?
why do i ask? cref here:
Mac OS X Mail.app (native eMail application) for Signing / Encrypting
http://wiki.cacert.org/wiki/EmailCertificates
"these steps were needed because Apple does not ship with the cacert Root CA Certificate"
richard
/"
\ / ASCII Ribbon Campaign
X against HTML email, vCards
/ \ & micro$oft attachments
[GPG] OpenMacNews at gmail dot com fingerprint: 50C9 1C46 2F8F DE42 2EDB D460 95F7 DDBD 3671 08C6
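The step-by-step check with a home-grown CA suggested in the message above, as an added example that is not part of the original thread: it builds a throwaway root and a leaf signed by it, then shows `openssl verify` reporting error 18 for the bare self-signed root, error 20 for the leaf while its issuer is missing from the trust store, and success once the root is supplied with `-CAfile`. It assumes the `openssl` CLI is on the PATH; the names `Example Root` and `mail.example.test` are constructed.

```sh
# Added example; every name here (Example Root, mail.example.test) is constructed.

make_chain() {   # $1 = empty directory; writes ca.pem (root) and leaf.pem (signed by it)
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/O=Example Test CA/CN=Example Root" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 2 -out "$1/leaf.pem" 2>/dev/null
}

verify_code() {  # args as for `openssl verify`; prints the first error number, or 0 if OK
  out=$(openssl verify "$@" 2>&1) || true
  # Match lines such as "error 20 at 0 depth lookup: unable to get local issuer certificate"
  code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  echo "${code:-0}"
}

work=$(mktemp -d)
make_chain "$work"
# Root on its own, not installed as a trust anchor: self-signed certificate.
echo "root alone, no trust anchor : $(verify_code "$work/ca.pem")"
# Leaf checked against the default store, which lacks our root: issuer not found.
echo "leaf, issuer not in store   : $(verify_code "$work/leaf.pem")"
# Same leaf with the root supplied explicitly: chain verifies.
echo "leaf, -CAfile ca.pem        : $(verify_code -CAfile "$work/ca.pem" "$work/leaf.pem")"
rm -rf "$work"
```
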