Depends on what exactly the problem is that you are seeing. If it's identical to the problem I have above, then no. Generally speaking SSL is not particularly effective from an e-mail perspective, only really preventing casual eavesdropping. Because the SSL connection isn't verified by a human anywhere, almost all mail servers will blindly accept any SSL certificate given to them.
i.e. for e-mail there isn't a lot of point in getting a commercially signed SSL cert. Kernel.org, *FOR E-MAIL*, uses a self-signed certificate, for reference*. The way I fixed the above was to pass the certificate as both the CA and the certificate, or basically that I trust myself from a certificate standpoint.
I haven't tried using CACert certs for mail, but depending on the error it could be (off the top of my head)
- Misconfigured CA / key in postfix
- Can other mail servers, other than Exchange, communicate with you via SSL? Can you open a connection to the mail server using raw openssl (google for how to do this)?
- Does it seem to only be Exchange-based systems that are suffering from a miscommunication?
- Could be, though I doubt it, people blocking CAcert certs for not being secure or verifiable enough.
Just some thoughts anyway.
*: We have access to commercial certificates, kindly donated by Thawte, but since e-mail certs are basically never verified there isn't a lot of point in using those, and the self-signed cert I can set a 10-20 year timeout on and not have to worry about for a while.
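The setup the post describes (a long-lived self-signed certificate handed to Postfix as both its certificate and its CA file) and the "raw openssl" connection check it suggests, as an added example that is not the poster's or kernel.org's own configuration. The directory /etc/postfix/tls, the hostname mail.example.org and the 10-year validity are assumptions; the Postfix parameter names are the real ones. `smtpd_tls_security_level = may` is Postfix's opportunistic mode, which is exactly the "accept any certificate, only stop casual eavesdropping" behaviour the post talks about.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl and a Postfix
# install; the hostname and directory below are placeholders.
set -eu

# Create a self-signed cert (default 3650 days, i.e. ~10 years) plus key.
# The same file will later be used as the server cert AND as the CA file,
# so the server effectively trusts itself.
make_selfsigned() {
    dir=$1; host=$2; days=${3:-3650}
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/smtpd.key" -out "$dir/smtpd.crt" \
        -days "$days" -subj "/CN=$host" >/dev/null 2>&1
    chmod 600 "$dir/smtpd.key"
}

# Exit status 0 when $2 validates against the CA bundle $1. For a
# self-signed cert, verifying it against itself is the check that the
# "cert as its own CA" trick relies on.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# main.cf fragment: note smtpd_tls_CAfile points at the same file as
# smtpd_tls_cert_file. "may" = offer STARTTLS but still accept plaintext,
# and (for outbound) accept any peer certificate without verification.
postfix_tls_fragment() {
    dir=$1
    printf '%s\n' \
        "smtpd_tls_security_level = may" \
        "smtpd_tls_cert_file = $dir/smtpd.crt" \
        "smtpd_tls_key_file = $dir/smtpd.key" \
        "smtpd_tls_CAfile = $dir/smtpd.crt" \
        "smtp_tls_security_level = may" \
        "smtp_tls_loglevel = 1"
}

# The "raw openssl" check: negotiate STARTTLS on port 25 and report the
# protocol and the verify result against the given CA file. Needs network
# access to the MTA, so it is only run from main, not from the tests.
starttls_check() {
    host=$1; cafile=$2
    printf 'QUIT\r\n' | openssl s_client -connect "$host:25" -starttls smtp \
        -servername "$host" -CAfile "$cafile" 2>/dev/null \
        | grep -E 'Verify return code|Protocol'
}

main() {
    dir=/etc/postfix/tls
    host=mail.example.org
    make_selfsigned "$dir" "$host" 3650
    verify_against "$dir/smtpd.crt" "$dir/smtpd.crt" && echo "cert verifies against itself"
    postfix_tls_fragment "$dir"
    # After appending the fragment to main.cf and reloading postfix:
    starttls_check "$host" "$dir/smtpd.crt"
}

if [ "${1:-}" = "run" ]; then
    main
fi
```

Run with `sh script.sh run` as root on the MTA. Remote MTAs with default settings will still accept the self-signed cert because they do opportunistic TLS; `starttls_check` prints "Verify return code: 0 (ok)" only because it was given the same file as its CA, which is the point the post is making.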
Re: Any resolution?