Discussion:
Qpopper, SSL and root certificates
Pete 'Wolfy' Hanson
2004-08-02 17:56:08 UTC
I have Qpopper 4.05 set with TLS/SSL on a Solaris 2.6 system and
certificates obtained from Thawte (the SSL123 type of cert if it
matters). It works in conjunction with Eudora 6.1 from my Macintosh,
but so far I've been unable to make it work with any other mail
client, Mac or Windows based - all of them complain in various ways
about the root certificate. For instance, Mail.app returns

Unable to verify SSL server xxx.myhost.com

Mail was unable to verify the identity of this server, which has a
certificate issued to "xxx.myhost.com". The error was:

There is no root certificate for this server.

followed by a dire warning that I might be connecting to a system that
is pretending to be "xxx.myhost.com". If I tell Mail to ignore this
and continue, it'll download any available mail and not complain for
the rest of the session. Once I quit Mail and restart it, though, it
complains all over again. Other mail clients follow similar patterns,
or flat out refuse to download anything.

My config stuff contains:

set tls-support = alternate-port
set tls-server-cert-file = /etc/mail/certs/cert.pem

and the cert.pem file contains both the server cert and the signed cert.

Any help will be greatly appreciated.
--
Pete Hanson
System Administrator
Pete 'Wolfy' Hanson
2004-08-03 23:13:45 UTC
Sorry about the repeated mails on that - Gmail hiccuped bad.

Anyway, I'm posting to report that I found my own solution to the
problem - I hacked the Qpopper source to use the OpenSSL function
SSL_CTX_use_certificate_chain_file() instead of
SSL_CTX_use_certificate_file(). I was then able to concatenate the
intermediate certificate from Thawte to my tls-server-cert-file. Now
all the clients I have access to can download mail without complaining
about missing root certs.
diff:

*** pop_tls_openssl.c
364,365c364,366
< nErr = SSL_CTX_use_certificate_chain_file ( pTLS->m_OpenSSLctx,
< pPOP->tls_server_cert_file) ;
---
nErr = SSL_CTX_use_certificate_file ( pTLS->m_OpenSSLctx,
pPOP->tls_server_cert_file,
SSL_FILETYPE_PEM );
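Review bot: the hunk reads reversed relative to the change described above: the `<` side, which diff output uses for the old file, carries the new SSL_CTX_use_certificate_chain_file() call, while the lines after `---` carry the original SSL_CTX_use_certificate_file() call, and those three lines have also lost their `>` prefix, so the diff will not apply as pasted; regenerating it with the original file as the first argument and the modified file as the second fixes both. The assignment to nErr is kept, so whatever check of nErr follows should stay in place. On the open question in the text: SSL_CTX_use_certificate_chain_file() reads PEM only (hence the dropped SSL_FILETYPE_PEM argument), expects the server certificate first followed by its issuer certificates in order, and works equally well when the file holds just a single certificate, so certs that need no intermediate are not affected by the change.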
This is incomplete in that I didn't bother trying to determine if
something similar is needed for SSLPlus builds, and haven't checked to
see if this change will work with certs that don't require an
intermediate certificate. It's a "works for me" kinda deal - I hope
it helps someone else in the future.
--
Pete Hanson

http://www.well.com/user/wolfy
http://www.fotolog.net/wolfy
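The failure this thread describes, reproduced with a throw-away test PKI as an added example (not code from the thread or from Qpopper): a client that trusts only the root rejects a server presenting just its leaf certificate, and accepts the same certificate once the intermediate is sent along, which is what the switch to SSL_CTX_use_certificate_chain_file() achieves. It assumes the openssl command-line tool (1.1.1 or 3.x); the CA names are constructed, and xxx.myhost.com is the placeholder from the thread.

```shell
# Added example, not code from the thread or from Qpopper. Builds a throw-away
# test PKI (root -> intermediate -> leaf for xxx.myhost.com) and checks the leaf
# the way a client that trusts only the root does, with and without the
# intermediate. Needs the openssl command-line tool, 1.1.1 or 3.x.

# Create root, intermediate and leaf certs in a fresh temp dir; print its path.
# Written as a subshell function so the cd does not leak into the caller.
make_test_pki() (
    d=$(mktemp -d) && cd "$d" || exit 1
    for n in root int leaf; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$n.key" 2>/dev/null || exit 1
    done
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:xxx.myhost.com\n' > leaf.ext
    # Self-signed root: the only certificate the simulated client trusts.
    openssl req -new -key root.key -subj "/CN=Test Root CA" -out root.csr 2>/dev/null || exit 1
    openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
        -out root.pem 2>/dev/null || exit 1
    # Intermediate CA signed by the root (the Thawte-style issuing CA).
    openssl req -new -key int.key -subj "/CN=Test Intermediate CA" -out int.csr 2>/dev/null || exit 1
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 30 \
        -extfile ca.ext -out int.pem 2>/dev/null || exit 1
    # Server (leaf) certificate issued by the intermediate.
    openssl req -new -key leaf.key -subj "/CN=xxx.myhost.com" -out leaf.csr 2>/dev/null || exit 1
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 30 \
        -extfile leaf.ext -out leaf.pem 2>/dev/null || exit 1
    # What tls-server-cert-file should hold for a chain-file load: the server
    # certificate first, then its issuer(s); the root itself is optional.
    cat leaf.pem int.pem > chain.pem
    echo "$d"
)

# Number of certificates in a PEM file.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }
# Subject of the first certificate in a PEM file; in a chain file this must be
# the server's own certificate, or the wrong one gets presented to clients.
first_subject() { openssl x509 -in "$1" -noout -subject; }
# Client holding only the root, server sending only the leaf: fails with
# "unable to get local issuer certificate" (what Mail.app reports as no root).
verify_leaf_only() { openssl verify -no-CApath -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1; }
# Same client once the server also sends the intermediate: succeeds.
verify_with_chain() { openssl verify -no-CApath -CAfile "$1/root.pem" -untrusted "$1/chain.pem" "$1/leaf.pem" >/dev/null 2>&1; }
# Live check: how many certificates a POP3S server on port 995 presents; 1 means
# only the leaf, i.e. the configuration the thread started with.
served_cert_count() {
    openssl s_client -connect "$1:995" -showcerts </dev/null 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}
```

Running `served_cert_count xxx.myhost.com` against the real server before and after the change shows whether the intermediate is now being sent.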