On Mon, Jan 11, 2010 at 05:49:09PM +0100, Dominique Marant wrote: Hi Dominique, sorry about the cryptic nature of that message. It isn't referring to the connection between the end-user (Thunderbird) and perdition, but rather the connection between perdition and the real-server. To be clear, perdition doesn't request client certificates. The message says that the certificate for the issuer of the server's certificate is not available locally and thus perdition can't verify the server's certificate. There are two options here: 1. Use ssl_no_cert_verify, which tells perdition not to try and verify the certificate's issuer. This is not a great option because it somewhat defeats the purpose of SSL. For example, it allows someone to do a man-in-the middle attack using a different certificate. This may or may not be of concern to you for connections from perdition to a real-server. 2. Give the issuers certificate to perdition. This can be achieved using the ssl_ca_file and/or ssl_ca_path options. On Debian systems a supply of Root CA certificates is provided by the ca-certificates package. For example the following works with my ISP's mail server's certificate. ssl_ca_file /usr/share/ca-certificates/mozilla/Thawte_Premium_Server_CA.crt Be aware that if you use the ssl_ca_path option you will need to run s_rehash . in the directory in order for openssl (and thus perdition) to be able to find certificates in the directory. This is described in minimal detail at the bottom of the SSL_CTX_load_verify_locations manpage.