Your test is wrong. You have not given openssl
any trusted CAs.
Your CApath
may vary, but you'll need to issue something like this:
openssl s_client -showcerts -connect smtp.domain.tld:465 -CApath /etc/ssl/certs
Edit:
I gather from your comment that you don't get it, so let's try this again without even bothering with smtp shall we? This will ensure that your mailserver at least trusts itself.
openssl verify -CAfile /etc/postfix/ssl/combo.csr.key /etc/postfix/ssl/smtp.server.com.PUBLIC.key
Also, because you don't redact well, I can tell you that your servers certs are fine as far as TLS is concered.
$ openssl s_client -connect smtp.pplsnet.com:465 -CApath /etc/ssl/certs/
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = MVOZF4NDnc-opzbqaWlvgmGVoNEC8Zrv, OU = GT40129440, OU = See www.rapidssl.com/resources/cps (c)12, OU = Domain Control Validated - RapidSSL(R), CN = smtp.pplsnet.com
verify return:1
---
Certificate chain
0 s:/serialNumber=MVOZF4NDnc-opzbqaWlvgmGVoNEC8Zrv/OU=GT40129440/OU=See www.rapidssl.com/resources/cps (c)12/OU=Domain Control Validated - RapidSSL(R)/CN=smtp.pplsnet.com
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
3 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFJjCCBA6gAwIBAgIDCBhiMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
HhcNMTIwOTA0MDQ0NTQ3WhcNMTMwODI2MDQwMTA1WjCBvzEpMCcGA1UEBRMgTVZP
WkY0TkRuYy1vcHpicWFXbHZnbUdWb05FQzhacnYxEzARBgNVBAsTCkdUNDAxMjk0
NDAxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29tL3Jlc291cmNlcy9jcHMg
KGMpMTIxLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZhbGlkYXRlZCAtIFJhcGlk
U1NMKFIpMRkwFwYDVQQDExBzbXRwLnBwbHNuZXQuY29tMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAuuC6WaNTpjs0iHxJ8sx9pdVd6MGaMs7WV8OXQrre
iiioGj/SrVEgnfT9j0OOZSIaFPrFySR029cbv2LUyXJoYrQXqHjqwpqoX4VFsBeq
3wDYi2jvxIge8a8RZPaHM7lUwrvPzGEraatu6z4KiVVu5jvzYsZYroaMifCh9GPw
mP2vrkzv4kkSOwwpKpVxhguIzR68RHOW2gT5aHBZr+JLUR3CJ78n0PIaUy0DrvMB
UTKYEwelwjcRA7PsEj42nGjNGAbQS6jLdkHwciKYZwNs9V2UHzk+avBmpuZHpdtk
3ErH/QnZkZflDSP+i2Xdlt56jVPJz2Fu2Kij9b6GuK+PawIDAQABo4IBqzCCAacw
HwYDVR0jBBgwFoAUa2k9ahhCSt2PAmU5/TUkhniRFjAwDgYDVR0PAQH/BAQDAgWg
MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAbBgNVHREEFDASghBzbXRw
LnBwbHNuZXQuY29tMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9yYXBpZHNzbC1j
cmwuZ2VvdHJ1c3QuY29tL2NybHMvcmFwaWRzc2wuY3JsMB0GA1UdDgQWBBRJ9LK+
luuNvnbqNYriz/oZLWfuojAMBgNVHRMBAf8EAjAAMHgGCCsGAQUFBwEBBGwwajAt
BggrBgEFBQcwAYYhaHR0cDovL3JhcGlkc3NsLW9jc3AuZ2VvdHJ1c3QuY29tMDkG
CCsGAQUFBzAChi1odHRwOi8vcmFwaWRzc2wtYWlhLmdlb3RydXN0LmNvbS9yYXBp
ZHNzbC5jcnQwTAYDVR0gBEUwQzBBBgpghkgBhvhFAQc2MDMwMQYIKwYBBQUHAgEW
JWh0dHA6Ly93d3cuZ2VvdHJ1c3QuY29tL3Jlc291cmNlcy9jcHMwDQYJKoZIhvcN
AQEFBQADggEBAHj6Yb4MbdFIjQe47EGXdfv4GMp/Ioq0/xdwVByMsDCOGmjz5ky3
LWfiZy4FLc8dvthw98xVRMDH1SoKKVjTWOc2amp9IlHcKhODiqQuQhMD2EvFR1gX
y/jGn665OgGJVpRAJWRPgXyhhySTGQLFcLlKTe1hYLFVwCmfnXM9n8M/Xkg2EyJ3
79p4n5+TIWYMC4HqggUiLfj56+QZFTEoJh06tObJhE7LauEpqfHO8iA7Tv/9+RF3
K/SBv0WgUhk70b0ZFpqXBR9f7ghLv0YObEj7qtTOgsZvcnil/2XIjAnPZQdITxfL
T9xEmirxPHk5gnbzN83fxbeGAnVv4YQsV8I=
-----END CERTIFICATE-----
subject=/serialNumber=MVOZF4NDnc-opzbqaWlvgmGVoNEC8Zrv/OU=GT40129440/OU=See www.rapidssl.com/resources/cps (c)12/OU=Domain Control Validated - RapidSSL(R)/CN=smtp.pplsnet.com
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 4879 bytes and written 409 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 02AC15DBA8798D4D93453CA5A3E4E5AB00EDBF94DD3A438E55E8C5BAECC5C4CE
Session-ID-ctx:
Master-Key: 1CB30B2974C794CDF8608F1D2819FBFA9C7DC6A4BE4F9F69B6369A5F05DDBB21F1830D952B7D72C6E747A764DBB1D2FE
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket:
0000 - 98 6f 77 64 69 04 ed 23-98 96 7a 10 38 45 1c 90 .owdi..#..z.8E..
0010 - 4a 37 c2 5c 9c 43 06 9d-d7 69 65 b1 07 d2 27 40 J7.\.C...ie...'@
0020 - 34 81 91 46 ce 0d d1 02-b0 e2 95 79 85 39 42 f8 4..F.......y.9B.
0030 - b5 e9 ac a0 fa d9 bf d0-25 0d f4 71 f5 1e ff 42 ........%..q...B
0040 - 44 1b 6f d0 87 27 46 78-05 ce ce 4d 4b 59 88 d9 D.o..'Fx...MKY..
0050 - e1 42 b2 43 40 2c 22 7b-ca 72 86 d1 e8 bd dd 3d .B.C@,"{.r.....=
0060 - e3 5b 8b fa a9 54 47 8c-91 e2 96 e6 a1 6b 17 ea .[...TG......k..
0070 - a1 1b fc 9f 49 8f 11 e8-fa b2 59 d6 2a 77 66 5b ....I.....Y.*wf[
0080 - 88 25 d7 12 e6 08 7d 64-d4 4d 60 cc ea f3 f9 d2 .%....}d.M`.....
0090 - 12 c6 b8 95 b0 66 21 e3-2d d2 2f e9 f1 96 cc 35 .....f!.-./....5
00a0 - a6 3a 7c 2f 8f 71 24 91-30 b5 fc 2f d0 e6 a1 f4 .:|/.q$.0../....
Compression: 1 (zlib compression)
Start Time: 1347395676
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
220 smtp.pplsnet.com
quit
221 2.0.0 Bye
closed