postfix-users May 2014 archive

Re: TLS issues (postfix says: UNTRUSTED but it is not)

From: Simon Effenberg <savar_at_nospam>
Date: Tue May 13 2014 - 12:04:19 GMT
To: "lists@rhsoft.net" <lists@rhsoft.net>

On Tue, May 13, 2014 at 01:12:07PM +0200, lists@rhsoft.net wrote:
> > I know that untrusted means that the identity has not been verified. But
> > it _should_ (that's why I'm confused). So DANE may be implemented in the
> > future but for now it should work already. So any other ideas?
>
> *who* is complaining?
>
> a) your server about the destination
> b) the destination
>
> in case of b) no way - there is nothing to verify
>
> in case of a) the CA of the destination is unknown
> below our configuration and the log while delivering to gmail
> /etc/pki/tls/certs/ca-bundle.crt is the recent Fedora CA-bundle
>
> smtp_use_tls = yes
> smtp_tls_fingerprint_digest = sha1
> smtp_tls_loglevel = 1
> smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
> smtp_tls_security_level = may
> smtp_tls_note_starttls_offer = yes
>
> Trusted TLS connection established to gmail-smtp-in.l.google.com[74.125.136.26]:25: TLSv1.2 with cipher
> ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

It's case a)... so my mailserver B is telling me:

May 13 13:58:10 mail postfix/smtp[12904]: Untrusted TLS connection
  established to my.mailserver.de[123.12.12.1]:25: TLSv1.2 with cipher
  AECDH-AES256-SHA (256/256 bits)

And like I said... it looks fine from the openssl command and from
Chromium if I use the certificate inside an Apache2, but postfix is
complaining and it is not telling me anything specific about what the issue is.
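An added example, not from the thread or from Postfix, that walks through the two log lines quoted above: it re-joins lines a mail client wrapped, parses the smtp TLS "connection established" line, and flags handshakes negotiated with an anonymous ADH-/AECDH- cipher suite, where the server sends no certificate at all, so no CA file can ever yield "Trusted". The regex, the `unwrap`, `classify` and `audit` helpers and the syslog prefix on the gmail sample line are this example's own assumptions.

```python
import re

# postfix/smtp logs one line per handshake:
#   "<Trust> TLS connection established to host[ip]:port: PROTO with cipher NAME (n/m bits)"
# The regex and its group names are this example's own, not anything from Postfix.
TLS_LINE = re.compile(
    r"(?:postfix/smtp\[\d+\]: )?(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection "
    r"established to (?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]:\d+: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \(\d+/\d+ bits\)"
)

def unwrap(lines):
    """Re-join log lines that a mail client wrapped: continuation lines are indented."""
    out = []
    for line in lines:
        if out and line[:1].isspace():
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip("\n"))
    return out

def classify(line):
    """Parse one unwrapped log line; returns None if it is not a TLS-established line."""
    m = TLS_LINE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    # OpenSSL names the unauthenticated suites ADH-*/AECDH-*: no server certificate is sent.
    ev["anonymous"] = ev["cipher"].startswith(("ADH-", "AECDH-"))
    if ev["anonymous"]:
        ev["finding"] = "anonymous key exchange: no certificate was presented, nothing to verify"
    elif ev["trust"] == "Untrusted":
        ev["finding"] = "certificate not verified against smtp_tls_CAfile/smtp_tls_CApath"
    else:
        ev["finding"] = "ok"
    return ev

def audit(lines):
    """Events needing attention: anonymous suites or anything below Trusted/Verified."""
    return [e for e in map(classify, unwrap(lines))
            if e and (e["anonymous"] or e["trust"] not in ("Trusted", "Verified"))]

# Constructed sample: the log lines quoted in the thread, wrapped as they appear in the mail.
SAMPLE = [
    "May 13 13:58:10 mail postfix/smtp[12904]: Untrusted TLS connection",
    "  established to my.mailserver.de[123.12.12.1]:25: TLSv1.2 with cipher",
    "  AECDH-AES256-SHA (256/256 bits)",
    "May 13 13:59:01 mail postfix/smtp[12905]: Trusted TLS connection established to gmail-smtp-in.l.google.com[74.125.136.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)",
]
```

Running `audit(SAMPLE)` reports only the my.mailserver.de handshake, with the anonymous-cipher finding rather than a CA problem.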