On Wednesday 19 November 2008 13:23:39 Noel Jones wrote:
> Mark Watts wrote:
> > I'm in the process of setting up TLS on a number of servers.
> > I have two servers, both running Postfix, one an smtp client and the
> > other an smtpd server, using a self-signed SSL certificate.
> >
> > Sending messages, I get the following in the log on the sender:
> >
> > Nov 19 10:05:01 mailr postfix/smtp[22688]: setting up TLS connection to
> > mail.linux-corner.info
> > Nov 19 16:05:01 mailr postfix/smtp[22688]: TLS connection established to
> > mail.linux-corner.info: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
>
> When receiving mail, a client certificate is not requested.
> As a result, the connection is considered "Anonymous".
> You can control this with smtpd_tls_ask_ccert, but some mail
> clients have trouble when this is set to "yes", so the
> sensible default is "no".
> http://www.postfix.org/postconf.5.html#smtpd_tls_ask_ccert
>
> > However, the same server sending to another TLS-enabled server (I believe
> > it's qmail), I get this:
> >
> > Nov 19 10:09:09 mailr postfix/smtp[25134]: setting up TLS connection to
> > burn.qinetiq.com
> > Nov 19 10:09:09 mailr postfix/smtp[25134]: certificate verification failed
> > for burn.qinetiq.com: num=18:self signed certificate
> > Nov 19 10:09:09 mailr postfix/smtp[25134]: Unverified:
> > subject_CN=burn.qinetiq.com, issuer=burn.qinetiq.com
> > Nov 19 10:09:09 mailr postfix/smtp[25113]: TLS connection established to
> > burn.qinetiq.com: TLSv1 with cipher AES256-SHA (256/256 bits)
>
> When sending mail, the server certificate is always received
> and verified. There are various smtp_tls_* options that allow
> you to control what happens next; the sensible default
> behavior is to ignore verification errors and continue.
> http://www.postfix.org/TLS_README.html
>
> > Why do I not get any verification messages from the remote postfix
> > server, yet I do with the remote (qmail) one, when both are using
> > self-signed certificates?
> >
> > Mark.
>
> Virtually all MTA to MTA smtp tls is opportunistic encryption
> - it's nice but not required. In this context, it doesn't
> matter if the certificate is verified since you are willing to
> accept unencrypted connections from the same client.
>
> If you're establishing a secure channel between sites with
> encryption and verification required, there are options
> discussed in the TLS_README to allow this.
OK, I understand this, but in my example both connections were from the same
server to remote servers with self-signed certificates. I would have expected to
see the same verification (failures in this case) log entries for both
connections, but I don't.

Mark.

-- 
Mark Watts BSc RHCE MBCS
Senior Systems Engineer
QinetiQ Applied Technologies
GPG Key: http://www.linux-corner.info/mwatts.gpg
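Added example, not part of the thread and not Postfix's own code: a small Python checker over the client-side log lines Mark posted. It tells the two cases apart by the cipher-suite name in the "TLS connection established" line. ADH-AES256-SHA is an anonymous Diffie-Hellman suite, in which the server sends no certificate at all, so the client has nothing to verify and logs no verification message; AES256-SHA is an RSA-authenticated suite, so a certificate was presented and, being self-signed, failed verification. The regexes are written against the log format shown in the thread; the AECDH- prefix (OpenSSL's name for anonymous ECDH suites) and the must_verify policy set are assumptions added for illustration.

```python
import re

# Constructed sample input: the six client-side log lines quoted in the thread,
# one per line (the list archive ran them together). Copied as posted,
# including the 16:05:01 timestamp on the second line.
SAMPLE_LOG = """\
Nov 19 10:05:01 mailr postfix/smtp[22688]: setting up TLS connection to mail.linux-corner.info
Nov 19 16:05:01 mailr postfix/smtp[22688]: TLS connection established to mail.linux-corner.info: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Nov 19 10:09:09 mailr postfix/smtp[25134]: setting up TLS connection to burn.qinetiq.com
Nov 19 10:09:09 mailr postfix/smtp[25134]: certificate verification failed for burn.qinetiq.com: num=18:self signed certificate
Nov 19 10:09:09 mailr postfix/smtp[25134]: Unverified: subject_CN=burn.qinetiq.com, issuer=burn.qinetiq.com
Nov 19 10:09:09 mailr postfix/smtp[25113]: TLS connection established to burn.qinetiq.com: TLSv1 with cipher AES256-SHA (256/256 bits)
"""

# Patterns for the two smtp(8) client log lines that matter here, written to
# match the format shown in the thread.
ESTABLISHED = re.compile(
    r"postfix/smtp\[\d+\]: TLS connection established to (?P<host>[^:\s]+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>[\d/]+) bits\)"
)
VERIFY_FAILED = re.compile(
    r"postfix/smtp\[\d+\]: certificate verification failed for "
    r"(?P<host>[^:\s]+): (?P<reason>.+)$"
)

# OpenSSL names anonymous key-exchange suites with these prefixes. With such a
# suite the server sends no certificate, so the client has nothing to verify.
# (AECDH- is assumed here; the thread only shows an ADH- suite.)
ANON_PREFIXES = ("ADH-", "AECDH-")


def key_exchange(cipher):
    """'anonymous' for certificate-less suites, 'authenticated' otherwise."""
    return "anonymous" if cipher.startswith(ANON_PREFIXES) else "authenticated"


def audit(log_text):
    """Summarise every outbound TLS session found in log_text.

    Verification failures are correlated with the later 'established' line by
    destination host rather than by pid, because (as in the thread) the two
    can be logged under different smtp(8) process ids.
    """
    pending_errors = {}   # host -> reasons logged before 'established'
    sessions = []
    for line in log_text.splitlines():
        m = VERIFY_FAILED.search(line)
        if m:
            pending_errors.setdefault(m.group("host"), []).append(m.group("reason"))
            continue
        m = ESTABLISHED.search(line)
        if not m:
            continue
        host, cipher = m.group("host"), m.group("cipher")
        kx = key_exchange(cipher)
        errors = pending_errors.pop(host, [])
        if kx == "anonymous":
            verdict = "encrypted; no certificate presented, nothing verified"
        elif errors:
            verdict = "encrypted; certificate presented but NOT verified (" + "; ".join(errors) + ")"
        else:
            verdict = "encrypted; certificate presented, no verification error logged"
        sessions.append({
            "host": host,
            "proto": m.group("proto"),
            "cipher": cipher,
            "key_exchange": kx,
            "verify_errors": errors,
            "verdict": verdict,
        })
    return sessions


def policy_violations(sessions, must_verify):
    """Hosts in must_verify (an assumed local policy set) that were reached
    either anonymously or with an unverified certificate. Under an
    opportunistic setup both cases are silently accepted, which is exactly
    what this check is meant to surface."""
    return [s["host"] for s in sessions
            if s["host"] in must_verify
            and (s["key_exchange"] == "anonymous" or s["verify_errors"])]


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for s in results:
        print(f"{s['host']}: {s['cipher']} ({s['key_exchange']}) -> {s['verdict']}")
    # Assumed policy: a verified certificate is required for burn.qinetiq.com.
    print("policy violations:", policy_violations(results, {"burn.qinetiq.com"}))
```

Under the default opportunistic setting (smtp_tls_security_level = may) Postfix accepts both outcomes and delivers anyway, which is the behaviour the thread describes. For a peer whose identity matters, give it a mandatory level (verify or secure) in smtp_tls_policy_maps and supply its CA via smtp_tls_CAfile; at those levels Postfix disables anonymous cipher suites and defers delivery on a verification failure instead of logging it and carrying on.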