On Wednesday 19 November 2008 14:00:29 Wietse Venema wrote:
> Mark Watts:
> > I think my original question still stands; why do connections to
> > one server not generate verification messages, while connections
> > to a third server do. Both remote servers have self-signed ssl
> > certificates.
>
> Presumably, those certificates are signed with different keys. I
> run tests with self-signed certificates and never see complaints,
> because the clients know the signing key.
The client (the sending Postfix server) in this case does not know about *any* signing keys used by the remote servers for their SSL certificates.

My understanding is that the verification failure messages are akin to those you would see browsing to an https:// website using a self-signed certificate?

If so, I know for a fact that the remote server which does not generate verification messages is using a self-signed certificate, because I created it (and the self-signed CA to go with it).

Now is this the issue: that if the server certificate is signed by a CA (regardless of whether that CA is itself self-signed or not), it does not trigger verification failure messages?

Mark.

-- 
Mark Watts BSc RHCE MBCS
Senior Systems Engineer
QinetiQ Applied Technologies
GPG Key: http://www.linux-corner.info/mwatts.gpg
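The distinction the thread turns on, as an added example that is not part of the original messages and not the poster's setup: a server certificate issued by a private CA (whose own certificate is self-signed) versus a server certificate that signs itself outright, each checked with `openssl verify` against different trust stores. The script assumes the openssl command-line tool is installed; the host names and CA name are made up. Postfix's SMTP client consults the trust store named by smtp_tls_CAfile or smtp_tls_CApath for the same decision.

```shell
#!/bin/sh
# Added example for this thread (not Postfix code, not the poster's setup).
# Builds, in a scratch directory, a private CA, one server certificate
# signed by that CA, and one bare self-signed server certificate, then
# checks each with `openssl verify` against a chosen trust store.
# Assumes the openssl CLI is installed; host names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A private CA. Its own certificate is self-signed; that is what makes it
# a "self-signed CA". Clients trust it by having ca.pem in their CA file.
gen_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Private CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Server certificate for mx1 whose issuer is the private CA above.
gen_ca_signed_leaf() {
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=mx1.example.test" \
        -keyout "$WORK/mx1.key" -out "$WORK/mx1.csr" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$WORK/mx1.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/mx1.pem" >/dev/null 2>&1
}

# Server certificate for mx2 that signs itself: issuer equals subject and
# no CA is involved at all.
gen_self_signed_leaf() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=mx2.example.test" \
        -keyout "$WORK/mx2.key" -out "$WORK/mx2.pem" >/dev/null 2>&1
}

# verify_against <trust store file> <certificate>
# Exit status 0 when the chain verifies, 1 otherwise. Prints one line
# with the result and, on failure, OpenSSL's own reason (for example
# "self signed certificate"; the exact wording varies by OpenSSL version).
verify_against() {
    store=$1; cert=$2
    if out=$(openssl verify -CAfile "$store" "$cert" 2>&1); then
        echo "OK    $(basename "$cert") against $(basename "$store")"
        return 0
    fi
    reason=$(printf '%s\n' "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p')
    echo "FAIL  $(basename "$cert") against $(basename "$store"): ${reason:-verification failed}"
    return 1
}

gen_ca
gen_ca_signed_leaf
gen_self_signed_leaf

# Trust store containing only the private CA (what a Postfix client would
# point smtp_tls_CAfile at).
verify_against "$WORK/ca.pem" "$WORK/mx1.pem" || true   # OK: issuer is in the store
verify_against "$WORK/ca.pem" "$WORK/mx2.pem" || true   # FAIL: self-signed, issuer unknown to the store

# The self-signed certificate verifies only when it is itself in the store.
verify_against "$WORK/mx2.pem" "$WORK/mx2.pem" || true  # OK
```

The point of the three checks: the verifier never asks whether the root of the chain is self-signed (every trust anchor is), only whether the certificate that signed the presented one is present in the configured store. A leaf issued by a private CA verifies once that CA's certificate is in the store; a leaf that signs itself verifies only if that very certificate is in the store.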