On Wed, Nov 19, 2008 at 07:23:39AM -0600, Noel Jones wrote:
> Mark Watts wrote:
> >I'm in the process of setting up TLS on a number of servers.
> >I have two servers, both running Postfix, one an smtp client and the other
> >an smtpd server, using a self-signed SSL certificate.
> >
> >Sending messages, I get the following in the log on the sender:
> >
> >Nov 19 10:05:01 mailr postfix/smtp[22688]: setting up TLS connection to
> >mail.linux-corner.info
> >Nov 19 16:05:01 mailr postfix/smtp[22688]: TLS connection established to
> >mail.linux-corner.info: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
> >
>
> When receiving mail, a client certificate is not requested.
> As a result, the connection is considered "Anonymous".
> You can control this with smtpd_tls_ask_ccert, but some mail
> clients have trouble when this is set to "yes", so the
> sensible default is "no".
> http://www.postfix.org/postconf.5.html#smtpd_tls_ask_ccert

This is wrong. The Postfix server in the above case supports anonymous
ciphers, so a certificate-less cipher (ADH-AES256-SHA) is negotiated.

> >However, the same server sending to another TLS-enabled server (I believe
> >it's qmail), I get this:
> >
> >Nov 19 10:09:09 mailr postfix/smtp[25134]: setting up TLS connection to
> >burn.qinetiq.com
> >Nov 19 10:09:09 mailr postfix/smtp[25134]: certificate verification failed
> >for burn.qinetiq.com: num=18:self signed certificate
> >Nov 19 10:09:09 mailr postfix/smtp[25134]: Unverified:
> >subject_CN=burn.qinetiq.com, issuer=burn.qinetiq.com
> >Nov 19 10:09:09 mailr postfix/smtp[25113]: TLS connection established to
> >burn.qinetiq.com: TLSv1 with cipher AES256-SHA (256/256 bits)
> >
>
> When sending mail, the server certificate is always received
> and verified. There are various smtp_tls_* options that allow
> you to control what happens next; the sensible default
> behavior is to ignore verification errors and continue.
> http://www.postfix.org/TLS_README.html

This has nothing to do with client certs: the server does not support
anon ciphers, so AES256-SHA is used, which uses RSA certs, and the
warning is issued.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
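The distinction Viktor draws (an anonymous ADH suite means no certificate was presented at all, whereas a "certificate verification failed" line means a certificate was presented but could not be verified) can be checked directly from the Postfix smtp client log. The following is an added example, not code from the thread or from Postfix: it classifies each "TLS connection established" line by the OpenSSL cipher name (ADH-/AECDH- prefixes denote anonymous key exchange) and pairs it with any preceding verification failure for the same destination. The sample log lines are the ones quoted above; the regular expressions are written against that 2008-era log format and are my own.

```python
import re

# Sample input: the log lines quoted in the thread above, pasted verbatim.
SAMPLE_LOG = """\
Nov 19 10:05:01 mailr postfix/smtp[22688]: setting up TLS connection to mail.linux-corner.info
Nov 19 16:05:01 mailr postfix/smtp[22688]: TLS connection established to mail.linux-corner.info: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Nov 19 10:09:09 mailr postfix/smtp[25134]: setting up TLS connection to burn.qinetiq.com
Nov 19 10:09:09 mailr postfix/smtp[25134]: certificate verification failed for burn.qinetiq.com: num=18:self signed certificate
Nov 19 10:09:09 mailr postfix/smtp[25134]: Unverified: subject_CN=burn.qinetiq.com, issuer=burn.qinetiq.com
Nov 19 10:09:09 mailr postfix/smtp[25113]: TLS connection established to burn.qinetiq.com: TLSv1 with cipher AES256-SHA (256/256 bits)
"""

# Patterns for the two log lines of interest (written for the log format shown in the thread).
ESTABLISHED = re.compile(
    r"postfix/smtp\[\d+\]: TLS connection established to (?P<host>\S+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)
VERIFY_FAILED = re.compile(
    r"postfix/smtp\[\d+\]: certificate verification failed for (?P<host>\S+): (?P<reason>.*)"
)

# OpenSSL names suites with anonymous (certificate-less) key exchange with these prefixes.
ANON_PREFIXES = ("ADH-", "AECDH-")

def classify_tls(log_text):
    """Map destination host -> details of the last established TLS session to it.

    'auth' is "anonymous" when the cipher used anonymous DH/ECDH (the peer sent no
    certificate, so there was nothing to verify) and "certificate" otherwise;
    'verify_error' carries the reason from a preceding verification failure, if any.
    """
    failures = {}   # host -> most recent verification failure reason
    sessions = {}   # host -> session details
    for line in log_text.splitlines():
        m = VERIFY_FAILED.search(line)
        if m:
            failures[m["host"]] = m["reason"].strip()
            continue
        m = ESTABLISHED.search(line)
        if not m:
            continue
        cipher = m["cipher"]
        sessions[m["host"]] = {
            "proto": m["proto"],
            "cipher": cipher,
            "auth": "anonymous" if cipher.startswith(ANON_PREFIXES) else "certificate",
            "verify_error": failures.get(m["host"]),
        }
    return sessions

if __name__ == "__main__":
    for host, info in classify_tls(SAMPLE_LOG).items():
        print(f"{host}: {info['auth']} key exchange, cipher {info['cipher']}, "
              f"verification: {info['verify_error'] or 'no failure logged'}")
```

A "certificate" result with no logged failure only means the client did not report a problem; under the default smtp_tls_* settings described above, delivery proceeds either way, so this classification is for monitoring, not enforcement.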