On Wed, Nov 19, 2008 at 12:50:40PM -0600, Larry Stone wrote:
> On Wed, 19 Nov 2008, Mark Watts wrote:
>
> > The server I'm in control of is signed by a CA. (This server does not give
> > any verification failure messages)
> > I don't know about the other server.
>
> I'm getting confused as to which server is which but I'm sensing that you
> think self-signed means automatically untrusted. While I don't claim to be
> any sort of certificate expert, [...]
The OP's question has been resolved.

When connecting to the Postfix server, the client negotiates a certificate-less cipher-suite (ADH-AES256-SHA):

    ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1

As there is no server certificate, there are no warnings about an untrusted server certificate.

When connecting to the Qmail server, which does not support ADH (aka aNULL) ciphers, the client negotiates AES256-SHA:

    AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1

(which does not even do ephemeral DH key exchange, so perhaps Qmail is not configured with DH parameters, or has a non-default SSL cipherlist). With this cipher-suite there is a certificate, and Postfix logs the verification failure.

-- 
	Viktor.

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the "Reply-To" header.

If my response solves your problem, the best way to thank me is to not send an "it worked, thanks" follow-up. If you must respond, please put "It worked, thanks" in the "Subject" so I can delete these quickly.
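The cipher-suite selection Viktor describes, worked through as an added example (not code from the thread, Postfix or OpenSSL): it parses lines in the `openssl ciphers -v` format quoted above, flags suites with `Au=None` (no certificate sent, so nothing to verify) and suites with `Kx=RSA` (no ephemeral key exchange), and simulates which suite a handshake would agree on given the client's offered list and what each server supports. The client list and the two server lists are constructed to mirror the thread (a Postfix server that accepts aNULL suites, a Qmail server that offers only AES256-SHA); the names `Suite`, `parse_cipher_list`, `negotiate` and `verification_outcome` are this example's own, and treating `Kx=DH` as ephemeral DH follows the 0.9.8-era OpenSSL output format shown in the message.

```python
"""Classify OpenSSL 'ciphers -v' lines and simulate TLS suite selection.

Added example, not Postfix or OpenSSL code. Sample data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One line of `openssl ciphers -v` output, e.g.
# "ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1"
CIPHER_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


@dataclass(frozen=True)
class Suite:
    name: str
    proto: str
    kx: str
    au: str
    enc: str
    mac: str

    @property
    def anonymous(self) -> bool:
        # Au=None: the server sends no certificate, so there is nothing for
        # the client to verify and no "untrusted certificate" warning can occur.
        return self.au == "None"

    @property
    def forward_secrecy(self) -> bool:
        # Kx=RSA encrypts the premaster secret to the server's long-term key.
        # Assumption: in this (0.9.8-era) output format Kx=DH / Kx=ECDH mark
        # the ephemeral DHE / ECDHE suites.
        return self.kx.split("(")[0] in ("DH", "ECDH")


def parse_cipher_list(text: str) -> List[Suite]:
    """Parse `openssl ciphers -v` output into Suite records, in list order."""
    suites: List[Suite] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CIPHER_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised cipher line: {line!r}")
        suites.append(Suite(**m.groupdict()))
    return suites


def negotiate(client: List[Suite], server: List[Suite],
              server_preference: bool = False) -> Optional[Suite]:
    """Return the suite a handshake would agree on, or None.

    The client offers its list in preference order. By default an OpenSSL
    server picks the first client-offered suite it also supports; with
    SSL_OP_CIPHER_SERVER_PREFERENCE it walks its own list instead.
    """
    client_names = {s.name for s in client}
    server_names = {s.name for s in server}
    ordered, other = (server, client_names) if server_preference else (client, server_names)
    for suite in ordered:
        if suite.name in other:
            return suite
    return None


def verification_outcome(suite: Optional[Suite]) -> str:
    """Explain what the client will (not) log about the server certificate."""
    if suite is None:
        return "handshake fails: no common cipher suite"
    if suite.anonymous:
        return f"{suite.name}: no certificate presented, no verification failure can be logged"
    pfs = "ephemeral" if suite.forward_secrecy else "non-ephemeral"
    return f"{suite.name}: certificate presented ({pfs} Kx={suite.kx}), verification result is logged"


# Constructed client list, modelled on a Postfix SMTP client that offers aNULL suites.
CLIENT_CIPHERS = parse_cipher_list("""
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
""")

# Constructed server lists: the Postfix server accepts everything the client
# offers; the Qmail server has no aNULL suites and no DH parameters.
POSTFIX_CIPHERS = list(CLIENT_CIPHERS)
QMAIL_CIPHERS = [s for s in CLIENT_CIPHERS if not s.anonymous and s.kx == "RSA"]


if __name__ == "__main__":
    for label, server in (("postfix", POSTFIX_CIPHERS), ("qmail", QMAIL_CIPHERS)):
        print(label, "->", verification_outcome(negotiate(CLIENT_CIPHERS, server)))
```

Running it reproduces the thread: against the Postfix server the anonymous `ADH-AES256-SHA` wins and no certificate is ever checked; against the Qmail server only `AES256-SHA` is common, a certificate is sent, and the verification result gets logged. Excluding `aNULL` on the client side (Postfix's `smtp_tls_exclude_ciphers`) would make the first case behave like the second.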