On Wednesday 19 November 2008 16:29:09 Victor Duchovni wrote:
> On Wed, Nov 19, 2008 at 07:23:39AM -0600, Noel Jones wrote:
> > Mark Watts wrote:
> > > I'm in the process of setting up TLS on a number of servers.
> > > I have two servers, both running Postfix, one an smtp client and the
> > > other an smtpd server, using a self-signed SSL certificate.
> > >
> > > Sending messages, I get the following in the log on the sender:
> > >
> > > Nov 19 10:05:01 mailr postfix/smtp[22688]: setting up TLS connection to
> > > mail.linux-corner.info
> > > Nov 19 16:05:01 mailr postfix/smtp[22688]: TLS connection established to
> > > mail.linux-corner.info: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
> >
> > When receiving mail, a client certificate is not requested.
> > As a result, the connection is considered "Anonymous".
> > You can control this with smtpd_tls_ask_ccert, but some mail
> > clients have trouble when this is set to "yes", so the
> > sensible default is "no".
> > http://www.postfix.org/postconf.5.html#smtpd_tls_ask_ccert
>
> This is wrong. The Postfix server in the above case supports anonymous
> ciphers, so a certificate-less cipher (ADH-AES256-SHA) is negotiated.
>
> > > However, the same server sending to another TLS-enabled server (I
> > > believe it's qmail), I get this:
> > >
> > > Nov 19 10:09:09 mailr postfix/smtp[25134]: setting up TLS connection to
> > > burn.qinetiq.com
> > > Nov 19 10:09:09 mailr postfix/smtp[25134]: certificate verification
> > > failed for burn.qinetiq.com: num=18:self signed certificate
> > > Nov 19 10:09:09 mailr postfix/smtp[25134]: Unverified:
> > > subject_CN=burn.qinetiq.com, issuer=burn.qinetiq.com
> > > Nov 19 10:09:09 mailr postfix/smtp[25113]: TLS connection established to
> > > burn.qinetiq.com: TLSv1 with cipher AES256-SHA (256/256 bits)
> >
> > When sending mail, the server certificate is always received
> > and verified. There are various smtp_tls_* options that allow
> > you to control what happens next; the sensible default
> > behavior is to ignore verification errors and continue.
> > http://www.postfix.org/TLS_README.html
>
> This has nothing to do with client certs, the server does not support
> anon ciphers, so AES256-SHA is used, which uses RSA certs, and the
> warning is issued.

I did wonder what the difference between ADH-AES256-SHA and AES256-SHA was. Both still result in an encrypted connection though, right?

Mark.

-- 
Mark Watts BSc RHCE MBCS
Senior Systems Engineer
QinetiQ Applied Technologies
GPG Key: http://www.linux-corner.info/mwatts.gpg
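The distinction the thread turns on is that both cipher suites encrypt the session equally well, but only one of them involves a certificate: ADH (anonymous Diffie-Hellman) exchanges no certificate at all, so there is nothing to verify, while AES256-SHA uses RSA key exchange with the server's certificate, which Postfix then reports as "Unverified" because it is self-signed. Neither connection in Mark's logs authenticates the peer. The following Python is an added example, not code from the thread or from Postfix; it reads sender-side `postfix/smtp` log lines and grades each established TLS connection by peer authentication rather than by encryption. The sample input is the two log excerpts quoted above plus one constructed third destination (`mx.example.net`, with a constructed "Verified:" line) so that the trusted outcome also appears; the regexes and the use of the logged `subject_CN` as a host key are assumptions of this example, not Postfix internals.

```python
"""Grade Postfix smtp TLS log lines by how far the peer was actually authenticated."""
import re
from collections import Counter

# Sample input: the two sender-side excerpts quoted in the thread, plus a
# constructed third destination whose certificate chains to a trusted CA.
SAMPLE_LOG = """\
Nov 19 10:05:01 mailr postfix/smtp[22688]: setting up TLS connection to mail.linux-corner.info
Nov 19 16:05:01 mailr postfix/smtp[22688]: TLS connection established to mail.linux-corner.info: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Nov 19 10:09:09 mailr postfix/smtp[25134]: setting up TLS connection to burn.qinetiq.com
Nov 19 10:09:09 mailr postfix/smtp[25134]: certificate verification failed for burn.qinetiq.com: num=18:self signed certificate
Nov 19 10:09:09 mailr postfix/smtp[25134]: Unverified: subject_CN=burn.qinetiq.com, issuer=burn.qinetiq.com
Nov 19 10:09:09 mailr postfix/smtp[25113]: TLS connection established to burn.qinetiq.com: TLSv1 with cipher AES256-SHA (256/256 bits)
Nov 19 10:12:42 mailr postfix/smtp[25201]: setting up TLS connection to mx.example.net
Nov 19 10:12:42 mailr postfix/smtp[25201]: Verified: subject_CN=mx.example.net, issuer=Example CA
Nov 19 10:12:42 mailr postfix/smtp[25201]: TLS connection established to mx.example.net: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
"""

# Patterns written for the log shapes shown above (assumption: other Postfix
# versions may word these lines differently).
ESTABLISHED = re.compile(
    r"TLS connection established to ([^\s:]+): (\S+) with cipher (\S+) \((\d+)/(\d+) bits\)")
VERIFY_FAILED = re.compile(r"certificate verification failed for ([^\s:]+):")
UNVERIFIED = re.compile(r"Unverified: subject_CN=([^,\s]+)")
VERIFIED = re.compile(r"\bVerified: subject_CN=([^,\s]+)")

# Cipher suites whose key exchange involves no certificate at all.
ANON_PREFIXES = ("ADH-", "AECDH-")


def authentication_level(cipher, host, failed, verified):
    """Encryption strength is identical across cases; this grades peer authentication only."""
    if cipher.startswith(ANON_PREFIXES):
        return "anonymous"   # no certificate exchanged, so nothing could be verified
    if host in failed:
        return "untrusted"   # certificate presented but not verifiable (e.g. self-signed)
    if host in verified:
        return "trusted"     # certificate chained to a CA the client trusts
    return "unknown"         # no verification line seen for this host


def classify_tls_log(lines):
    """Return {destination host: connection summary} for each established TLS session."""
    failed, verified = set(), set()
    # First pass: collect verification outcomes. The subject_CN is treated as the
    # host key here (assumption); production code would correlate by process id.
    for line in lines:
        for pattern, bucket in ((VERIFY_FAILED, failed), (UNVERIFIED, failed), (VERIFIED, verified)):
            m = pattern.search(line)
            if m:
                bucket.add(m.group(1))
    # Second pass: grade each established connection.
    results = {}
    for line in lines:
        m = ESTABLISHED.search(line)
        if not m:
            continue
        host, proto, cipher, bits, _ = m.groups()
        results[host] = {
            "protocol": proto,
            "cipher": cipher,
            "bits": int(bits),
            "encrypted": True,  # every established TLS session is encrypted
            "level": authentication_level(cipher, host, failed, verified),
        }
    return results


def level_counts(results):
    """Count connections per authentication level, for a quick fleet-wide view."""
    return Counter(r["level"] for r in results.values())


if __name__ == "__main__":
    summary = classify_tls_log(SAMPLE_LOG.splitlines())
    for host, info in summary.items():
        print(f"{host:25} {info['cipher']:22} encrypted={info['encrypted']} peer={info['level']}")
    print(dict(level_counts(summary)))
```

Run against the sample, the two hosts from the thread both come out encrypted but with peer authentication "anonymous" and "untrusted" respectively; only the constructed third host is "trusted". On the sending side, the smtp_tls_* options referred to above (documented in the TLS_README the thread links) are what decide whether an "untrusted" result is tolerated or makes delivery fail.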