On Mon, Dec 09, 2024 at 12:03:02PM +0100, Tobi via Postfix-users wrote:

> > Is that preventing mail delivery, or just noise in the logs?
>
> Not just noise. It prevents our delivery and finally we bounce back to
> sender with "expired".

SMTP defaults to unauthenticated TLS. What settings, if any, on your end
cause your Postfix to care about the presented certificate (chain)?

> Thanks for the hint with posttls-finger. Using that I can see that the
> certificate gets validated properly. Chroot issues with trust-anchors?
>
> openssl verify -show_chain -untrusted <(posttls-finger -cC -lverify -Lsummary "leha-ch.mail.protection.outlook.com" 2>/dev/null)

You're neglecting to call "verify" with an "-untrusted" argument to
augment the chain with required intermediate certificates. Did someone
improve "verify" at some point to load additional certs from the provided
file?

> depth=0: C = US, ST = Washington, L = Redmond, O = Microsoft
> Corporation, CN = mail.protection.outlook.com (untrusted)
> depth=1: C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
> (untrusted)
> depth=2: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
> Global Root CA
>
> Does this mean that postfix does not use SNI and therefore gets the
> default cert which also openssl confirms that it cannot be validated?

Postfix does not by default use SNI, unless DANE is enabled, but it does
not seem to matter in this case.

-- 
    Viktor.
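An added example, not part of the thread, that reproduces the three situations discussed above with a constructed root / intermediate / leaf chain: the leaf checked against the root alone, the leaf checked with the server-sent chain offered via -untrusted, and a verify run with no trust anchors at all (what a chroot with no usable CA bundle looks like). All names, the mx.example.test host and the temporary directory are constructed; it needs openssl 1.1.0 or later.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): throwaway root -> intermediate -> leaf
# chain, then "openssl verify" with and without -untrusted / trust anchors.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed names; nothing here is a real CA or mail host.
mk_key_csr() {  # $1 = file basename, $2 = subject CN
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$1.key" \
    -out "$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:mx.example.test\n' > leaf.ext

mk_key_csr root "Example Test Root"
openssl x509 -req -in root.csr -signkey root.key -days 1 -sha256 \
  -extfile ca.ext -out root.crt >/dev/null 2>&1
mk_key_csr int "Example Test Intermediate"
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1 -sha256 -extfile ca.ext -out int.crt >/dev/null 2>&1
mk_key_csr leaf "mx.example.test"
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -days 1 -sha256 -extfile leaf.ext -out leaf.crt >/dev/null 2>&1
# What a "posttls-finger -cC" run captures: the leaf plus the chain the server sent.
cat leaf.crt int.crt > sent_chain.pem

# Leaf against the root only: the issuing intermediate is unknown, so this
# fails with "unable to get local issuer certificate".
verify_leaf_alone() {
  openssl verify -no-CApath -CAfile root.crt leaf.crt >/dev/null 2>&1
}
# The server-sent chain is offered as untrusted material; the leaf now links
# to the trusted root and verification succeeds.
verify_with_untrusted() {
  openssl verify -no-CApath -CAfile root.crt -untrusted sent_chain.pem leaf.crt >/dev/null 2>&1
}
# No trust anchors at all (empty or missing CA bundle, e.g. inside a chroot):
# the full chain is present but nothing in it is trusted, so this fails too.
verify_without_anchor() {
  openssl verify -no-CAfile -no-CApath -untrusted sent_chain.pem leaf.crt >/dev/null 2>&1
}
# Print the chain as built, one line per depth, as -show_chain does in the thread.
show_chain() {
  openssl verify -show_chain -no-CApath -CAfile root.crt -untrusted sent_chain.pem leaf.crt
}
show_chain
```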