Hi Viktor, I think you pushed me onto the right path :-)
On Mon, 2024-12-09 at 22:51 +1100, Viktor Dukhovni via Postfix-users wrote:
> On Mon, Dec 09, 2024 at 12:03:02PM +0100, Tobi via Postfix-users wrote:
>
> > > Is that preventing mail delivery, or just noise in the logs?
> >
> > not just noise. It prevents our delivery and finally we bounce back to
> > sender with "expired"
>
> SMTP defaults to unauthenticated TLS. What settings, if any, on your
> end cause your Postfix to care about the presented certificate (chain)?
>

yes, we're using "smtp_tls_security_level = dane" and the recipient domain is dnssec secured **but** has no TLSA records, so I would assume that postfix falls back to "may" as described in the manpage:

> Otherwise, when no TLSA records are published, the Postfix SMTP client behavior is the same as with may.

> > Thanks for the hint with posttls-finger. Using that I can see that the
> > certificate gets validated properly.
>
> Chroot issues with trust-anchors?
>

that is well possible as this postfix runs chrooted. Will check if all necessary files are present. But I still do not get why postfix should insist on verifying the cert if the domain does not use TLSA records at all.

> > > openssl verify -show_chain -untrusted <(posttls-finger -cC -lverify
> > > -Lsummary "leha-ch.mail.protection.outlook.com" 2>/dev/null)
>
> You're neglecting to call "verify" with an "-untrusted" argument to
> augment the chain with required intermediate certificates. Did someone
> improve "verify" at some point to load additional certs from the
> provided file.
>

öhm, I did call it with -untrusted, no? ;-) If I leave out -untrusted I get a verification error

> > depth=0: C = US, ST = Washington, L = Redmond, O = Microsoft
> > Corporation, CN = mail.protection.outlook.com (untrusted)
> > depth=1: C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
> > (untrusted)
> > depth=2: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
> > Global Root CA
> >
> > does this mean that postfix does not use SNI and therefore gets the
> > default cert, which openssl also confirms cannot be validated?
>
> Postfix does not by default use SNI, unless DANE is enabled, but
> it does not seem to matter in this case.
>

Cheers and have a good one

tobi

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
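The "will check if all necessary files are present" step above, as an added example that is not part of the thread and not Postfix's own tooling: a chrooted Postfix smtp(8) process resolves file paths relative to queue_directory, so a trust store it opens after entering the jail (a CApath-style directory, for instance) has to exist under that directory. The queue directory and certificate paths in the demonstration are constructed placeholders; on a real host they would come from `postconf -h queue_directory smtp_tls_CAfile smtp_tls_CApath`.

```shell
# Added example (not from the thread). Checks whether trust-anchor paths
# configured for the Postfix SMTP client are visible inside the chroot
# jail, i.e. whether QUEUE_DIR/PATH exists for each PATH.
# All paths used in the demo below are constructed placeholders.

# check_chroot_trust_anchors ROOT PATH...
# Prints one line per PATH and returns non-zero if any path is missing
# inside the jail rooted at ROOT.
check_chroot_trust_anchors() {
    root=$1
    shift
    missing=0
    for p in "$@"; do
        case $p in
            /*) ;;  # absolute path, as Postfix would see it inside the jail
            *)  echo "skip:    $p (not an absolute path)"; continue ;;
        esac
        if [ -e "$root$p" ]; then
            echo "ok:      $root$p"
        else
            echo "missing: $root$p  (chrooted smtp could not open $p)"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed demonstration: a fake queue_directory with one CA bundle
# copied into the jail and one CApath directory left out. Returns 0 when
# the check reports the present file as ok and the absent directory as
# missing.
demo_chroot_check() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/spool/etc/ssl/certs"
    : > "$tmp/spool/etc/ssl/certs/ca-certificates.crt"   # placeholder bundle
    check_chroot_trust_anchors "$tmp/spool" \
        /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs
    rc=$?
    # The directory below was never copied into the jail, so this must fail:
    check_chroot_trust_anchors "$tmp/spool" /etc/pki/tls/certs && rc=1
    rm -rf "$tmp"
    return "$rc"
}
```

On a live system the interesting call is the one against the real jail, e.g. `check_chroot_trust_anchors "$(postconf -h queue_directory)" "$(postconf -h smtp_tls_CApath)"`; a "missing" line there is the kind of chroot problem the reply hints at, and copying the store into the jail (or running the smtp service unchrooted in master.cf) is the usual fix.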