Bill Cole via Postfix-users:
> On 2025-09-21 at 11:50:03 UTC-0400 (Sun, 21 Sep 2025 11:50:03 -0400)
> Alex via Postfix-users <mysqlstud...@gmail.com>
> is rumored to have said:
>
>> Hi, Google Postmaster Tools recently started reporting that my TLS
>> configuration is not properly set up. I don't think anything has changed,
>> but perhaps it was never set up right.
>
> I cannot speak to that, because I don't know what their standards are...
>
>> Here's what I'm seeing in the logs.
>>
>> Sep 19 11:26:21 cipher postfix-gmail/smtp[1403397]: Untrusted TLS
>> connection established to gmail-smtp-in.l.google.com[64.233.177.27]:25:
>> TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange
>> X25519 server-signature ECDSA (prime256v1) server-digest SHA256
>
> That is a smtp *client* connection *sending* email. It is "Untrusted"
> because the server cert doesn't verify using your configured trust
> settings. That's fairly normal for an SMTP client.

...

>> smtp_tls_security_level = may
At this security level, Postfix does not try to verify server certificates because it hasn't been told what certificate names (or fingerprints) to expect (the name of the recipient domain? The domain of the MX host? SMTP is not like HTTPS). Some domains publish a server certificate matching policy in DNS; you can use that information with 'smtp_tls_security_level = dane' or with a dane+sts policy plugin. The latter covers both DANE and STS policies.

Wietse
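To make the difference concrete, here is an added main.cf fragment (example configuration written for this page, not Alex's posted config or anything shipped by the Postfix project) showing the opportunistic setting from the thread next to a DANE-based setting. The `example.com` destination and the `/etc/postfix/tls_policy` path are placeholders; the DNSSEC-validating local resolver is an assumption that DANE depends on.

```conf
# --- Before: opportunistic TLS only (what the thread's log line reflects) ---
# Encrypts when the peer offers STARTTLS, but never verifies the server
# certificate, so every delivery logs "Untrusted TLS connection established".
smtp_tls_security_level = may

# --- After: verify via DANE where the receiving domain publishes TLSA records ---
# DANE lookups are only trusted when the answers are DNSSEC-validated, so
# Postfix must use a validating resolver (assumption: one runs on localhost).
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
# Loglevel 1 keeps the one-line summary per connection; look for
# "Verified TLS connection established" instead of "Untrusted".
smtp_tls_loglevel = 1
# CA bundle used when a per-destination policy asks for "secure"/"verify".
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Per-destination overrides for domains that publish neither TLSA nor STS
# records but whose MX host names you know; placeholder path.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Contents of /etc/postfix/tls_policy (run `postmap` on it afterwards):
#   example.com   secure match=mx1.example.com:mx2.example.com
# "secure" enforces CA-verified certificates whose names match the listed
# hosts; mail to that domain is deferred rather than sent unverified.
```

With `dane`, a destination that publishes no usable TLSA records falls back to the `may` behaviour, so the log line for such a domain still reads "Untrusted"; that is expected and is not a misconfiguration on the sending side. After reloading Postfix, `postconf -n | grep smtp_tls` shows which of these values are actually in effect.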