On Sun, Sep 21, 2025 at 11:50:03AM -0400, Alex via Postfix-users wrote:

> Hi, Google Postmaster Tools recently started reporting that my TLS
> configuration is not properly set up.

Actually, the converse: the below is *your* Postfix SMTP client that is
telling you that *Google's* configuration may not match your expectations:

> Sep 19 11:26:21 cipher postfix-gmail/smtp[1403397]:
>   Untrusted TLS connection established
>   to gmail-smtp-in.l.google.com[64.233.177.27]:25:
>   TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
>   key-exchange X25519
>   server-signature ECDSA (prime256v1)
>   server-digest SHA256

The basics of the certificate chain I see from that logical cluster (we
likely connected to different datacentres, and the chains could perhaps
be different) are:

    $ posttls-finger -cC -Lsummary "[gmail-smtp-in.l.google.com]" |
        openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
        openssl pkcs7 -print_certs -noout
    subject=CN=mx.google.com
    issuer=C=US, O=Google Trust Services, CN=WR2

    subject=C=US, O=Google Trust Services, CN=WR2
    issuer=C=US, O=Google Trust Services LLC, CN=GTS Root R1

    subject=C=US, O=Google Trust Services LLC, CN=GTS Root R1
    issuer=C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA

> Here is my TLS configuration. I'm using SNI maps to deliver the cert
> depending on one of two domains the user is accessing. The "combined" cert
> below is the cert and key concatenated together.
> 
> smtp_tls_CAfile = /var/www/mail.example.com-443/ssl/DigiCertCA.crt
> smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
> smtp_tls_security_level = may

If that CAfile lists only DigiCert trust anchors, then the result is not
surprising, since the certificate chain in question is anchored at the
last issuer shown above, which is "GlobalSign Root CA", and not DigiCert.

A quick check of <https://crt.sh/?q=mx.google.com> shows little evidence
of DigiCert involvement in issuing certificates for Google's MX hosts.

-- 
    Viktor.  🇺🇦 Слава Україні!
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
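The reasoning in the reply above, as an added example that is not part of the thread: walk the subject/issuer pairs that `openssl pkcs7 -print_certs -noout` prints for the Google MX chain, and ask whether a given set of trust anchors (the subjects in a `smtp_tls_CAfile`) could verify it. The chain text is the one quoted in the post; the anchor lists are constructed placeholders standing in for a DigiCert-only bundle and a fuller system bundle. Matching is by distinguished name only, which is a simplification: a real verifier (OpenSSL inside Postfix) also requires the anchor's public key to match, so this shows the logic of "which root does this chain end at", not a substitute for `openssl verify`.

```python
"""Decide whether a trust-anchor list could verify a printed certificate chain.

Models the point made in the reply: a Postfix smtp_tls_CAfile that holds
only DigiCert roots cannot verify a chain whose last issuer is
"GlobalSign Root CA" (or, equivalently, "GTS Root R1" if that root is trusted
directly).  Standard library only; DN-string matching, no real X.509 parsing.
"""
import re

# Sample input: the subject/issuer pairs quoted in the post, verbatim.
GOOGLE_MX_CHAIN = """\
subject=CN=mx.google.com
issuer=C=US, O=Google Trust Services, CN=WR2

subject=C=US, O=Google Trust Services, CN=WR2
issuer=C=US, O=Google Trust Services LLC, CN=GTS Root R1

subject=C=US, O=Google Trust Services LLC, CN=GTS Root R1
issuer=C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
"""

# Constructed (hypothetical) anchor subjects: what a DigiCert-only CAfile
# might contain versus a broader system bundle.  Not taken from any real file.
DIGICERT_ONLY = [
    "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA",
]
SYSTEM_BUNDLE = DIGICERT_ONLY + [
    "C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA",
    "C=US, O=Google Trust Services LLC, CN=GTS Root R1",
]


def parse_chain(text):
    """Return [(subject, issuer), ...] in leaf-to-root order from -print_certs output."""
    pairs = re.findall(r"^subject=(.*)\nissuer=(.*)$", text, re.MULTILINE)
    return [(s.strip(), i.strip()) for s, i in pairs]


def normalize_dn(dn):
    """Loose DN comparison key: split RDNs on ', ', upper-case the attribute type.

    Values containing ', ' would need proper RFC 4514 parsing; the DNs in this
    chain do not, so the simple split is adequate here.
    """
    rdns = []
    for part in dn.split(", "):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return tuple(rdns)


def chain_is_linked(chain):
    """Each certificate's issuer must be the subject of the next one up."""
    return all(
        normalize_dn(chain[k][1]) == normalize_dn(chain[k + 1][0])
        for k in range(len(chain) - 1)
    )


def find_anchor(chain, anchors):
    """Return (depth, issuer_dn) for the first issuer that is a trust anchor.

    A verifier stops as soon as it reaches a trusted subject, so a trusted
    intermediate root (GTS Root R1) short-circuits before GlobalSign is needed.
    Returns None when no issuer in the chain is trusted.
    """
    trusted = {normalize_dn(a) for a in anchors}
    for depth, (_subject, issuer) in enumerate(chain):
        if normalize_dn(issuer) in trusted:
            return depth, issuer
    return None


def verification_verdict(chain_text, anchors):
    """Human-readable verdict, in the spirit of Postfix's Trusted/Untrusted log line."""
    chain = parse_chain(chain_text)
    if not chain:
        return "no certificates parsed"
    if not chain_is_linked(chain):
        return "broken chain: an issuer does not match the next subject"
    hit = find_anchor(chain, anchors)
    if hit is None:
        return f"untrusted: chain ends at '{chain[-1][1]}', which is not in the CAfile"
    depth, name = hit
    return f"trusted via '{name}' at depth {depth}"


if __name__ == "__main__":
    print("DigiCert-only CAfile:", verification_verdict(GOOGLE_MX_CHAIN, DIGICERT_ONLY))
    print("System bundle       :", verification_verdict(GOOGLE_MX_CHAIN, SYSTEM_BUNDLE))
```

With the DigiCert-only list the verdict is "untrusted" because no issuer in the chain matches; with the broader bundle the chain is accepted at depth 1 via GTS Root R1, without ever consulting the GlobalSign cross-sign, which is why the practical fix is to point `smtp_tls_CAfile` (or `smtp_tls_CApath`) at a full system trust store rather than a single vendor's bundle.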