On Thu, Sep 16, 2010 at 01:45:10PM -0500, Vernon A. Fort wrote:

> TLS related messages in the maillog
> 
> Sep 16 14:25:54 ns postout/smtp[27828]: Trusted TLS connection
> established to chanet.org.2.0001.arsmtp.com[204.232.236.213]:25: TLSv1
> with cipher DES-CBC3-SHA (168/168 bits)

Their certificate is signed by a root CA you trust, but you are using
opportunistic TLS, so no further verification took place.

> Sep 16 14:25:55 ns postout/smtp[28259]: Untrusted TLS connection
> established to pluto.VerizonWireless.com[162.115.227.108]:25: TLSv1 with
> cipher ADH-CAMELLIA256-SHA (256/256 bits)

Their certificate is not signed by a root CA you trust.

> Sep 16 14:26:10 ns postfix/smtpd[27638]: Anonymous TLS connection
> established from mail.bcbsal.org[216.104.80.8]: TLSv1 with cipher
> DHE-RSA-AES256-SHA (256/256 bits)

This (likely Postfix) site negotiated a certificate-less cipher with
you, since you don't intend to verify the peer-name.

> The "Untrusted", I assume, refers to a host name mismatch or unverified
> CA root.

Just the CA root.

> But what's the difference/meaning of "Trusted" and "Anonymous"?

Anonymous DH ciphers don't use CA certs. The conversation is encrypted,
but unauthenticated. Of course "Trusted" is also encrypted and not
authenticated, but a certificate is sent and mostly ignored. What you
learn is that if you wanted to, you could use a "secure" policy with
a suitable set of "match" patterns.

-- 
        Viktor.
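As an added example (not part of the original thread), the three log lines quoted above parsed and mapped to what each level does and does not establish, following Viktor's explanation; the regex and helper names are my own, and the extra "Verified" level is the one Postfix logs when the peer name also matches.

```python
import re

# Postfix logs one line per TLS handshake. Every level means the session is
# encrypted; the leading word only says how far the peer certificate was checked.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<inst>\S+)/(?P<daemon>smtpd?)\[\d+\]: "
    r"(?P<level>Verified|Trusted|Untrusted|Anonymous) TLS connection established "
    r"(?P<dir>to|from) (?P<peer>[^\[]+)\[(?P<ip>[^\]]+)\](?::(?P<port>\d+))?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/(?P<raw>\d+) bits\)$"
)


def parse_tls_line(line):
    """Return a dict describing one handshake, or None if the line is not a TLS line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    level = m["level"]
    return {
        "direction": "outbound" if m["dir"] == "to" else "inbound",
        "daemon": m["daemon"],
        "peer": m["peer"],
        "ip": m["ip"],
        "protocol": m["proto"],
        "cipher": m["cipher"],
        "bits": int(m["bits"]),
        "level": level,
        # Anonymous: no certificate involved. Untrusted: cert sent, chain not trusted.
        # Trusted: chain trusted, name not checked. Verified: chain trusted and name matched.
        "cert_presented": level != "Anonymous",
        "chain_trusted": level in ("Trusted", "Verified"),
        "peer_name_verified": level == "Verified",
    }


def unauthenticated(records):
    """Peers that were encrypted only: below Verified, nothing binds the name to the key."""
    return [r["peer"] for r in records if r and not r["peer_name_verified"]]


# Sample input: the three lines quoted in the thread, re-joined onto single lines.
SAMPLE = [
    "Sep 16 14:25:54 ns postout/smtp[27828]: Trusted TLS connection established to chanet.org.2.0001.arsmtp.com[204.232.236.213]:25: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)",
    "Sep 16 14:25:55 ns postout/smtp[28259]: Untrusted TLS connection established to pluto.VerizonWireless.com[162.115.227.108]:25: TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)",
    "Sep 16 14:26:10 ns postfix/smtpd[27638]: Anonymous TLS connection established from mail.bcbsal.org[216.104.80.8]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)",
]

if __name__ == "__main__":
    records = [parse_tls_line(line) for line in SAMPLE]
    for rec in records:
        print(rec)
    print("encrypted but not name-verified:", unauthenticated(records))
```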
