On Thu, 2010-09-16 at 15:14 -0400, Victor Duchovni wrote:
> On Thu, Sep 16, 2010 at 01:45:10PM -0500, Vernon A. Fort wrote:
> 
> > TLS related messages in the maillog
> > 
> > Sep 16 14:25:54 ns postout/smtp[27828]: Trusted TLS connection
> > established to chanet.org.2.0001.arsmtp.com[204.232.236.213]:25: TLSv1
> > with cipher DES-CBC3-SHA (168/168 bits)
> 
> Their certificate is signed by a root CA you trust, but you are using
> opportunistic TLS, so no further verification took place.
> 
> > Sep 16 14:25:55 ns postout/smtp[28259]: Untrusted TLS connection
> > established to pluto.VerizonWireless.com[162.115.227.108]:25: TLSv1 with
> > cipher ADH-CAMELLIA256-SHA (256/256 bits)
> 
> Their certificate is not signed by a root CA you trust.
> 
> > Sep 16 14:26:10 ns postfix/smtpd[27638]: Anonymous TLS connection
> > established from mail.bcbsal.org[216.104.80.8]: TLSv1 with cipher
> > DHE-RSA-AES256-SHA (256/256 bits)
> 
> This (likely Postfix) site negotiated a certificate-less cipher with
> you, since you don't intend to verify the peer-name.
> 
> > The "Untrusted", I assume, refers to a host name mismatch or unverified
> > CA root.
> 
> Just the CA root.
> 
> > But what's the difference/meaning of "Trusted" and "Anonymous"?
> 
> Anonymous DH ciphers don't use CA certs. The conversation is encrypted,
> but unauthenticated. Of course "Trusted" is also encrypted and not
> authenticated, but a certificate is sent and mostly ignored. What you
> learn is that if you wanted to, you could use a "secure" policy with
> a suitable set of "match" patterns.

Ok - so the Trusted/Untrusted/Anonymous 'connections' are for the CA
root - understood.  By the way - did the TLS_README patch you posted
(http://www.mail-archive.com/postfix-users@postfix.org/msg15394.html)
ever make it into the TLS_README file?  I'm running the 2.8-20100913
version (will upgrade to 916) but this patch/info is NOT in the
TLS_README.

Most of what I read (so far) insists that you stay away from the
"secure" policies, assuming you're referring to the
smtp[d]_tls_security_level.  Granted, I have much more to read/digest.
At this point I've configured postfix to offer encryption to clients if
they want it, and to ask to encrypt on outbound.  I do have
smtpd_tls_ask_ccert enabled, thinking it would help with the
verification.  Solely for log reviews at this point.

The main reason for most of my questions (related to TLS) is I am
working with a large insurance company to ease communications between my
client and them - so they could (both sides) bypass the mail encryption
via a secure website.  Their policy is to set my clients (them to us) to
TLS but no verification.  I found this very odd, especially when you
consider the HIPAA regulations.

My goal is to discover the limitations with email encryption using TLS
(server to server).  Of course this is from a USAGE perspective - how
far/much can we trust the connection.  Once the email is out - it's gone.

Vernon
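The exchange above boils down to reading Postfix's TLS log prefixes correctly: of "Verified", "Trusted", "Untrusted" and "Anonymous", only "Verified" (the prefix Postfix logs at the "verify"/"secure" levels, not shown in the thread itself) means the peer was authenticated; the other three give encryption with no assurance about who is on the other end. The following script is an added example, not code from the thread or from Postfix: it parses the three maillog lines quoted above (re-joined onto one line each, as they appear in the real log), reports what each prefix does and does not guarantee, and flags the anonymous key exchange, the 3DES cipher and the TLSv1 protocol that a reviewer of these logs would want to see called out. The effective-strength and deprecation judgements are the author's, not something the thread states.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Log lines copied from the thread above, re-joined onto one line each
# (the mail client wrapped them).  Hostnames and IPs are as posted.
SAMPLE_LOG = """\
Sep 16 14:25:54 ns postout/smtp[27828]: Trusted TLS connection established to chanet.org.2.0001.arsmtp.com[204.232.236.213]:25: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
Sep 16 14:25:55 ns postout/smtp[28259]: Untrusted TLS connection established to pluto.VerizonWireless.com[162.115.227.108]:25: TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)
Sep 16 14:26:10 ns postfix/smtpd[27638]: Anonymous TLS connection established from mail.bcbsal.org[216.104.80.8]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
"""

# What each Postfix TLS log prefix actually guarantees.  "Verified" is the
# only prefix that means the peer was authenticated; it is not in the thread
# but is what Postfix logs when the "verify"/"secure" levels succeed.
LEVEL_MEANING = {
    "Verified":  "certificate chains to a trusted CA and the peer name matched",
    "Trusted":   "certificate chains to a trusted CA, but the peer name was not checked",
    "Untrusted": "certificate presented, but it does not chain to a CA you trust",
    "Anonymous": "peer presented no certificate at all",
}

TLS_LINE = re.compile(
    r"(?P<prog>\S+)/(?P<daemon>smtpd?)\[\d+\]: "
    r"(?P<level>Verified|Trusted|Untrusted|Anonymous) TLS connection established "
    r"(?P<dir>to|from) (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\](?::(?P<port>\d+))?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/(?P<rawbits>\d+) bits\)"
)


@dataclass
class TlsEvent:
    daemon: str      # "smtp" = our outbound client, "smtpd" = our inbound server
    level: str       # Verified / Trusted / Untrusted / Anonymous
    direction: str   # "to" (outbound) or "from" (inbound)
    host: str
    ip: str
    proto: str
    cipher: str
    bits: int        # the first number Postfix logs, e.g. 168 for 3DES


def parse_tls_line(line: str) -> Optional[TlsEvent]:
    """Return a TlsEvent for a Postfix 'TLS connection established' line, else None."""
    m = TLS_LINE.search(line)
    if not m:
        return None
    return TlsEvent(m["daemon"], m["level"], m["dir"], m["host"], m["ip"],
                    m["proto"], m["cipher"], int(m["bits"]))


def authenticated(ev: TlsEvent) -> bool:
    """True only when Postfix verified both the CA chain and the peer name."""
    return ev.level == "Verified"


def findings(ev: TlsEvent) -> list[str]:
    """Points a reviewer of this log line would want called out (author's criteria)."""
    out = []
    if not authenticated(ev):
        out.append(f"peer not authenticated: {LEVEL_MEANING[ev.level]}")
    if ev.cipher.startswith(("ADH-", "AECDH-")):
        out.append("anonymous key exchange: no certificate involved, an active attacker can sit in the middle")
    if "DES-CBC3" in ev.cipher:
        out.append("3DES cipher: logged as 168 bits but ~112 effective, deprecated")
    if ev.proto in ("SSLv3", "TLSv1", "TLSv1.1"):
        out.append(f"{ev.proto} is deprecated")
    return out


def summarize(log: str) -> dict[str, int]:
    """Count TLS connections per log prefix across a maillog excerpt."""
    counts = {level: 0 for level in LEVEL_MEANING}
    for line in log.splitlines():
        ev = parse_tls_line(line)
        if ev:
            counts[ev.level] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        ev = parse_tls_line(line)
        if ev is None:
            continue
        side = "outbound" if ev.daemon == "smtp" else "inbound"
        print(f"{side} {ev.direction} {ev.host}[{ev.ip}] {ev.level} {ev.proto} {ev.cipher}")
        for f in findings(ev):
            print(f"  - {f}")
    print("summary:", summarize(SAMPLE_LOG))
```

Run against a real maillog (e.g. `grep 'TLS connection established' /var/log/maillog | python3 this.py`-style piping after replacing SAMPLE_LOG with stdin) the summary answers the question in the thread directly: with opportunistic TLS the "Verified" count stays at zero, so nothing in the log proves which server received the message, only that the hop was encrypted.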