On Wed, Apr 20, 2011 at 12:29:27AM +0000, Casartello, Thomas wrote:
> Hello there. I recently just placed a new certificate into my postfix
> server. It is a wildcard certificate. The server's name is not covered
> by the wildcard common name, but it is covered by a subject alternative
> name in the cert. I have two versions of the same cert installed, one on
> a postfix server, one on a Microsoft Exchange system. I am using another
> postfix server to make the test connection. The certs are similar, same
> common name. However they have different keys, and the subject alternate
> names of the certs are different on the two servers.
>
> When I connect to the Exchange server using my postfix client server, I see
> this:
> Apr 19 20:15:08 mx2 postfix/smtp[31124]: setting up TLS connection to mail.wsc.ma.edu[207.159.171.178]:25
> Apr 19 20:15:08 mx2 postfix/smtp[31124]: mail.wsc.ma.edu[207.159.171.178]:25: TLS cipher list "ALL:+RC4:@STRENGTH"

Your TLS loglevel is set too high; use "1" or "0" for production
configurations.

> However, when I connect to my other postfix server I get this:
>
> Apr 19 20:19:18 mx2 postfix/smtp[31125]: setting up TLS connection to mx1.wsc.ma.edu[207.159.171.123]:25
> Apr 19 20:19:18 mx2 postfix/smtp[31125]: Untrusted TLS connection established to mx1.wsc.ma.edu[207.159.171.123]:25: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)

Since you have not configured certificate verification, Postfix negotiates
a certificateless anonymous cipher when the remote server supports this.

> Trying to figure out why I'm getting untrusted when going from postfix
> to postfix but not from postfix to Microsoft. The difference I see is
> 20:19:18 mx2 postfix/smtp[31125]: SSL_connect:SSLv3 ...

You're trying to read low-level debug logs that are leading you astray.

> Any thoughts as to why the different behavior?

There is no practical security difference between "trusted" and
"untrusted". In both cases the certificate is unverified.

http://www.postfix.org/TLS_README.html#client_tls_levels

--
Viktor.
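To make the distinction in the reply concrete, here is an added example (not code from the thread, and not part of Postfix) that reads only the "TLS connection established" summary lines the Postfix smtp client writes at the normal log level, ignores the handshake-debug lines the original poster was trying to interpret, and reports which destinations were encrypted without being authenticated. The sample log is constructed: three lines are copied from the post, the remaining hostnames and addresses (mx.example.net, smtp.example.org, relay.example.com, 192.0.2.x) are assumptions.

```python
"""Classify Postfix smtp-client TLS log lines by how far the peer was
actually authenticated.

Added example for the postfix-users exchange above; not code from the
thread or from Postfix itself.  SAMPLE_LOG is constructed: the first three
lines are copied from the post, the rest use assumed example hostnames and
RFC 5737 documentation addresses.
"""
import re
from dataclasses import dataclass

# Summary line written at the normal TLS log level, e.g.
#   Untrusted TLS connection established to host[ip]:25: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
# Later Postfix releases log "Anonymous" for certificate-less ciphers; the
# 2011 log in the post shows "Untrusted" for that case, so both are accepted.
ESTABLISHED = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: "
    r"(?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(?P<host>\S+?)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)

# OpenSSL cipher-suite names whose key exchange is anonymous (no certificate).
ANON_PREFIXES = ("ADH-", "AECDH-")

# Constructed sample; lines 1-3 are the poster's, the rest are assumed.
SAMPLE_LOG = """\
Apr 19 20:15:08 mx2 postfix/smtp[31124]: setting up TLS connection to mail.wsc.ma.edu[207.159.171.178]:25
Apr 19 20:15:08 mx2 postfix/smtp[31124]: mail.wsc.ma.edu[207.159.171.178]:25: TLS cipher list "ALL:+RC4:@STRENGTH"
Apr 19 20:19:18 mx2 postfix/smtp[31125]: Untrusted TLS connection established to mx1.wsc.ma.edu[207.159.171.123]:25: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Apr 19 20:25:01 mx2 postfix/smtp[31130]: Trusted TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr 19 20:31:44 mx2 postfix/smtp[31133]: Verified TLS connection established to smtp.example.org[192.0.2.20]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
Apr 19 20:40:02 mx2 postfix/smtp[31140]: Anonymous TLS connection established to relay.example.com[192.0.2.30]:25: TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)
"""


@dataclass
class TlsSession:
    pid: int
    level: str
    host: str
    ip: str
    port: int
    proto: str
    cipher: str
    bits: int

    @property
    def anonymous_cipher(self) -> bool:
        """True when no server certificate was involved at all (ADH/AECDH)."""
        return self.cipher.startswith(ANON_PREFIXES)

    @property
    def authenticated(self) -> bool:
        """Only "Verified" means Postfix validated the chain AND matched the
        destination name.  "Trusted" is a CA-signed certificate with no name
        check, "Untrusted" an unvalidated certificate, "Anonymous" none."""
        return self.level == "Verified" and not self.anonymous_cipher


def parse_sessions(log_text: str) -> list:
    """One TlsSession per summary line; 'TLS cipher list' and 'SSL_connect:'
    debug lines carry no trust information and are skipped."""
    sessions = []
    for line in log_text.splitlines():
        m = ESTABLISHED.search(line)
        if m:
            sessions.append(TlsSession(
                pid=int(m["pid"]), level=m["level"], host=m["host"], ip=m["ip"],
                port=int(m["port"]), proto=m["proto"], cipher=m["cipher"],
                bits=int(m["bits"])))
    return sessions


def unauthenticated(sessions) -> dict:
    """Map each destination that got encryption without authentication to the
    reason: the 'no certificate verification configured' case in the reply."""
    reasons = {}
    for s in sessions:
        if s.anonymous_cipher:
            reasons[s.host] = f"anonymous key exchange {s.cipher}: no server certificate at all"
        elif not s.authenticated:
            reasons[s.host] = f"{s.level}: certificate not verified against the destination name"
    return reasons


if __name__ == "__main__":
    for host, why in unauthenticated(parse_sessions(SAMPLE_LOG)).items():
        print(f"{host}: {why}")
```

Run against real logs, the only lines that indicate authentication are the "Verified" ones, which Postfix produces only when the client is at the "verify" or "secure" level (globally or through a tls_policy entry) and the certificate matched. "Trusted" and "Untrusted" at the default opportunistic level are equivalent in the sense the reply gives: nothing about the peer was checked before mail was handed over.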