Ok thanks. Guess I was looking too much into it. I intentionally raised the 
debug level to try to find this out. I normally run with it at 1.

Thomas E. Casartello, Jr.
Staff Assistant - Wireless/Linux Administrator
Information Technology
Wilson 105A
Westfield State University


-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Victor Duchovni
Sent: Wednesday, April 20, 2011 5:04 AM
To: postfix-users@postfix.org
Subject: Re: Problem with wildcard certificate

On Wed, Apr 20, 2011 at 12:29:27AM +0000, Casartello, Thomas wrote:

> Hello there. I recently just placed a new certificate into my postfix
> server. It is a wildcard certificate. The server's name is not covered
> by the wildcard common name, but it is covered by a subject alternative
> name in the cert. I have two versions of the same cert installed, one on
> a postfix server, one on a Microsoft Exchange system. I am using another
> postfix server to make the test connection. The certs are similar, same
> common name. However they have different keys, and the subject alternate
> names of the certs are different on the two servers.
> 
> When I connect to the Exchange server using my postfix client server, I see 
> this:
> Apr 19 20:15:08 mx2 postfix/smtp[31124]: setting up TLS connection to 
> mail.wsc.ma.edu[207.159.171.178]:25
> Apr 19 20:15:08 mx2 postfix/smtp[31124]: mail.wsc.ma.edu[207.159.171.178]:25: 
> TLS cipher list "ALL:+RC4:@STRENGTH"

Your TLS loglevel is set too high, use "1" or "0" for production
configurations.

> However when I connect to my other postfix server I get this:
> 
> Apr 19 20:19:18 mx2 postfix/smtp[31125]: setting up TLS connection to 
> mx1.wsc.ma.edu[207.159.171.123]:25
> Apr 19 20:19:18 mx2 postfix/smtp[31125]: Untrusted TLS connection established 
> to mx1.wsc.ma.edu[207.159.171.123]:25: TLSv1 with cipher ADH-AES256-SHA 
> (256/256 bits)

Since you have not configured certificate verification, Postfix negotiates
a certificateless anonymous cipher, when the remote server supports this.

> Trying to figure out why I'm getting untrusted when going from postfix
> to postfix but not from postfix to Microsoft. The difference I see is
> 20:19:18 mx2 postfix/smtp[31125]: SSL_connect:SSLv3 ...

You're trying to read low-level debug logs, that are leading you astray.

> Any thoughts as to why the different behavior?

There is no practical security difference between "trusted" and
"untrusted". In both cases the certificate is unverified.

    http://www.postfix.org/TLS_README.html#client_tls_levels

-- 
        Viktor.

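As an added example (not from Viktor's reply or the Postfix documentation), the opportunistic setting that produces the "Untrusted"/anonymous-cipher log lines quoted above, placed beside a configuration that actually verifies the wildcard/SAN certificate for the two destinations named in the thread. The trust-store path and the policy map file name are assumptions; the host names are the ones from the thread.

```ini
# --- /etc/postfix/main.cf, what the thread is effectively running ---
# Opportunistic TLS: encrypts when the peer offers it but verifies nothing,
# so an anonymous (ADH) cipher or an unverified certificate both pass and
# the log says "Anonymous"/"Untrusted" rather than "Verified".
smtp_tls_security_level = may
smtp_tls_loglevel = 1

# --- /etc/postfix/main.cf, hardened ---
# Keep "may" as the default for the rest of the Internet, but require a
# verified, name-matched certificate for chosen destinations via a policy map.
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt   ; trust store path is an assumption
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_loglevel = 1

# --- /etc/postfix/tls_policy  (run "postmap /etc/postfix/tls_policy" after edits) ---
# Keys are next-hop destinations (a domain, or [host] for a literal host).
# "secure" requires a chain that validates against smtp_tls_CAfile AND that
# the certificate's CN or a subjectAltName matches one of the match= names,
# so a wildcard CN or SAN entry covering mx1.wsc.ma.edu satisfies
# match=mx1.wsc.ma.edu. A certificate is now required, so the ADH cipher seen
# in the thread can no longer be negotiated; a mismatch defers the mail
# instead of silently downgrading, which is the behaviour you want to see
# logged as "Verified TLS connection established".
wsc.ma.edu        secure match=mx1.wsc.ma.edu:mail.wsc.ma.edu
[mx1.wsc.ma.edu]  secure match=mx1.wsc.ma.edu
[mail.wsc.ma.edu] secure match=mail.wsc.ma.edu
```

To test a destination without sending mail, Postfix 2.11 and later ship `posttls-finger`; `posttls-finger -l secure -F /etc/ssl/certs/ca-certificates.crt mx1.wsc.ma.edu` reports whether the chain and name match at that level.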