On Wed, Jan 11, 2012 at 04:15:17PM +0100, Stefan wrote:
> I've set up clientside TLS with postfix 2.7.1 as follows:
>
> smtp_tls_CApath = /etc/ssl/certs
> smtp_tls_loglevel = 1
> smtp_tls_security_level = may
For all destinations, except any listed in policy_maps at a security
level of "verify", "fingerprint" or "secure", you don't care about
the certificate of the server, and Postfix 2.9 will not waste your
time with warnings about trust chain verification failures.
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
>
> /etc/postfix/tls_policy:
> <empty>
You can save some CPU, I/O and RAM by not setting a policy table
at all, if the table is always going to remain empty.
> When sending a message (sendmail u...@mydomain.com) I get these loglines:
>
> postfix/smtp[7537]: setting up TLS connection to
> mail.example.com[aaa.bbb.ccc.ddd]:25
> postfix/smtp[7537]: Untrusted TLS connection established to
> mail.example.com[aaa.bbb.ccc.ddd]:25: TLSv1 with cipher ADH-CAMELLIA256-SHA
> (256/256 bits)
This is of no consequence. The connection did not negotiate any certs, so
so no trust information is available.
> /etc/postfix/tls_policy:
> [mail.example.com] verify
>
> I get the following:
>
> postfix/smtp[7567]: setting up TLS connection to
> mail.example.com[aaa.bbb.ccc.ddd]:25
> postfix/smtp[7567]: Verified TLS connection established to
> mail.example.com[aaa.bbb.ccc.ddd]:25: TLSv1 with cipher
> DHE-RSA-CAMELLIA256-SHA (256/256 bits)
Now certificates were obtained and verified.
> And now the TLS connection is trusted and verified. Why isn't it verfied with
> 'smtp_tls_security_level = may'?
Because the verification with "may" is futile, you'll deliver even if it failed,
and even over a plaintext connection, so no verification takes place and no
certs are exchanged, saving CPU and bandwidth.
--
Viktor.
