On 05.03.2012 19:39, Wietse Venema wrote:
>> 366AE26E2B: to=<t...@test1.prv>, relay=s2.mydomain.de[192.168.1.1]:25,
>> ..., dsn=4.7.5, status=deferred (Server certificate not verified)
>> ==================================================================
>>
>> So my understanding of the difference between "verify" and "secure"
>> seems to be wrong. Could someone please explain this?
>
> Both "verify" and "secure" fail when the certificate signature can't
> be verified.

Sorry, I'm still lost:

/etc/postfix/transport:
test1.prv smtp:[s2.mydomain.de]

/etc/postfix/tls_policy:
[s2.mydomain.de] verify

==================================================================
s2.mydomain.de[192.168.1.1]:25: Trusted subject_CN=s1.mydomain.de, issuer_CN=Thawte DV SSL CA
Trusted TLS connection established to s2.mydomain.de[192.168.1.1]:25: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA
6F68526E2E: to=<te...@test1.prv>, relay=s2.mydomain.de[170.1.1.1]:25, ..., dsn=4.7.5, status=deferred (Server certificate not verified)
==================================================================

And now:

/etc/postfix/tls_policy:
[s2.mydomain.de] verify match=s1.mydomain.de

(nothing changed on the server side)

==================================================================
s2.mydomain.de[192.168.1.1]:25: Matched subject_CN=s1.mydomain.de, issuer_CN=Thawte DV SSL CA
Verified TLS connection established to s2.mydomain.de[192.168.1.1]:25: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA
6F68526E2E: to=<te...@test1.prv>, relay=s2.mydomain.de[170.1.1.1]:25, ..., dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5CF654330)
==================================================================

So: it looks to me like I got a server certificate which can be verified. It's just that its CN does not match the server name, but that should be OK when using "verify" (and not when using "secure"). Instead, "verify" and "secure" are behaving in the same way: they only work when the "match" clause is configured.

Regards,
Robert
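As an added example (not part of the thread), a small Python triage script that groups Postfix smtp TLS log lines of the shape quoted above per connection and labels the outcome: a "Trusted" certificate line followed by "Server certificate not verified" means the chain validated but no name in the certificate satisfied the policy's match list, while "Verified" means the name check passed too. The sample lines are constructed after the ones in the thread (syslog prefixes and the "..." placeholders dropped); the field and finding names are my own.

```python
import re

# Constructed sample lines, modelled on the log excerpts quoted in the thread.
SAMPLE_LOG = """\
s2.mydomain.de[192.168.1.1]:25: Trusted subject_CN=s1.mydomain.de, issuer_CN=Thawte DV SSL CA
Trusted TLS connection established to s2.mydomain.de[192.168.1.1]:25: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA
6F68526E2E: to=<te...@test1.prv>, relay=s2.mydomain.de[192.168.1.1]:25, dsn=4.7.5, status=deferred (Server certificate not verified)
s2.mydomain.de[192.168.1.1]:25: Matched subject_CN=s1.mydomain.de, issuer_CN=Thawte DV SSL CA
Verified TLS connection established to s2.mydomain.de[192.168.1.1]:25: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA
6F68526E2E: to=<te...@test1.prv>, relay=s2.mydomain.de[192.168.1.1]:25, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5CF654330)
"""

# Certificate line: "<host>[<ip>]:<port>: <Trusted|Matched|...> subject_CN=..., issuer_CN=..."
CERT_RE = re.compile(r"^(?P<relay>[^\s:]+)\[[^\]]+\]:\d+: (?P<verdict>\w+) subject_CN=(?P<cn>[^,]+), issuer_CN=(?P<issuer>.*)$")
# Connection line: "<level> TLS connection established to <host>[<ip>]:<port>: ..."
CONN_RE = re.compile(r"^(?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection established to (?P<relay>[^\s:]+)\[")
# Delivery line: "<queue-id>: ... relay=<host>[<ip>]:<port>, ... dsn=<dsn>, status=<status> (<reason>)"
DELIV_RE = re.compile(r"^[0-9A-F]+: .*relay=(?P<relay>[^\s\[]+)\[.*dsn=(?P<dsn>\S+), status=(?P<status>\w+) \((?P<reason>.*)\)$")


def classify(session):
    """Label why delivery did or did not proceed for one TLS session."""
    level, reason = session.get("level"), session.get("reason", "")
    if level == "Verified":
        return "ok"                # chain trusted AND a certificate name matched the policy
    if level == "Trusted" and "not verified" in reason:
        return "name-mismatch"     # chain trusted, but no certificate name matched
    if level in ("Untrusted", "Anonymous"):
        return "chain-untrusted"   # the certificate chain itself could not be verified
    return "unknown"


def triage(log_text):
    """Group certificate, connection and delivery lines into sessions and classify each."""
    sessions, current = [], None
    for line in log_text.splitlines():
        if m := CERT_RE.match(line):           # a certificate line opens a session
            current = {"relay": m["relay"], "verdict": m["verdict"], "cn": m["cn"].strip()}
            sessions.append(current)
        elif (m := CONN_RE.match(line)) and current is not None:
            current["level"] = m["level"]
        elif (m := DELIV_RE.match(line)) and current is not None:
            current.update(status=m["status"], dsn=m["dsn"], reason=m["reason"])
            current["cn_equals_relay"] = current["cn"].lower() == current["relay"].lower()
            current["finding"] = classify(current)
            current = None                     # the delivery line closes the session
    return sessions


if __name__ == "__main__":
    for s in triage(SAMPLE_LOG):
        print(f"{s['relay']}: CN={s['cn']} level={s['level']} status={s['status']} -> {s['finding']}")
```

Run against the real mail log (with syslog prefixes stripped), a "name-mismatch" finding points at the certificate's names versus the relay host, which is exactly the gap a match= attribute or a correctly named server certificate closes.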