I sometimes mail with Deutsche Bank.
When I send mails I use a tls_policy_map:
db.com secure match=loninmrp23.uk.db.com:nyjinsmp07.us.db.com:loninmrp22.uk.db.com:loninmrp14.uk.db.com:nyginsmp02.us.db.com:nyjinsmp01.us.db.com
.db.com secure match=loninmrp23.uk.db.com:nyjinsmp07.us.db.com:loninmrp22.uk.db.com:loninmrp14.uk.db.com:nyginsmp02.us.db.com:nyjinsmp01.us.db.com
When mails go out I see in the logs:
Mar 22 10:34:51 mail postfix/smtp[13970]: setting up TLS connection to smtp2.db.com[160.83.77.178]:25
...
....
...
Mar 22 10:34:52 mail postfix/smtp[13970]: smtp2.db.com[160.83.77.178]:25: Matched subjectAltName: nyginsmp02.us.db.com
Mar 22 10:34:52 mail postfix/smtp[13970]: smtp2.db.com[160.83.77.178]:25 CommonName nyginsmp02.us.db.com
...
...
Mar 22 10:34:52 mail postfix/smtp[13970]: Verified TLS connection established to smtp2.db.com[160.83.77.178]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
But on incoming mails I see this:
Mar 25 14:04:35 mail postfix/smtpd[31103]: connect from loninmrp15.uk.db.com[160.83.44.131]
Mar 25 14:04:35 mail postfix/smtpd[31103]: setting up TLS connection from loninmrp15.uk.db.com[160.83.44.131]
Mar 25 14:04:35 mail postfix/smtpd[31103]: loninmrp15.uk.db.com[160.83.44.131]: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH:!aNULL"
Mar 25 14:04:35 mail postfix/smtpd[31103]: loninmrp15.uk.db.com[160.83.44.131]: certificate verification depth=3 verify=0 subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Mar 25 14:04:35 mail postfix/smtpd[31103]: loninmrp15.uk.db.com[160.83.44.131]: certificate verification depth=3 verify=1 subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Mar 25 14:04:35 mail postfix/smtpd[31103]: loninmrp15.uk.db.com[160.83.44.131]: certificate verification depth=2 verify=1 subject=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
Mar 25 14:04:35 mail postfix/smtpd[31103]: loninmrp15.uk.db.com[160.83.44.131]: certificate verification depth=1 verify=1 subject=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
Mar 25 14:04:35 mail postfix/smtpd[31103]: loninmrp15.uk.db.com[160.83.44.131]: certificate verification depth=0 verify=1 subject=/C=DE/ST=Hessen/L=Frankfurt am Main/O=Deutsche Bank AG/CN=loninmrp15.uk.db.com
Mar 25 14:04:35 mail postfix/smtpd[31103]: loninmrp15.uk.db.com[160.83.44.131]: save session E9866FDA3C93B4845E9F5FC28DBF7942FD8BCEB4075DD15980CB6F956D92DD09&s=smtpd&l=268439615 to smtpd cache
Mar 25 14:04:35 mail postfix/smtpd[31103]: subject=/C=DE/ST=Hessen/L=Frankfurt am Main/O=Deutsche Bank AG/CN=loninmrp15.uk.db.com
Mar 25 14:04:35 mail postfix/smtpd[31103]: loninmrp15.uk.db.com[160.83.44.131]: subject_CN=loninmrp15.uk.db.com, issuer=VeriSign Class 3 Secure Server CA - G3, fingerprint=66:16:32:32:EC:74:FC:2B:52:57:08:03:1B:C9:1F:70:0F:F4:22:AB, pkey_fingerprint=CF:4B:F1:C2:F9:DA:1E:28:40:52:01:33:48:32:4D:4C:5C:CF:E4:D3
Mar 25 14:04:35 mail postfix/smtpd[31103]: Untrusted TLS connection established from loninmrp15.uk.db.com[160.83.44.131]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Why is the TLS connection untrusted on incoming mails?
Can anyone help / explain this to me?
Thank you, from sunny but cold and windy Hamburg (Germany)
marko
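
Added example, not part of the original post: a small Python script that groups Postfix TLS log lines like the ones above by service and process ID and reports, for each established session, the trust label and every chain depth that was logged with verify=0. The sample lines are abridged from the log in the post and re-joined where the mail client wrapped them; reading a verify=0 line as the depth at which chain validation reported an error is an assumption about these log lines.

```python
import re
from collections import defaultdict

# Sample lines abridged from the log quoted in the post (constructed by
# re-joining the wrapped lines; intermediate depths left out for brevity).
SAMPLE_LOG = """\
Mar 25 14:04:35 mail postfix/smtpd[31103]: loninmrp15.uk.db.com[160.83.44.131]: certificate verification depth=3 verify=0 subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Mar 25 14:04:35 mail postfix/smtpd[31103]: loninmrp15.uk.db.com[160.83.44.131]: certificate verification depth=3 verify=1 subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Mar 25 14:04:35 mail postfix/smtpd[31103]: loninmrp15.uk.db.com[160.83.44.131]: certificate verification depth=0 verify=1 subject=/C=DE/ST=Hessen/L=Frankfurt am Main/O=Deutsche Bank AG/CN=loninmrp15.uk.db.com
Mar 25 14:04:35 mail postfix/smtpd[31103]: Untrusted TLS connection established from loninmrp15.uk.db.com[160.83.44.131]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Mar 22 10:34:52 mail postfix/smtp[13970]: Verified TLS connection established to smtp2.db.com[160.83.77.178]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
"""

# "postfix/smtp[pid]: msg" (outbound client) or "postfix/smtpd[pid]: msg" (inbound server)
PREFIX = re.compile(r"postfix/(?P<svc>smtpd?)\[(?P<pid>\d+)\]: (?P<msg>.*)")
VERIFY = re.compile(
    r"certificate verification depth=(?P<depth>\d+) verify=(?P<ok>[01]) subject=(?P<subj>.*)")
ESTABLISHED = re.compile(
    r"(?P<label>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?:from|to) (?P<peer>\S+): ")


def summarize(log_text):
    """Return one dict per established TLS session, in log order."""
    failed = defaultdict(list)  # (service, pid) -> [(depth, subject), ...]
    sessions = []
    for line in log_text.splitlines():
        m = PREFIX.search(line)
        if not m:
            continue
        key = (m["svc"], m["pid"])
        v = VERIFY.search(m["msg"])
        if v:
            if v["ok"] == "0":  # remember only the depths that failed
                failed[key].append((int(v["depth"]), v["subj"]))
            continue
        e = ESTABLISHED.match(m["msg"])
        if e:
            # Attach the failures seen so far for this process, then reset.
            sessions.append({"service": m["svc"], "peer": e["peer"],
                             "label": e["label"],
                             "failed_depths": failed.pop(key, [])})
    return sessions


if __name__ == "__main__":
    for s in summarize(SAMPLE_LOG):
        print(s["service"], s["peer"], s["label"], s["failed_depths"])
```
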