On Tue, Mar 26, 2013 at 09:44:12AM +0100, Marko Weber | ZBF wrote:

> Mar 22 10:34:52 mail postfix/smtp[13970]:
> smtp2.db.com[160.83.77.178]:25: Matched subjectAltName:
> nyginsmp02.us.db.com
> Mar 22 10:34:52 mail postfix/smtp[13970]:
> smtp2.db.com[160.83.77.178]:25 CommonName nyginsmp02.us.db.com

Your smtp_tls_loglevel is set too high: 2 is only for debugging;
use 1 for routine logging.

> but on incoming mails i see this:
> 
> Mar 25 14:04:35 mail postfix/smtpd[31103]: setting up TLS connection
> from loninmrp15.uk.db.com[160.83.44.131]
> Mar 25 14:04:35 mail postfix/smtpd[31103]:
> loninmrp15.uk.db.com[160.83.44.131]: TLS cipher list
> "aNULL:-aNULL:ALL:+RC4:@STRENGTH:!aNULL"
> Mar 25 14:04:35 mail postfix/smtpd[31103]:
> loninmrp15.uk.db.com[160.83.44.131]: certificate verification
> depth=3 verify=0 subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public
> Primary Certification Authority

Your smtpd_tls_loglevel is set too high: 2 is only for debugging;
use 1 for routine logging.

You may not have specified the associated CAs in "smtpd_tls_CApath"
or "smtpd_tls_CAfile" (don't put too much here, use CApath if you
must).  However, see below, generally you should not be requesting
client certs at all.

> Mar 25 14:04:35 mail postfix/smtpd[31103]: Untrusted TLS connection
> established from loninmrp15.uk.db.com[160.83.44.131]: TLSv1 with
> cipher DHE-RSA-AES256-SHA (256/256 bits)

This is normal.  I would have expected this to say "Anonymous"
rather than "Untrusted".  Your smtpd(8) is configured to request
client certificates, why?  Generally, you should not request client
certs in SMTP except perhaps on "submission" servers.

-- 
        Viktor.

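Added example, not part of this thread and not Postfix code: a small Python audit script that reads smtp(8)/smtpd(8) log lines like the ones quoted above, picks out the one-per-session summary line ("Anonymous/Untrusted/Trusted/Verified TLS connection established ..."), and flags the verbose-only messages ("setting up TLS connection", "TLS cipher list", "certificate verification depth=", "Matched subjectAltName", "CommonName") whose presence means smtp_tls_loglevel or smtpd_tls_loglevel is at 2 or above. It also reports inbound sessions logged as "Untrusted", since smtpd(8) only logs that when it asked for a client certificate and got one it could not verify; with smtpd_tls_ask_ccert = no the same session would be logged as "Anonymous". The sample log lines are constructed for this example (modeled on the quoted ones; the outbound "Trusted" summary line is invented and not from the thread), and all function names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Summary line Postfix writes once per TLS session at smtp(d)_tls_loglevel >= 1.
# Inbound (smtpd):  "... established from host[ip]: PROTO with cipher NAME (a/b bits)"
# Outbound (smtp):  "... established to host[ip]:port: PROTO with cipher NAME (a/b bits)"
SUMMARY = re.compile(
    r"postfix/(?P<daemon>smtpd?)\[\d+\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?P<direction>from|to) (?P<peer>[^\s\[]+\[[^\]]+\])(?::\d+)?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)

# Messages that only appear at loglevel 2 ("verbose"); seeing them in routine
# logs means the loglevel should be lowered to 1.
DEBUG_ONLY = (
    "setting up TLS connection",
    "TLS cipher list",
    "certificate verification depth=",
    "Matched subjectAltName",
    " CommonName ",
)

DAEMON = re.compile(r"postfix/(smtpd?)\[")


@dataclass
class TlsSession:
    daemon: str   # "smtpd" (inbound) or "smtp" (outbound)
    trust: str    # Anonymous / Untrusted / Trusted / Verified
    peer: str     # host[ip]
    proto: str
    cipher: str
    bits: int


def parse_summary(line: str) -> Optional[TlsSession]:
    """Return a TlsSession for a per-session summary line, else None."""
    m = SUMMARY.search(line)
    if not m:
        return None
    return TlsSession(m["daemon"], m["trust"], m["peer"],
                      m["proto"], m["cipher"], int(m["bits"]))


def is_debug_line(line: str) -> bool:
    """True for lines that Postfix emits only at TLS loglevel 2 or higher."""
    return any(marker in line for marker in DEBUG_ONLY)


def audit(lines: List[str]) -> Dict[str, object]:
    """Classify sessions, count loglevel-2 noise per daemon, list inbound Untrusted peers."""
    sessions: List[TlsSession] = []
    debug_noise = {"smtp": 0, "smtpd": 0}
    for line in lines:
        session = parse_summary(line)
        if session:
            sessions.append(session)
            continue
        if is_debug_line(line):
            d = DAEMON.search(line)
            if d:
                debug_noise[d.group(1)] += 1
    # "Untrusted" on an inbound session: smtpd requested a client cert
    # (smtpd_tls_ask_ccert = yes) and could not verify the one it received.
    inbound_untrusted = [s.peer for s in sessions
                         if s.daemon == "smtpd" and s.trust == "Untrusted"]
    return {
        "sessions": sessions,
        "debug_noise": debug_noise,
        "loglevel_too_high": sorted(d for d, n in debug_noise.items() if n),
        "inbound_untrusted": inbound_untrusted,
    }


# Constructed sample log, modeled on the lines quoted in the thread.
SAMPLE_LOG = [
    "Mar 22 10:34:52 mail postfix/smtp[13970]: smtp2.db.com[160.83.77.178]:25: Matched subjectAltName: nyginsmp02.us.db.com",
    "Mar 22 10:34:52 mail postfix/smtp[13970]: smtp2.db.com[160.83.77.178]:25 CommonName nyginsmp02.us.db.com",
    # Invented outbound summary line (not in the thread), to show the "to host[ip]:port:" form.
    "Mar 22 10:34:52 mail postfix/smtp[13970]: Trusted TLS connection established to smtp2.db.com[160.83.77.178]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)",
    "Mar 25 14:04:35 mail postfix/smtpd[31103]: setting up TLS connection from loninmrp15.uk.db.com[160.83.44.131]",
    'Mar 25 14:04:35 mail postfix/smtpd[31103]: loninmrp15.uk.db.com[160.83.44.131]: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH:!aNULL"',
    "Mar 25 14:04:35 mail postfix/smtpd[31103]: loninmrp15.uk.db.com[160.83.44.131]: certificate verification depth=3 verify=0 subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority",
    "Mar 25 14:04:35 mail postfix/smtpd[31103]: Untrusted TLS connection established from loninmrp15.uk.db.com[160.83.44.131]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)",
]

if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for s in report["sessions"]:
        print(f"{s.daemon:5} {s.trust:9} {s.peer} {s.proto} {s.cipher} {s.bits} bits")
    for daemon in report["loglevel_too_high"]:
        print(f"{daemon}: {report['debug_noise'][daemon]} loglevel-2 lines; set {daemon}_tls_loglevel = 1")
    for peer in report["inbound_untrusted"]:
        print(f"inbound Untrusted from {peer}: smtpd is requesting client certificates")
```

Run it against a real mail log with `audit(open("/var/log/mail.log").read().splitlines())`; the per-daemon counts tell you which of smtp_tls_loglevel and smtpd_tls_loglevel to lower, and any inbound "Untrusted" peers tell you smtpd(8) is asking for client certificates on a port where, as the reply says, it normally should not.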