On Tue, Feb 11, 2014 at 10:14:10PM +0100, li...@rhsoft.net wrote:

> > So, i had to enable client side TLS and disabling NTLM. It says untrusted
> > connection in the logs, and i tried modifying the mynetworks variable below
> > but couldn't fix it. It may be untrusted because of the invalid exchange
> > certificate
>
> it says untrusted because the certificate on the remote side is
> not from a trusted CA or postfix does not know the CA

Which is just fine in the majority of cases.

> and that is why i have
> smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

Too many CAs to claim meaningful trust, too few CAs to authenticate
everyone. In particular, for the OP the Exchange server's certificate
is internally provisioned, and the CA in question is not in the
browser CA bundle.

The OP may choose to specify the actual issuer for his server cert
in CAfile, and to use the policy table or a dedicated transport to
make TLS mandatory (perhaps smtp_tls_security_level = "secure") for
the destination in question.

-- 
    Viktor.
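
A configuration sketch of the approach suggested in the reply above, added here as an example and not part of the original thread. The next-hop `[exchange.example.internal]:25` and the paths `/etc/postfix/exchange-issuer-ca.pem` and `/etc/postfix/tls_policy` are placeholders (assumptions), not values from the thread.

```conf
# ---- /etc/postfix/main.cf (added example; host name and paths are placeholders) ----

# Before: the browser CA bundle is the trust store. It does not contain the
# internal CA that issued the Exchange certificate, so the session is logged
# as "Untrusted TLS connection established".
#smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

# After: the trust store holds only the issuer of the Exchange server certificate.
smtp_tls_CAfile = /etc/postfix/exchange-issuer-ca.pem

# Opportunistic TLS remains the default for every other destination.
# At this level certificates are not verified, so delivery is unaffected
# by the smaller trust store.
smtp_tls_security_level = may

# Per-destination overrides are looked up in the policy table.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# One summary line per TLS session in the mail log.
smtp_tls_loglevel = 1

# ---- /etc/postfix/tls_policy ----
# The lookup key must be the next-hop exactly as it is written in relayhost
# or the transport table. "secure" makes TLS mandatory and requires a
# certificate that chains to smtp_tls_CAfile and whose name matches the next-hop.
[exchange.example.internal]:25    secure match=nexthop
```

After editing, run `postmap /etc/postfix/tls_policy` and `postfix reload`. With the `secure` level, mail for that destination is deferred rather than sent when certificate verification fails, so check the log for "Verified TLS connection established" before relying on it.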