Hello,

I'm lost and don't find any solution anymore, so I now need to ask.

I'm running three mail-servers with Postfix 2.9.6 (valid TLS cert), 2.7.2 (self-signed), 2.11.0 (self-signed).

And whatever I do, I'm unable to get any of these three to show a trusted connection to any of the others. It trusts Google and GMX and whatever, but not my own servers. That's disturbing.

Here are the configs I use, essentially:

smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_cert_file = ...cert file include cert and all related ca's...
smtpd_tls_key_file = ...key...
smtpd_tls_CApath = /etc/ssl/certs/

smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtpd_tls_CApath = /etc/ssl/certs/

The certificates are installed and

openssl s_client -debug -connect ...server...:25 -starttls smtp

also says that the certificate chain is complete and valid. But Postfix tells me "Untrusted" when sending a mail to one of the others. Always. It's disturbing.

Using a higher TLS loglevel, it seems that the other servers like Google send their certificates in the initial TLS connection, but my Postfix instances don't do this. And due to "may", the Postfix sender seems not to ask.

But even if it is not necessary to have a valid certificate installed for sending, I at least want to have the status correct in the logfile, so I can see a MITM attack in the log afterwards.

Any ideas what's wrong with my setup or how I can bring Postfix to log the correct trust status even if "may" is used?

Two of the servers are the one for this mail, mail.stoecker.eu, and another one with a valid cert, josm.openstreetmap.de, in case it helps to have a look.

Ciao
--
http://www.dstoecker.eu/ (PGP key available)
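As an added example, not part of the original message: a POSIX shell script that does two things a practitioner would want here. First, it checks a main.cf for the client-side CA parameter, since the Postfix SMTP client (smtp(8)) reads smtp_tls_CApath or smtp_tls_CAfile when it verifies a remote server's chain, while smtpd_tls_CApath configures only the server side; the client block in the posted config repeats smtpd_tls_CApath. Second, it summarizes the Trusted/Untrusted/Anonymous/Verified status that the client logs per destination, and flags peers whose status flips, which is the after-the-fact signal the message asks for. The log lines, the main.cf fragments and the function names are constructed for this example.

```shell
#!/bin/sh
# Postfix outbound TLS trust-status review (added example; sample data is constructed).

TMP=${TMPDIR:-/tmp}
SAMPLE_LOG=$(mktemp "$TMP/postfix-tls.XXXXXX")
BAD_CF=$(mktemp "$TMP/main-bad.XXXXXX")
GOOD_CF=$(mktemp "$TMP/main-good.XXXXXX")
trap 'rm -f "$SAMPLE_LOG" "$BAD_CF" "$GOOD_CF"' EXIT

# Constructed log lines in the shape Postfix smtp(8)/smtpd(8) use (RFC 5737 addresses).
# The last line is an inbound smtpd session and must be ignored by the client summary.
cat > "$SAMPLE_LOG" <<'EOF'
Jan  1 10:00:01 mx1 postfix/smtp[1001]: Untrusted TLS connection established to mail.example.org[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan  1 10:05:12 mx1 postfix/smtp[1002]: Trusted TLS connection established to mx.example.com[192.0.2.20]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jan  1 10:07:40 mx1 postfix/smtp[1003]: Untrusted TLS connection established to mail.example.org[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan  1 11:30:00 mx1 postfix/smtp[1004]: Trusted TLS connection established to mx.partner.example[198.51.100.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan  2 09:12:33 mx1 postfix/smtp[1005]: Anonymous TLS connection established to mx.partner.example[198.51.100.5]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
Jan  2 09:15:00 mx1 postfix/smtpd[1006]: Anonymous TLS connection established from client.example.net[203.0.113.7]: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
EOF

# Constructed main.cf client sections: the first repeats the server-side parameter,
# the second names the client-side one that smtp(8) actually reads.
cat > "$BAD_CF" <<'EOF'
smtp_tls_security_level = may
smtpd_tls_CApath = /etc/ssl/certs/
EOF
cat > "$GOOD_CF" <<'EOF'
smtp_tls_security_level = may
smtp_tls_CApath = /etc/ssl/certs/
EOF

# Exit 0 if the main.cf at $1 sets smtp_tls_CApath or smtp_tls_CAfile (client trust store).
# Without one of them the SMTP client has nothing to verify the peer chain against.
client_ca_configured() {
    grep -Eq '^[[:space:]]*smtp_tls_CA(path|file)[[:space:]]*=' "$1"
}

# Print "<peer> <status> <count>" for every outbound (smtp, not smtpd) TLS handshake
# line in the log at $1. Matching by pattern, not by field position, keeps it
# independent of the syslog prefix.
tls_trust_summary() {
    awk '
        match($0, /postfix\/smtp\[[0-9]+\]: (Trusted|Untrusted|Anonymous|Verified) TLS connection established to [^[ ]+/) {
            s = substr($0, RSTART, RLENGTH)
            n = split(s, w, " ")
            status = w[2]          # word after the "postfix/smtp[pid]:" token
            peer = w[n]            # destination hostname, address part stripped by the regex
            count[peer " " status]++
        }
        END { for (k in count) print k, count[k] }
    ' "$1" | LC_ALL=C sort
}

# Print peers that have both a verified (Trusted/Verified) session and an
# Untrusted/Anonymous session in the same log: a status flip for a peer that
# normally verifies is the line worth reading closely afterwards.
tls_status_flips() {
    tls_trust_summary "$1" | awk '
        { peer = $1; status = $2
          if (status == "Trusted" || status == "Verified") good[peer] = 1
          else bad[peer] = 1 }
        END { for (p in good) if (p in bad) print p }
    ' | LC_ALL=C sort
}

# Stand-alone run: report on the constructed samples.
for cf in "$BAD_CF" "$GOOD_CF"; do
    if client_ca_configured "$cf"; then
        echo "$cf: client trust store configured"
    else
        echo "$cf: no smtp_tls_CApath/smtp_tls_CAfile, client cannot verify peers"
    fi
done
echo "--- outbound TLS sessions by peer and status ---"
tls_trust_summary "$SAMPLE_LOG"
echo "--- peers whose verification status flips ---"
tls_status_flips "$SAMPLE_LOG"
```

On a live system, point tls_trust_summary at the mail log; with smtp_tls_loglevel = 1 every outbound handshake produces one such line, so the summary is complete even at security level "may".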
