On 13.05.2014 13:06, Simon Effenberg wrote:
> On Tue, May 13, 2014 at 10:50:32AM +0200, Patrick Ben Koetter wrote:
>> * Simon Effenberg <sa...@schuldeigen.de>:
>>> Hi @list,
>>>
>>> I have an issue with my SSL certificate. When I send a mail from another
>>> postfix to the one with the installed certificate it is complaining
>>> about an Untrusted TLS connection. The certificate uses SAN and is
>>> signed. OpenSSL tells me that everything is fine. When I test it through
>>> ssl-tools.net it is also fine. If I install it as a server certificate
>>> within an apache and test it through chrome it is fine as well.
>>
>> Untrusted = encrypted, but the identity has not been verified
>> Use DANE (Postfix 2.11.1+) for automated identity verification.
>
> I know that untrusted means that the identity has not been verified. But
> it _should_ (that's why I'm confused). So DANE may be implemented in the
> future but for now it should work already. So any other ideas?

*who* is complaining?

a) your server about the destination
b) the destination

in case of b) no way - there is nothing to verify
in case of a) the CA of the destination is unknown

below our configuration and the log while delivering to gmail
/etc/pki/tls/certs/ca-bundle.crt is the recent Fedora CA-bundle

smtp_use_tls = yes
smtp_tls_fingerprint_digest = sha1
smtp_tls_loglevel = 1
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes

Trusted TLS connection established to gmail-smtp-in.l.google.com[74.125.136.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
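
Added example, not part of the original messages: a small Python parser for the TLS summary lines the Postfix SMTP client writes at smtp_tls_loglevel = 1, listing the destinations whose certificate chain did not validate against the configured CA file. The syslog prefixes, the example.org host and the 192.0.2.10 address are constructed sample data.

```python
import re
from collections import defaultdict

# Status words the Postfix SMTP client logs when smtp_tls_loglevel >= 1:
#   Anonymous - no peer certificate was used
#   Untrusted - certificate presented, chain not validated against the CA store
#   Trusted   - chain validated against smtp_tls_CAfile/CApath, name not matched
#   Verified  - chain validated and peer name matched
LINE_RE = re.compile(
    r"(?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"to (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/(?P<max_bits>\d+) bits\)"
)

def parse_line(line):
    """Return the TLS fields of one log line, or None if it is not a TLS summary."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Map each destination host to the set of status words seen for it."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            seen[rec["host"]].add(rec["level"])
    return dict(seen)

def unauthenticated(summary):
    """Hosts with at least one session whose certificate chain was not validated."""
    return sorted(h for h, lv in summary.items() if lv & {"Anonymous", "Untrusted"})

# The first line carries the log message from the post; the syslog prefixes and
# the other lines (example.org, 192.0.2.10) are constructed for illustration.
SAMPLE_LOG = [
    "May 13 13:10:01 mail postfix/smtp[1234]: Trusted TLS connection established to "
    "gmail-smtp-in.l.google.com[74.125.136.26]:25: TLSv1.2 with cipher "
    "ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)",
    "May 13 13:10:07 mail postfix/smtp[1240]: Untrusted TLS connection established to "
    "mx.example.org[192.0.2.10]:25: TLSv1.2 with cipher "
    "ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "May 13 13:10:09 mail postfix/qmgr[900]: 3F2A1: removed",
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for host, levels in sorted(summary.items()):
        print(host, sorted(levels))
    print("not authenticated:", unauthenticated(summary))
```

With smtp_tls_security_level = may, mail to a host reported as Untrusted is still delivered over the encrypted session; the log line is the only place the failed validation shows up.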