On Tue, May 13, 2014 at 01:12:07PM +0200, li...@rhsoft.net wrote:
> > I know that untrusted means that the identity has not been verified. But
> > it _should_ (that's why I'm confused). So DANE may be implemented in the
> > future but for now it should work already. So any other ideas?
>
> *who* is complaining?
>
> a) your server about the destination
> b) the destination
>
> in case of b) no way - there is nothing to verify
>
> in case of a) the CA of the destination is unknown
>
> below our configuration and the log while delivering to gmail
> /etc/pki/tls/certs/ca-bundle.crt is the recent Fedora CA-bundle
>
> smtp_use_tls = yes
> smtp_tls_fingerprint_digest = sha1
> smtp_tls_loglevel = 1
> smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
> smtp_tls_security_level = may
> smtp_tls_note_starttls_offer = yes
>
> Trusted TLS connection established to
> gmail-smtp-in.l.google.com[74.125.136.26]:25: TLSv1.2 with cipher
> ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
It's case a). So my mailserver B is telling me:

May 13 13:58:10 mail postfix/smtp[12904]: Untrusted TLS connection established to my.mailserver.de[123.12.12.1]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)

And like I said, it looks fine from the openssl command and from Chromium if I use the certificate inside Apache2, but postfix is complaining and it is not telling me anything specific about what the issue is.
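As an added example that is not part of the thread (my own code, not Postfix's and not the poster's), here is a small Python classifier for the TLS session lines Postfix logs at smtp_tls_loglevel = 1, such as the two quoted above. It separates the two ways a session ends up below "Trusted": the peer presented a certificate whose chain did not verify against smtp_tls_CAfile / smtp_tls_CApath, or the peer negotiated an anonymous suite (OpenSSL names them ADH-* and AECDH-*, and AECDH-AES256-SHA is one of them), in which case no certificate is sent at all and no CA bundle can change the outcome. In SAMPLE_LOG, the lines for my.mailserver.de and gmail-smtp-in.l.google.com are the ones from the thread (the gmail timestamp and pid are filled in by me); the example.net / example.org lines are constructed.

```python
"""Classify Postfix smtp(8)/smtpd(8) TLS session log lines.

Added illustration for the thread above; not Postfix code. Parses the
"<Trust> TLS connection established to|from <peer>: <proto> with cipher
<name> (<bits>/<bits> bits)" line and says why a session is not trusted.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

TLS_LINE = re.compile(
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?P<direction>to|from) (?P<peer>.+?): (?P<proto>\S+) with cipher "
    r"(?P<cipher>\S+) \((?P<bits>\d+)/(?P<algbits>\d+) bits\)"
)

# OpenSSL names anonymous DH suites ADH-* and anonymous ECDH suites AECDH-*.
# Such a handshake carries no Certificate message, so there is nothing for
# smtp_tls_CAfile / smtp_tls_CApath to verify.
ANON_PREFIXES = ("ADH-", "AECDH-")


@dataclass
class TlsSession:
    trust: str          # Anonymous / Untrusted / Trusted / Verified
    direction: str      # "to" (smtp client) or "from" (smtpd server)
    peer: str           # host[ip] or host[ip]:port as logged
    proto: str
    cipher: str
    bits: int
    anonymous_kx: bool  # cipher suite has no certificate at all
    authenticated: bool # Postfix checked the chain successfully
    diagnosis: str


def parse_tls_line(line: str) -> Optional[TlsSession]:
    """Return a TlsSession for a Postfix TLS session line, else None."""
    m = TLS_LINE.search(line)
    if not m:
        return None
    trust = m.group("trust")
    cipher = m.group("cipher")
    anon = cipher.startswith(ANON_PREFIXES)
    authenticated = trust in ("Trusted", "Verified")
    if authenticated:
        diagnosis = "peer certificate chain verified against the configured CAs"
    elif anon:
        diagnosis = ("anonymous key exchange: the peer sent no certificate, so "
                     "smtp_tls_CAfile/smtp_tls_CApath cannot make this session trusted")
    elif trust == "Anonymous":
        diagnosis = "no peer certificate presented"
    else:
        diagnosis = ("certificate presented but its chain did not verify against "
                     "smtp_tls_CAfile/smtp_tls_CApath (unknown CA, missing "
                     "intermediate, or self-signed)")
    return TlsSession(
        trust=trust, direction=m.group("direction"), peer=m.group("peer"),
        proto=m.group("proto"), cipher=cipher, bits=int(m.group("bits")),
        anonymous_kx=anon, authenticated=authenticated, diagnosis=diagnosis,
    )


def unauthenticated_peers(lines: Iterable[str]) -> Dict[str, str]:
    """Map each peer whose session was not authenticated to a diagnosis."""
    out: Dict[str, str] = {}
    for line in lines:
        s = parse_tls_line(line)
        if s is not None and not s.authenticated:
            out[s.peer] = s.diagnosis
    return out


# Constructed sample log. The first two lines are the sessions quoted in the
# thread (gmail timestamp/pid invented); the rest use documentation hosts.
SAMPLE_LOG = [
    "May 13 13:58:10 mail postfix/smtp[12904]: Untrusted TLS connection established "
    "to my.mailserver.de[123.12.12.1]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)",
    "May 13 13:40:01 mail postfix/smtp[12877]: Trusted TLS connection established "
    "to gmail-smtp-in.l.google.com[74.125.136.26]:25: TLSv1.2 with cipher "
    "ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)",
    "May 13 14:02:33 mail postfix/smtp[12950]: Untrusted TLS connection established "
    "to mx.example.net[192.0.2.10]:25: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "May 13 14:05:12 mail postfix/smtpd[12960]: Anonymous TLS connection established "
    "from client.example.org[198.51.100.7]: TLSv1 with cipher ADH-AES128-SHA (128/128 bits)",
    "May 13 14:06:00 mail postfix/smtp[12971]: connect to mx2.example.net[192.0.2.11]:25: "
    "Connection refused",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        s = parse_tls_line(line)
        if s is None:
            continue
        print(f"{s.trust:<10} {s.direction} {s.peer:<45} {s.cipher:<30} -> {s.diagnosis}")
```

Run over the real mail log with `grep 'TLS connection established' /var/log/maillog` piped into `unauthenticated_peers`, the "anonymous key exchange" diagnosis tells you to look at the remote server's cipher configuration rather than at your CA bundle, while the "chain did not verify" diagnosis is the case where checking the bundle and the served intermediates is worthwhile.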