On 13.05.2014 14:04, Simon Effenberg wrote:
> On Tue, May 13, 2014 at 01:12:07PM +0200, li...@rhsoft.net wrote:
>>> I know that untrusted means that the identity has not been verified. But
>>> it _should_ (that's why I'm confused). So DANE may be implemented in the
>>> future but for now it should work already. So any other ideas?
>>
>> *who* is complaining?
>>
>> a) your server about the destination
>> b) the destination
>>
>> in case of b) no way - there is nothing to verify
>>
>> in case of a) the CA of the destination is unknown
>> below our configuration and the log while delivering to Gmail
>> /etc/pki/tls/certs/ca-bundle.crt is the recent Fedora CA bundle
>>
>> smtp_use_tls = yes
>> smtp_tls_fingerprint_digest = sha1
>> smtp_tls_loglevel = 1
>> smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
>> smtp_tls_security_level = may
>> smtp_tls_note_starttls_offer = yes
>>
>> Trusted TLS connection established to
>> gmail-smtp-in.l.google.com[74.125.136.26]:25: TLSv1.2 with cipher
>> ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
>
> It's case a) .. so my mailserver B is telling me:
>
> May 13 13:58:10 mail postfix/smtp[12904]: Untrusted TLS connection
> established to my.mailserver.de[123.12.12.1]:25: TLSv1.2 with cipher
> AECDH-AES256-SHA (256/256 bits)
>
> And like I said.. it looks fine from the openssl command and from
> Chromium if I use the certificate inside an Apache2.. but postfix is
> complaining and it is not telling me anything specific about what the
> issue is.
the CA of the certificate used on "my.mailserver.de" is not in
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

"from Chromium if I use the certificate inside an Apache2" is a
different story: Chromium has the CA *and* the trust chain in its CA
list; /etc/ssl/certs/ca-certificates.crt is missing one of them

and BTW it's completely pointless: when in doubt, if I hijack your DNS
server and manage to get a certificate from whatever trusted CA for
"my.mailserver.de", you would see no difference - it would still be
trusted in case of a known CA

it's even recommended *not* to use smtp_tls_CAfile and to stay with
*any* delivery as "Untrusted", because there is no way of *real* trust
without DNSSEC/DANE
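As an added example (this is not code from either poster, and not part of Postfix), here is a small Python parser that turns postfix/smtp TLS log lines like the two quoted above into structured records and spells out what each logged trust word (Anonymous, Untrusted, Trusted, Verified) actually guarantees about the peer. It also flags OpenSSL's ADH-*/AECDH-* suites, on which no certificate is exchanged at all, as is the case for the AECDH-AES256-SHA line in the thread. The sample log is constructed: its first two lines are modelled on the ones quoted above, while the Verified line, the host mx.example.net and the queue ID are assumptions made for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# postfix/smtp(8) client-side TLS log line; the syslog prefix is not required,
# so lines pasted without it (as in the thread) parse as well.
TLS_LINE = re.compile(
    r"(?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(?P<host>\S+?)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)

# What each word Postfix logs actually guarantees about the peer.
LEVEL_MEANING = {
    "Anonymous": "peer presented no certificate; encryption only",
    "Untrusted": "certificate presented but its chain does not lead to a CA in "
                 "smtp_tls_CAfile/smtp_tls_CApath; encryption only",
    "Trusted":   "chain leads to a configured CA, but the name was not matched; "
                 "any CA in the bundle could have issued it",
    "Verified":  "chain verified and the name (or fingerprint) matched the policy; "
                 "the peer is authenticated",
}


@dataclass(frozen=True)
class TlsEvent:
    level: str
    host: str
    ip: str
    port: int
    proto: str
    cipher: str
    bits: int

    @property
    def anonymous_cipher(self) -> bool:
        # OpenSSL names certificate-less (anonymous) DH/ECDH suites ADH-* and
        # AECDH-*; on such a connection no certificate is exchanged, so which
        # CA signed the server's certificate never comes into play.
        return self.cipher.startswith(("ADH-", "AECDH-"))

    @property
    def peer_authenticated(self) -> bool:
        # Only "Verified" means Postfix matched the peer's identity; "Trusted"
        # says only that some CA in the configured bundle signed the chain.
        return self.level == "Verified" and not self.anonymous_cipher


def parse_tls_line(line: str) -> Optional[TlsEvent]:
    """Return a TlsEvent for a TLS connection log line, or None for any other line."""
    m = TLS_LINE.search(line)
    if m is None:
        return None
    return TlsEvent(m["level"], m["host"], m["ip"], int(m["port"]),
                    m["proto"], m["cipher"], int(m["bits"]))


def summarize(lines: Iterable[str]) -> Counter:
    """Number of connections per logged trust level; non-TLS lines are skipped."""
    return Counter(ev.level for ev in map(parse_tls_line, lines) if ev is not None)


def findings(lines: Iterable[str]) -> List[str]:
    """One line per TLS connection whose peer was NOT authenticated, with the reason."""
    out = []
    for ev in map(parse_tls_line, lines):
        if ev is None or ev.peer_authenticated:
            continue
        if ev.anonymous_cipher:
            why = "anonymous cipher %s, no certificate used" % ev.cipher
        else:
            why = LEVEL_MEANING[ev.level]
        out.append("%s[%s]:%d %s: %s" % (ev.host, ev.ip, ev.port, ev.level, why))
    return out


# Constructed sample log: the first two lines follow the ones quoted in the
# thread; the Verified line, mx.example.net and the queue ID are assumptions.
SAMPLE_LOG = [
    "May 13 13:58:10 mail postfix/smtp[12904]: Untrusted TLS connection established to "
    "my.mailserver.de[123.12.12.1]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)",
    "May 13 13:58:11 mail postfix/smtp[12905]: Trusted TLS connection established to "
    "gmail-smtp-in.l.google.com[74.125.136.26]:25: TLSv1.2 with cipher "
    "ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)",
    "May 13 13:58:12 mail postfix/smtp[12906]: Verified TLS connection established to "
    "mx.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "May 13 13:58:13 mail postfix/smtp[12906]: 3F2A1B0C9D: to=<user@example.net>, "
    "relay=mx.example.net[192.0.2.10]:25, delay=0.7, status=sent (250 2.0.0 OK)",
]

if __name__ == "__main__":
    for level, n in sorted(summarize(SAMPLE_LOG).items()):
        print("%-10s %d   (%s)" % (level, n, LEVEL_MEANING[level]))
    for f in findings(SAMPLE_LOG):
        print("not authenticated:", f)
```

Two things to keep in mind when reading the output: with `smtp_tls_security_level = may`, as in the configuration quoted above, Postfix never matches the peer name, so the best word you will ever see for a destination is "Trusted", and "Verified" only appears for destinations given a `verify`, `secure`, `fingerprint` or DANE policy. And on an ADH-/AECDH- suite the question of which CA is in smtp_tls_CAfile is moot, because the connection carried no certificate to begin with.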