On Mon, Jun 30, 2014 at 01:45:19PM +0200, Ralf Hildebrandt wrote:

> > Jun 25 15:12:23 albatross postfix/smtp[16480]: Untrusted TLS
> > connection established to mail.lastmikoi.net[212.83.147.35]:25:
> > TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> >
> > Jun 25 15:12:23 albatross postfix/smtp[16480]: 3gz3jG3v0Mz7LjZ:
> > to=<...@lastmikoi.net>, relay=mail.lastmikoi.net[212.83.147.35]:25,
> > delay=2229, delays=2229/0/0.09/0, dsn=4.7.5, status=deferred
> > (Server certificate not trusted)
> >
> > But why is the server certificate not trusted (and the email being
> > deferred)?
> >
> > smtp_tls_security_level = dane
> > smtp_dns_support_level = dnssec
>
> It was a DANE issue (on the receiving side)
Any more detail?

Note the TLSA record (which seems to "work") is a "1 0 1" record, but
SMTP should only employ DANE-EE(3) or DANE-TA(2) certificate usages.
Postfix also "tolerates" PKIX-EE(1), treating it as equivalent to
DANE-EE(3), but servers SHOULD NOT publish such records.

posttls-finger: using DANE RR: _25._tcp.mail.lastmikoi.net IN TLSA 1 0 1 4A:5A:A2:2D:8E:7B:CD:09:D4:8A:6C:1A:6A:BB:F1:22:75:BA:24:AC:05:F3:28:5F:66:FC:D8:A1:04:29:73:AC

--
	Viktor.
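As an added illustration of the point about certificate usages (this is example code, not Postfix code and not part of the thread), the checker below parses a TLSA record in the presentation form that posttls-finger or dig prints, reports what a server operator should fix before relying on it for inbound SMTP (usage 1 is flagged as tolerated-but-not-to-be-published, usage 0 as unusable, digest lengths are checked), and for selector 0 verifies the record against a certificate's DER bytes. The record quoted above is used as input; `SAMPLE_CERT_DER` is a constructed byte string standing in for a certificate, not a real one, and all function names are this example's own.

```python
"""Added example: is a TLSA record suitable for SMTP DANE (RFC 7672), and
for selector 0, does it match a given certificate?  Not Postfix code; the
helper names are this example's own."""
import hashlib
import re
from dataclasses import dataclass

# Certificate usage values (RFC 6698 section 2.1.1)
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
# SMTP uses only DANE-TA(2) and DANE-EE(3); Postfix also accepts
# PKIX-EE(1) and treats it as DANE-EE(3), as the thread says.
SMTP_USAGES = {DANE_TA, DANE_EE}
# matching type -> (hashlib name, expected hex length); 0 means raw data
MATCHING_TYPES = {0: None, 1: ("sha256", 64), 2: ("sha512", 128)}

# Record quoted in the thread (posttls-finger output).
THREAD_RECORD = ("_25._tcp.mail.lastmikoi.net IN TLSA 1 0 1 "
                 "4A:5A:A2:2D:8E:7B:CD:09:D4:8A:6C:1A:6A:BB:F1:22:"
                 "75:BA:24:AC:05:F3:28:5F:66:FC:D8:A1:04:29:73:AC")
# Constructed stand-in for a DER certificate; not a real certificate.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))


@dataclass
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes           # certificate association data


_RE_FULL = re.compile(r"TLSA\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f:\s]+)$")
_RE_BARE = re.compile(r"\s*(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f:\s]+)")


def parse_tlsa(text: str) -> TLSARecord:
    """Accept 'owner IN TLSA u s m hex' or bare 'u s m hex'.  posttls-finger
    prints the hex with colons, dig without (possibly space-separated)."""
    m = _RE_FULL.search(text) or _RE_BARE.fullmatch(text)
    if not m:
        raise ValueError("not a TLSA record: %r" % text)
    usage, selector, mtype = (int(m.group(i)) for i in (1, 2, 3))
    hexdata = re.sub(r"[:\s]", "", m.group(4))
    return TLSARecord(usage, selector, mtype, bytes.fromhex(hexdata))


def assess_for_smtp(rec: TLSARecord) -> list:
    """Problems a server operator should fix before relying on this record
    for inbound SMTP; an empty list means it is fine."""
    problems = []
    if rec.usage == PKIX_EE:
        problems.append("usage 1 (PKIX-EE): Postfix tolerates it as DANE-EE(3), "
                        "but servers SHOULD NOT publish it; use usage 3")
    elif rec.usage not in SMTP_USAGES:
        problems.append("usage %d: not usable for SMTP DANE; use 3 or 2" % rec.usage)
    if rec.selector not in (0, 1):
        problems.append("unknown selector %d" % rec.selector)
    if rec.matching_type not in MATCHING_TYPES:
        problems.append("unknown matching type %d" % rec.matching_type)
    elif MATCHING_TYPES[rec.matching_type]:
        want = MATCHING_TYPES[rec.matching_type][1]
        if len(rec.data) * 2 != want:
            problems.append("matching type %d needs %d hex digits, got %d"
                            % (rec.matching_type, want, len(rec.data) * 2))
    return problems


def matches_full_cert(rec: TLSARecord, cert_der: bytes) -> bool:
    """Selector 0 compares the whole DER certificate (hashed per the
    matching type).  Selector 1 would need the SubjectPublicKeyInfo, which
    requires ASN.1 parsing and is not done in this example."""
    if rec.selector != 0:
        raise ValueError("only selector 0 is handled in this example")
    if rec.matching_type == 0:
        return rec.data == cert_der
    algo = MATCHING_TYPES[rec.matching_type][0]
    return hashlib.new(algo, cert_der).digest() == rec.data


def tlsa_for_full_cert(cert_der: bytes, usage: int = DANE_EE) -> str:
    """Record data a server operator would publish for this certificate:
    selector 0 (full cert), matching type 1 (SHA-256)."""
    return "%d 0 1 %s" % (usage, hashlib.sha256(cert_der).hexdigest())


if __name__ == "__main__":
    rec = parse_tlsa(THREAD_RECORD)
    for p in assess_for_smtp(rec) or ["record is fine for SMTP"]:
        print(p)
    print(tlsa_for_full_cert(SAMPLE_CERT_DER))
```

Run as a script it prints the usage-1 warning for the thread's record and the "3 0 1" record that would be published for the sample certificate. Selector 0 records are the easy case to verify by hand because the digest is taken over the raw DER; a selector 1 record needs the SubjectPublicKeyInfo extracted first (for example with `openssl x509 -pubkey`), which is why this example stops at selector 0.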