On 16.07.2014 15:48, Sven Strickroth wrote:
> I'm using smtp_tls_policy_maps = hash:/etc/postfix/tls_policy with an entry
> like "hs-hannover.de secure match=.fh-hannover.de".
>
> However, I'm able with postfix to deliver mails to that domain despite the
> fact that the certificate expired (in logs I see the following statement:)
> Jul 16 15:06:11 srv1 postfix/smtp[3760]: server certificate verification
> failed for pmx1.fh-hannover.de[141.71.1.161]:25: certificate has expired
> Jul 16 15:06:11 srv1 postfix/smtp[3760]: 386DE21530A: Server certificate not
> trusted
> Jul 16 15:06:14 srv1 postfix/smtp[3760]: 386DE21530A:
> to=<postmas...@hs-hannover.de>, relay=pmx2.fh-hannover.de[141.71.1.162]:25,
> delay=3.8, delays=0.25/0/0.41/3.1, dsn=2.0.0, status=sent (250 2.0.0 Ok:
> queued as XXXXX)
>
> But I expected that no mail delivery is possible (i.e., mail gets deferred)
> since I used "secure" (I thought "secure" also includes the certificate
> checks of "verify").
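As an added example that is not part of this thread, here is a check a postmaster can run over smtp(8) log lines like the ones quoted above: it ties each "Server certificate not trusted" warning to the verification failure logged by the same process, then flags any queue ID that is nevertheless logged as "sent", reporting the server that failed verification and the relay the message actually went out through. The sample log is constructed from the quoted lines (placeholder recipient, plus a made-up clean delivery as a control).

```python
import re

# Constructed sample log, modelled on the lines quoted in the thread
# (placeholder recipient; the second queue ID is a made-up control case).
SAMPLE_LOG = """\
Jul 16 15:06:11 srv1 postfix/smtp[3760]: server certificate verification failed for pmx1.fh-hannover.de[141.71.1.161]:25: certificate has expired
Jul 16 15:06:11 srv1 postfix/smtp[3760]: 386DE21530A: Server certificate not trusted
Jul 16 15:06:14 srv1 postfix/smtp[3760]: 386DE21530A: to=<user@hs-hannover.de>, relay=pmx2.fh-hannover.de[141.71.1.162]:25, delay=3.8, delays=0.25/0/0.41/3.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as XXXXX)
Jul 16 15:07:02 srv1 postfix/smtp[3761]: 4A1F021530B: to=<user@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.3/0.8, dsn=2.0.0, status=sent (250 ok)
"""

# The "verification failed" line names the server and reason but carries no
# queue ID, so it is tied to the queue ID via the smtp(8) PID that logged both.
VERIFY_FAIL_RE = re.compile(r'postfix/smtp\[(?P<pid>\d+)\]: server certificate '
                            r'verification failed for (?P<server>\S+?):\d+: (?P<reason>.*)$')
UNTRUSTED_RE = re.compile(r'postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>\w+): '
                          r'Server certificate not trusted')
DELIVERY_RE = re.compile(r'postfix/smtp\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]*)>, '
                         r'relay=(?P<relay>[^,]+),.*status=(?P<status>\w+)')


def find_sent_after_untrusted(log_text):
    """Return deliveries logged as 'sent' whose queue ID was earlier marked
    'Server certificate not trusted', with the failing server and relay used."""
    last_fail_by_pid = {}   # pid -> (server, reason) of that process's latest failure
    untrusted = {}          # queue id -> (server, reason)
    findings = []
    for line in log_text.splitlines():
        if m := VERIFY_FAIL_RE.search(line):
            last_fail_by_pid[m['pid']] = (m['server'], m['reason'])
        elif m := UNTRUSTED_RE.search(line):
            untrusted[m['qid']] = last_fail_by_pid.get(m['pid'], ('unknown', 'unknown'))
        elif (m := DELIVERY_RE.search(line)) and m['status'] == 'sent' \
                and m['qid'] in untrusted:
            server, reason = untrusted[m['qid']]
            findings.append({'queue_id': m['qid'], 'recipient': m['rcpt'],
                             'failed_server': server, 'reason': reason,
                             'delivered_via': m['relay']})
    return findings


if __name__ == '__main__':
    for f in find_sent_after_untrusted(SAMPLE_LOG):
        print(f"{f['queue_id']}: {f['failed_server']} failed ({f['reason']}), "
              f"delivered to {f['recipient']} via {f['delivered_via']}")
```

On the sample, the only finding is queue ID 386DE21530A: verification failed against pmx1 but the delivery record shows pmx2 as the relay, which is the first thing to check before concluding that the policy itself was ignored.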
"secure" means enforce encryption while "may" allows fallback to plain. Anything above requires DANE - the archives are your friend. Without DANE there is no real verification possible at all:
http://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities