On Wed, Jul 16, 2014 at 03:48:12PM +0200, Sven Strickroth wrote:

> I'm using smtp_tls_policy_maps = hash:/etc/postfix/tls_policy with an
> entry like "hs-hannover.de secure match=.fh-hannover.de".
> 
> However, I'm able with postfix to deliver mails to that domain
> despite the fact that the certificate expired (in logs I see the
> following statement:)

You say "the certificate expired", but the real story is that "a
certificate" expired.

> Jul 16 15:06:11 srv1 postfix/smtp[3760]: server certificate verification 
> failed for pmx1.fh-hannover.de[141.71.1.161]:25: certificate has expired
> Jul 16 15:06:11 srv1 postfix/smtp[3760]: 386DE21530A: Server certificate not 
> trusted

This is pmx1.fh-hannover.de.

> Jul 16 15:06:14 srv1 postfix/smtp[3760]: 386DE21530A:
>   to=<postmas...@hs-hannover.de>,
>   relay=pmx2.fh-hannover.de[141.71.1.162]:25,
>   delay=3.8, delays=0.25/0/0.41/3.1, dsn=2.0.0, status=sent
>   (250 2.0.0 Ok: queued as XXXXX)

The successful delivery is via pmx2 whose certificate has not expired.

> But I expected that no mail delivery is possible (i.e., mail gets deferred)
> since I used "secure" (I thought "secure" also includes the certificate
> checks of "verify").

Everything worked as intended: delivery via the remaining host, whose
certificate is still valid.

-- 
        Viktor.
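
Added example, not part of the original message or of Postfix: a small log correlator that ties each "certificate verification failed" host to the queue ID it was rejected for and checks whether the final delivery used that host or a different MX. It assumes the verification-failure line and the following "not trusted" line come from the same smtp process ID, as in the quoted log; the sample recipient address is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample: the log lines quoted in the thread, unwrapped to one
# record per line; the recipient address is a placeholder.
SAMPLE_LOG = """\
Jul 16 15:06:11 srv1 postfix/smtp[3760]: server certificate verification failed for pmx1.fh-hannover.de[141.71.1.161]:25: certificate has expired
Jul 16 15:06:11 srv1 postfix/smtp[3760]: 386DE21530A: Server certificate not trusted
Jul 16 15:06:14 srv1 postfix/smtp[3760]: 386DE21530A: to=<user@example.invalid>, relay=pmx2.fh-hannover.de[141.71.1.162]:25, delay=3.8, delays=0.25/0/0.41/3.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as XXXXX)
"""

PREFIX = re.compile(r"postfix/smtp\[(\d+)\]: (.*)")
VERIFY_FAIL = re.compile(r"server certificate verification failed for (\S+\[[^\]]+\]:\d+): (.*)")
UNTRUSTED = re.compile(r"(\w+): Server certificate not trusted")
DELIVERY = re.compile(r"(\w+): to=<[^>]*>, relay=([^,]+),.*status=(\w+)")

def correlate(log_text):
    """Return one record per delivery attempt, listing hosts rejected for it."""
    last_failure = {}             # smtp pid -> (host, reason) just rejected
    rejected = defaultdict(list)  # queue id -> [(host, reason), ...]
    results = []
    for line in log_text.splitlines():
        m = PREFIX.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        if (f := VERIFY_FAIL.match(msg)):
            # This line carries no queue ID; remember it per process.
            last_failure[pid] = f.groups()
        elif (u := UNTRUSTED.match(msg)) and pid in last_failure:
            rejected[u.group(1)].append(last_failure.pop(pid))
        elif (d := DELIVERY.match(msg)):
            qid, relay, status = d.groups()
            bad_hosts = [host for host, _ in rejected[qid]]
            results.append({
                "queue_id": qid, "relay": relay, "status": status,
                "rejected": list(rejected[qid]),
                # True would mean mail went to a host that failed verification.
                "sent_via_rejected_host": status == "sent" and relay in bad_hosts,
            })
    return results

if __name__ == "__main__":
    for rec in correlate(SAMPLE_LOG):
        print(rec)
```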
