Hi,

For me, it's not 100% clear how the Postfix smtp client chooses the TLS cipher. In a setup where a Postfix server connects to mail.dogan.ch, I've experienced this behaviour:

1. smtp_tls_security_level = verify

   Feb 24 18:51:28 bender postfix/smtp[26237]: [ID 197553 mail.info] Verified TLS connection established to mail.dogan.ch[77.109.151.89]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

2. smtp_tls_security_level = may

   Feb 24 19:16:51 bender postfix/smtp[26830]: [ID 197553 mail.info] Untrusted TLS connection established to mail.dogan.ch[77.109.151.89]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)

smtp_tls_CAfile: In both cases the CA file is loaded.

I guess the Postfix smtp client chooses the cipher ECDHE-RSA-AES256-GCM-SHA384 only when smtp_tls_security_level is set to verify, because the TLS connection is untrusted.

What makes me wonder is why the TLS connection is trusted if smtp_tls_security_level is set to verify, but untrusted if smtp_tls_security_level is set to may. What is the logic behind this?

Ihsan

--
ih...@dogan.ch
http://blog.dogan.ch/