On Tue, Feb 24, 2015 at 08:16:32PM +0100, İhsan Doğan wrote:

> >> 2. smtp_tls_security_level = may
> >>
> >> Feb 24 19:16:51 bender postfix/smtp[26830]: [ID 197553 mail.info]
> >> Untrusted TLS connection established to mail.dogan.ch[77.109.151.89]:25:
> >> TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)

This is likely a Postfix server that supports anon-DH ciphersuites.

> It's still not clear to me, why in this case there was no authentication
> performed. With the same configuration, an SMTP connection to Gmail is
> authenticated:
>
> Feb 24 20:09:36 bender postfix/smtp[27726]: [ID 197553 mail.info]
> Trusted TLS connection established to
> gmail-smtp-in.l.google.com[74.125.136.26]:25: TLSv1.2 with cipher
> ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
>
> For me still the question remains, why one connection is authenticated
> and one not. Are there any criteria that need to be met?

This is a Google server that does not support anon-DH ciphersuites.
It is *not* authenticated. It has a certificate from *some* trusted
CA, binding the public key to *some* name, not necessarily related
to the intended destination. If it were authenticated the connection
would be "Verified" not "Trusted".

--
Viktor.
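The distinction drawn in the reply above, as an added example that is not part of the original message or of Postfix: a small Python parser that reads the "TLS connection established" log lines and reports which connections were actually authenticated. The function names, the note wording and the regular expression are assumptions of this example; the sample log is the two entries quoted in the thread, joined onto single lines.

```python
import re

# Constructed sample: the two log entries quoted in the thread, one per line.
SAMPLE_LOG = """\
Feb 24 19:16:51 bender postfix/smtp[26830]: [ID 197553 mail.info] Untrusted TLS connection established to mail.dogan.ch[77.109.151.89]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Feb 24 20:09:36 bender postfix/smtp[27726]: [ID 197553 mail.info] Trusted TLS connection established to gmail-smtp-in.l.google.com[74.125.136.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
"""

TLS_LINE = re.compile(
    r"postfix/smtp\[\d+\]: .*?\b(?P<status>Untrusted|Trusted|Verified) TLS connection "
    r"established to (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

# OpenSSL names anonymous (certificate-less) key exchanges ADH-* and AECDH-*.
ANON_PREFIXES = ("ADH-", "AECDH-")


def classify(line):
    """Parse one Postfix smtp(8) TLS log line; return None if it is not one."""
    m = TLS_LINE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["anonymous"] = rec["cipher"].startswith(ANON_PREFIXES)
    # Only "Verified" means the peer was authenticated; "Trusted" does not.
    rec["authenticated"] = rec["status"] == "Verified"
    if rec["anonymous"]:
        rec["note"] = "anon-DH cipher: server presented no certificate"
    elif rec["status"] == "Trusted":
        rec["note"] = "certificate from some trusted CA, name not tied to the destination"
    elif rec["status"] == "Verified":
        rec["note"] = "peer authenticated"
    else:
        rec["note"] = "certificate chain not trusted"
    return rec


def summarize(log_text):
    """Return the parsed records for every TLS line in a log excerpt."""
    return [r for r in map(classify, log_text.splitlines()) if r]


if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG):
        print(f'{r["host"]:<28} {r["status"]:<9} auth={r["authenticated"]}  {r["note"]}')
```

Run over the thread's two log lines, it reports neither connection as authenticated: one used an anon-DH cipher, the other was only "Trusted".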