Hi list

I have an Ubuntu Postfix (2.11) setup which only delivers locally submitted mail.
I have enabled outgoing TLS support:
root@rowan:/etc/postfix# postconf -n | grep tls
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
Postfix can establish Trusted connections to a variety of hosts:

Mar 2 19:59:06 rowan postfix/smtp[17346]: Trusted TLS connection established to mx01.gmx.net[212.227.17.4]:25: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 2 20:15:53 rowan postfix/smtp[20057]: Trusted TLS connection established to ASPMX.L.GOOGLE.COM[173.194.67.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
However, when connecting to another Postfix server I manage, I get:

Mar 2 20:20:07 rowan postfix/smtp[20386]: Untrusted TLS connection established to mail.netpresto.co.uk[213.210.16.25]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
My first assumption was that I had not configured mail.netpresto.co.uk correctly.
But several web-based testing tools say all is OK with the mail.netpresto.co.uk TLS certificates.
Also, posttls-finger appears to tell me everything is good with mail.netpresto.co.uk:

root@rowan:/etc/postfix# posttls-finger -F /var/spool/postfix/etc/ssl/certs/ca-certificates.crt 213.210.16.25
posttls-finger: Connected to 213.210.16.25[213.210.16.25]:25
posttls-finger: < 220 mail.netpresto.co.uk ESMTP
posttls-finger: > EHLO rowan.netpresto.co.uk
posttls-finger: < 250-mail.netpresto.co.uk
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 20971520
posttls-finger: < 250-ETRN
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250 8BITMIME
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: 213.210.16.25[213.210.16.25]:25: subjectAltName: *.netpresto.co.uk
posttls-finger: 213.210.16.25[213.210.16.25]:25: subjectAltName: netpresto.co.uk
posttls-finger: 213.210.16.25[213.210.16.25]:25 CommonName *.netpresto.co.uk
posttls-finger: 213.210.16.25[213.210.16.25]:25: subject_CN=*.netpresto.co.uk, issuer_CN=AlphaSSL CA - G2, fingerprint=F7:93:83:FF:86:3E:3E:C6:D4:36:D9:E0:FB:A8:F0:A2:26:EF:B5:B6, pkey_fingerprint=D1:24:20:68:80:63:0F:BC:1C:9E:72:9D:6C:CA:82:06:C1:5F:88:05
posttls-finger: Trusted TLS connection established to 213.210.16.25[213.210.16.25]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
posttls-finger: > EHLO rowan.netpresto.co.uk
posttls-finger: < 250-mail.netpresto.co.uk
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 20971520
posttls-finger: < 250-ETRN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250 8BITMIME
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye
Why are the posttls-finger results different from what the postfix/smtp client gets for this connection?
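One check worth doing before comparing CA files is to read the cipher names in the two log lines side by side. In OpenSSL's naming, suites that start with AECDH- or ADH- use anonymous key exchange: the server sends no certificate at all, so there is nothing for the client to verify regardless of smtp_tls_CAfile, whereas an ECDHE-RSA- or DHE-RSA- suite does involve a certificate. The script below is an added example, not part of the message above or of Postfix: it parses the "TLS connection established" lines that postfix/smtp and posttls-finger log, groups them by peer IP, and for any peer where one client got Trusted and another did not, reports whether the non-trusted session used an anonymous suite (cipher selection) or an authenticated one (certificate verification). The sample log is constructed to mirror the lines in the post; the 192.0.2.10 peer is a made-up RFC 5737 address added to show the other branch.

```python
"""Spot why two TLS clients disagree about a peer: anonymous suite vs. failed verification.

Added example, not code from the original post or from Postfix. The sample log
below is constructed; mx.example.invalid / 192.0.2.10 is a fictitious peer.
"""
import re
from dataclasses import dataclass

# Matches the "<trust> TLS connection established to host[ip]:port: proto with
# cipher NAME (n/m bits)" text logged by postfix/smtp and by posttls-finger.
TLS_LINE = re.compile(
    r"(?P<source>postfix/smtp\[\d+\]|posttls-finger): "
    r"(?P<trust>Verified|Trusted|Untrusted|Anonymous) TLS connection established to "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)

# OpenSSL cipher-suite name prefixes for anonymous (unauthenticated) key exchange.
ANON_PREFIXES = ("AECDH-", "ADH-")

# Constructed sample: the first three lines mirror the post, the last two are invented.
SAMPLE_LOG = """\
Mar  2 19:59:06 rowan postfix/smtp[17346]: Trusted TLS connection established to mx01.gmx.net[212.227.17.4]:25: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  2 20:20:07 rowan postfix/smtp[20386]: Untrusted TLS connection established to mail.netpresto.co.uk[213.210.16.25]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
posttls-finger: Trusted TLS connection established to 213.210.16.25[213.210.16.25]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  2 20:21:00 rowan postfix/smtp[20400]: Untrusted TLS connection established to mx.example.invalid[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)
posttls-finger: Trusted TLS connection established to 192.0.2.10[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)
"""


@dataclass
class TlsEvent:
    source: str   # "postfix/smtp[PID]" or "posttls-finger"
    trust: str    # Verified / Trusted / Untrusted / Anonymous
    host: str
    ip: str
    proto: str
    cipher: str
    bits: int

    @property
    def anonymous_kx(self) -> bool:
        """True when the suite has no server authentication (no certificate was sent)."""
        return self.cipher.startswith(ANON_PREFIXES)


def parse_tls_line(line: str):
    """Return a TlsEvent for a TLS-established log line, or None for anything else."""
    m = TLS_LINE.search(line)
    if not m:
        return None
    return TlsEvent(m["source"], m["trust"], m["host"], m["ip"],
                    m["proto"], m["cipher"], int(m["bits"]))


def parse_log(text: str):
    """Parse every matching line of a log excerpt, skipping unrelated lines."""
    return [e for e in (parse_tls_line(l) for l in text.splitlines()) if e]


def explain_trust_gap(events):
    """For each peer IP seen both as Trusted/Verified and as something weaker,
    say whether the weaker session used an anonymous suite. If it did, the CA
    file could not have mattered: no certificate was presented to verify. If it
    did not, the two clients verified a real certificate differently, which
    points at trust anchors or the security level in use."""
    by_ip = {}
    for e in events:
        by_ip.setdefault(e.ip, []).append(e)
    report = {}
    for ip, evs in by_ip.items():
        trusted = [e for e in evs if e.trust in ("Trusted", "Verified")]
        weak = [e for e in evs if e.trust not in ("Trusted", "Verified")]
        if trusted and weak:
            report[ip] = {
                "anonymous_suite": any(e.anonymous_kx for e in weak),
                "weak_ciphers": sorted({e.cipher for e in weak}),
                "trusted_ciphers": sorted({e.cipher for e in trusted}),
                "weak_sources": sorted({e.source for e in weak}),
            }
    return report


if __name__ == "__main__":
    for ip, info in explain_trust_gap(parse_log(SAMPLE_LOG)).items():
        cause = "anonymous cipher suite (no certificate sent)" if info["anonymous_suite"] \
            else "certificate verification differs between clients"
        print(f"{ip}: {cause}; weak={info['weak_ciphers']} trusted={info['trusted_ciphers']}")
```

Run against a real mail.log excerpt, replace SAMPLE_LOG with the file contents; the regex only needs the Postfix 2.x wording of the TLS-established line, so smtp_tls_loglevel = 1 is enough to produce the input. When a peer comes out as "anonymous cipher suite", the next thing to compare is the cipher grade and security level each client negotiated with (smtp_tls_security_level and smtp_tls_ciphers for postfix/smtp, the -l and -g options for posttls-finger), not the CA bundle.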