On Mon, Mar 02, 2015 at 08:40:17PM +0000, Paul wrote:

> I have an Ubuntu Postfix (2.11) setup which only delivers locally submitted
> mail. I have enabled outgoing TLS support

It seems to be working just fine.

http://permalink.gmane.org/gmane.mail.postfix.user/249429
http://permalink.gmane.org/gmane.mail.postfix.user/249436

> Postfix can establish Trusted connections to a variety of hosts
>
> Mar 2 19:59:06 rowan postfix/smtp[17346]:
> Trusted TLS connection established to mx01.gmx.net[212.227.17.4]:25:
> TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>
> Mar 2 20:15:53 rowan postfix/smtp[20057]:
> Trusted TLS connection established to ASPMX.L.GOOGLE.COM[173.194.67.27]:25:
> TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

These servers do not support anon-(EC)DH cipher-suites, so their "Trusted"
(but not "Verified"!) certificates are reported as such:

http://www.postfix.org/FORWARD_SECRECY_README.html#status

> However when connecting to another Postfix server I manage I get
>
> Mar 2 20:20:07 rowan postfix/smtp[20386]:
> Untrusted TLS connection established to
> mail.netpresto.co.uk[213.210.16.25]:25:
> TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)

This server does support anon-ECDH cipher-suites, so its anonymous
connection is misreported as untrusted.

http://permalink.gmane.org/gmane.mail.postfix.user/243747

> My first assumption was I have not configured mail.netpresto.co.uk
> correctly.

Nothing is wrong, there is nothing misconfigured and nothing to fix.

> Why are posttls-finger results different to what the postfix/smtp client
> gets for this connection?

Because the primary purpose of posttls-finger(1) is to report peer
certificate information, its default security level is "secure" not "may",
and anonymous ciphers are disabled as a result.

-- 
	Viktor.
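A log-triage helper for the distinction made in this thread, added here as an example and not code from the thread or from Postfix itself: it parses postfix/smtp "TLS connection established" lines like the ones quoted above, treats a suite whose OpenSSL name starts with ADH- or AECDH- (the anonymous key-exchange prefixes) as Anonymous regardless of the trust level the 2.11 logger printed, and notes whether the key exchange was ephemeral. The first two sample lines are taken from the thread; the third is constructed.

```python
import re

# Sample postfix/smtp log lines: the first two are quoted in the thread,
# the third is constructed (RFC 5737 address, .invalid hostname).
SAMPLE_LOG = """\
Mar  2 19:59:06 rowan postfix/smtp[17346]: Trusted TLS connection established to mx01.gmx.net[212.227.17.4]:25: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  2 20:20:07 rowan postfix/smtp[20386]: Untrusted TLS connection established to mail.netpresto.co.uk[213.210.16.25]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Mar  2 20:21:00 rowan postfix/smtp[20400]: Untrusted TLS connection established to example.invalid[192.0.2.10]:25: TLSv1 with cipher AES128-SHA (128/128 bits)
"""

LINE_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<level>Anonymous|Untrusted|Trusted|Verified) "
    r"TLS connection established to (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

# OpenSSL cipher-name prefixes: anonymous (no certificate at all) and ephemeral.
ANON_PREFIXES = ("ADH-", "AECDH-")
EPHEMERAL_PREFIXES = ("DHE-", "ECDHE-", "ADH-", "AECDH-")


def classify(line):
    """Return a dict describing one TLS log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    anon = d["cipher"].startswith(ANON_PREFIXES)
    # An anonymous suite carries no peer certificate, so the peer was not
    # authenticated whatever trust word the logger chose.
    d["effective"] = "Anonymous" if anon else d["level"]
    # Postfix 2.11 logs anon-(EC)DH sessions as "Untrusted"; flag that.
    d["misreported"] = anon and d["level"] != "Anonymous"
    d["forward_secret"] = d["cipher"].startswith(EPHEMERAL_PREFIXES)
    return d


def summarize(log_text):
    """Count connections per effective trust level across a log."""
    counts = {}
    for line in log_text.splitlines():
        d = classify(line)
        if d:
            counts[d["effective"]] = counts.get(d["effective"], 0) + 1
    return counts
```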