Viktor
Thank you for your response which clarifies all my concerns.
Paul
On 02/03/2015 22:05, Viktor Dukhovni wrote:
On Mon, Mar 02, 2015 at 08:40:17PM +0000, Paul wrote:
I have an Ubuntu Postfix (2.11) setup which only delivers locally submitted
mail. I have enabled outgoing TLS support.
It seems to be working just fine.
http://permalink.gmane.org/gmane.mail.postfix.user/249429
http://permalink.gmane.org/gmane.mail.postfix.user/249436
Postfix can establish Trusted connections to a variety of hosts
Mar 2 19:59:06 rowan postfix/smtp[17346]: Trusted TLS connection established to mx01.gmx.net[212.227.17.4]:25: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 2 20:15:53 rowan postfix/smtp[20057]: Trusted TLS connection established to ASPMX.L.GOOGLE.COM[173.194.67.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
These servers do not support anon-(EC)DH cipher-suites, so their
"Trusted" (but not "Verified"!) certificates are reported as such:
http://www.postfix.org/FORWARD_SECRECY_README.html#status
However when connecting to another Postfix server I manage I get
Mar 2 20:20:07 rowan postfix/smtp[20386]: Untrusted TLS connection established to mail.netpresto.co.uk[213.210.16.25]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
This server does support anon-ECDH cipher-suites, so its anonymous
connection is misreported as untrusted.
http://permalink.gmane.org/gmane.mail.postfix.user/243747
My first assumption was I have not configured mail.netpresto.co.uk
correctly.
Nothing is wrong, there is nothing misconfigured and nothing to fix.
Why are posttls-finger results different to what the postfix/smtp client
gets for this connection?
Because the primary purpose of posttls-finger(1) is to report peer
certificate information, its default security level is "secure"
not "may", and anonymous ciphers are disabled as a result.
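An added example, not code from the thread or from Postfix: a small Python triage script that parses Postfix smtp client TLS log lines like the ones quoted above and, following Viktor's explanation, reports a session logged as "Untrusted" but negotiated with an anonymous suite as anonymous rather than as a certificate problem. It assumes OpenSSL's naming of anonymous key-exchange suites (ADH-/AECDH- prefix); the sample log lines are constructed from the ones quoted in the thread.

```python
import re

# Constructed sample input, shaped like the postfix/smtp lines quoted above.
SAMPLE_LOG = """\
Mar  2 19:59:06 rowan postfix/smtp[17346]: Trusted TLS connection established to mx01.gmx.net[212.227.17.4]:25: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  2 20:15:53 rowan postfix/smtp[20057]: Trusted TLS connection established to ASPMX.L.GOOGLE.COM[173.194.67.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar  2 20:20:07 rowan postfix/smtp[20386]: Untrusted TLS connection established to mail.netpresto.co.uk[213.210.16.25]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
"""

# Postfix logs one of four trust levels for an outbound TLS session.
TLS_LINE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<status>Anonymous|Untrusted|Trusted|Verified) TLS "
    r"connection established to (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>[\d/]+) bits\)"
)


def is_anon_cipher(cipher):
    """Assumption: OpenSSL names anonymous (EC)DH suites with ADH-/AECDH-."""
    return cipher.startswith(("ADH-", "AECDH-"))


def classify(line):
    """Return the parsed record with an 'effective' trust level, or None."""
    m = TLS_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # With an anonymous suite the peer sent no certificate at all, so an
    # "Untrusted" status (as Postfix 2.11 logs it) is not a certificate
    # failure; label it Anonymous so triage does not flag a misconfiguration.
    if rec["status"] == "Untrusted" and is_anon_cipher(rec["cipher"]):
        rec["effective"] = "Anonymous"
    else:
        rec["effective"] = rec["status"]
    return rec


def summarize(log_text):
    """Parse every TLS session line in a log excerpt."""
    return [r for r in (classify(l) for l in log_text.splitlines()) if r]


if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG):
        print(f'{r["host"]:24} logged={r["status"]:10} '
              f'effective={r["effective"]:10} {r["proto"]} {r["cipher"]}')
```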