On Tue, Jun 9, 2015, at 06:25 PM, Viktor Dukhovni wrote:
> This sets the client's certificate chain file, not its list of trusted CAs.
Misunderstood, now clear.
> But you're still not authenticating the server. For that you'll need:
> smtp_tls_security_level=secure so that the client verifies the server
> hostname also and refuses to proceed when authentication fails.
From my notes, I'd previously tried & failed with
-o smtp_tls_security_level=secure
Reattempting
CLIENT/master.cf
...
relay-remote unix - - n - - smtp
...
    -o smtp_tls_CAfile=/etc/ssl/mail/DDDD_CA.crt
    -o smtp_tls_cert_file=/etc/ssl/mail/relay-remote.crt
    -o smtp_tls_key_file=/etc/ssl/mail/relay-remote.key
+   -o smtp_tls_policy_maps=lmdb:/etc/postfix/tls_policy
+   -o smtp_tls_security_level=secure
    -o tls_append_default_CA=no
...
...
CLIENT/tls_policy
[internal.local010.DDDD.com]:11587 secure match=nexthop
Returns a "Server certificate not verified" deferral
Jun 9 18:43:24 remote016 postfix/relay-remote/smtp[24387]: Trusted TLS
connection established to internal.local010.DDDD.com[10.128.1.10]:11587:
TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 9 18:43:24 remote016 postfix/relay-remote/smtp[24387]: DAA9666783:
to=<[email protected]>, relay=internal.local010.DDDD.com[10.128.1.10]:11587,
delay=0.15, delays=0/0/0.15/0, dsn=4.7.5, status=deferred (Server certificate
not verified)
Not clear to me what the problem actually is. This is with
-o smtp_tls_loglevel=2
I suspect the 'nexthop' strategy is getting an incorrect match name, but have
yet to understand the general, correct usage after a couple of doc re-reads
(http://www.postfix.org/postconf.5.html#smtp_tls_secure_cert_match)
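The `match=nexthop` question above, as an added example (this is not Postfix code and not from the thread): a small Python script that derives, from a tls_policy line, the name(s) a server certificate has to carry under each documented `match=` strategy (`nexthop` = the next-hop destination with `[]` and `:port` stripped, `dot-nexthop` = any subdomain of it, `hostname` = the MX hostname, anything else a literal name or `.domain`), and checks a list of certificate dNSNames against them. The certificate name lists and the `mx_hostname` argument are constructed for the demo; the wildcard rule (a leftmost `*.` label standing for exactly one label) is my reading of Postfix's matching and is stated here as an assumption.

```python
"""Work out which certificate name(s) a Postfix smtp_tls_policy_maps entry
at level "secure" will demand, and test a server cert's names against them.

Added illustration, not Postfix code.  Assumptions (from postconf(5),
smtp_tls_secure_cert_match / smtp_tls_policy_maps):
  - match= strategies in tls_policy are ':'-separated;
  - the default for "secure" is nexthop:dot-nexthop;
  - "nexthop" is the next-hop destination with [] and :port removed;
  - a ".domain" pattern matches any name below that domain;
  - a certificate name "*.b.c" covers exactly one leftmost label.
"""
import re
from typing import List, Optional, Tuple


def strip_nexthop(nexthop: str) -> str:
    """'[host]:port' -> 'host', 'host:port' -> 'host', 'host' -> 'host'."""
    m = re.fullmatch(r"\[([^\]]+)\](?::\d+)?", nexthop)
    if m:
        return m.group(1).lower()
    return nexthop.split(":", 1)[0].lower()


def parse_policy_line(line: str) -> Tuple[str, str, List[str]]:
    """Split a tls_policy entry '<nexthop> <level> [attr=value ...]'."""
    nexthop, level, *attrs = line.split()
    match = ["nexthop", "dot-nexthop"]  # documented default for "secure"
    for attr in attrs:
        if attr.startswith("match="):
            match = attr[len("match="):].split(":")
    return nexthop, level, match


def required_names(nexthop: str, match: List[str],
                   mx_hostname: Optional[str] = None) -> List[str]:
    """Expand each match= strategy into the pattern the cert must satisfy."""
    host = strip_nexthop(nexthop)
    patterns = []
    for strategy in match:
        if strategy == "nexthop":
            patterns.append(host)
        elif strategy == "dot-nexthop":
            patterns.append("." + host)
        elif strategy == "hostname":
            if mx_hostname:                 # MX name comes from DNS at runtime
                patterns.append(mx_hostname.lower())
        else:
            patterns.append(strategy.lower())  # literal name or ".domain"
    return patterns


def cert_name_matches(cert_name: str, pattern: str) -> bool:
    """Case-insensitive match of one certificate dNSName against one pattern."""
    cert_name, pattern = cert_name.lower(), pattern.lower()
    if pattern.startswith("."):
        # parent-domain pattern: any name strictly below the domain
        return cert_name.endswith(pattern) and len(cert_name) > len(pattern)
    if cert_name.startswith("*."):
        # assumed wildcard rule: '*' stands for exactly one leading label
        suffix = cert_name[1:]              # ".b.c"
        head = pattern[:-len(suffix)] if pattern.endswith(suffix) else ""
        return bool(head) and "." not in head
    return cert_name == pattern


def verify(policy_line: str, cert_names: List[str],
           mx_hostname: Optional[str] = None) -> Tuple[bool, List[str]]:
    """Return (accepted, required_patterns) for a policy line and a cert's names."""
    nexthop, _level, match = parse_policy_line(policy_line)
    patterns = required_names(nexthop, match, mx_hostname)
    accepted = any(cert_name_matches(n, p) for n in cert_names for p in patterns)
    return accepted, patterns


if __name__ == "__main__":
    POLICY = "[internal.local010.DDDD.com]:11587 secure match=nexthop"  # from the post
    # Constructed certificate name sets (SAN dNSNames) to compare against it.
    for names in (["local010.DDDD.com"],
                  ["internal.local010.DDDD.com"],
                  ["*.local010.DDDD.com"],
                  ["*.DDDD.com"]):
        ok, need = verify(POLICY, names)
        print(f"cert names {names}: {'accepted' if ok else 'REJECTED'}; "
              f"policy requires one of {need}")
```

Running it shows that with `match=nexthop` only the exact name `internal.local010.DDDD.com` (or a one-label wildcard under `local010.DDDD.com`) satisfies the policy; a certificate issued to the parent name `local010.DDDD.com` is rejected unless the policy names it explicitly (for example `match=local010.DDDD.com`). Compare the patterns the script prints with the subjectAltName/CN entries in the server certificate (`openssl x509 -in relay.crt -noout -text`) to see which side needs changing.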