On Tue, Jun 09, 2015 at 07:06:26PM -0700, PGNd wrote:

> Reattempting
>
> CLIENT/master.cf
> ...
> relay-remote unix - - n - - smtp
> ...
> -o smtp_tls_CAfile=/etc/ssl/mail/DDDD_CA.crt
> -o smtp_tls_cert_file=/etc/ssl/mail/relay-remote.crt
> -o smtp_tls_key_file=/etc/ssl/mail/relay-remote.key
> + -o smtp_tls_policy_maps=lmdb:/etc/postfix/tls_policy
> + -o smtp_tls_security_level=secure
> -o tls_append_default_CA=no
> ...
> ...
>
> CLIENT/tls_policy
> [internal.local010.DDDD.com]:11587 secure match=nexthop
>
> Returns a "Server certificate not verified" deferral

The server certificate name probably does not match the nexthop domain.

> Jun 9 18:43:24 remote016 postfix/relay-remote/smtp[24387]: Trusted TLS
> connection established to internal.local010.DDDD.com[10.128.1.10]:11587:
> TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>
> Not clear to me what the problem actually is. This is with
>
> -o smtp_tls_loglevel=2
>
> I suspect the 'nexthop' strategy is getting an incorrect match name, but have
> yet to understand the general, correct usage after a couple of doc re-reads
> (http://www.postfix.org/postconf.5.html#smtp_tls_secure_cert_match)

Yes, the key question is what's in the server certificate. You'll want
"match=<whatever appears there>". And if you're using the policy table,
you don't also need "smtp_tls_security_level=secure", the policy table
preempts that.

-- 
	Viktor.
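To make the exchange above concrete, here is an added Python model of how the Postfix SMTP client's "secure" level compares the names in a server certificate against a tls_policy "match=" list. It is not Postfix code and not from either poster; it follows the postconf(5) description of smtp_tls_secure_cert_match as a simplified model (nexthop, dot-nexthop, literal names, leading-dot sub-domain patterns, and a single-label "*" wildcard). The nexthop is the one from the thread; the certificate names fed to it are constructed, since the thread never shows what the server certificate actually contains.

```python
"""Simplified model of Postfix "secure"-level certificate name matching.
Added illustration, not Postfix code. Rules follow postconf(5)
smtp_tls_secure_cert_match as documented; edge cases (IP literals,
transport-table rewriting) are not modelled."""

import re


def nexthop_domain(nexthop: str) -> str:
    """Reduce a policy-table nexthop such as "[host]:port" to the bare
    domain name that the "nexthop" strategy is compared against."""
    host = nexthop.strip().lower()
    # Split off an optional ":port"; the [] alternative keeps any colons
    # that sit inside brackets (e.g. an address literal) intact.
    m = re.match(r"^(\[[^\]]*\]|[^:]+)(?::\d+)?$", host)
    if m:
        host = m.group(1)
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]  # the brackets only suppress MX lookups
    return host


def expand_patterns(match_spec: str, nexthop: str) -> list:
    """Turn a "match=" spec (colon/comma/space separated) into concrete
    patterns: "nexthop" -> domain, "dot-nexthop" -> ".domain"."""
    domain = nexthop_domain(nexthop)
    patterns = []
    for p in re.split(r"[:,\s]+", match_spec.strip().lower()):
        if p == "nexthop":
            patterns.append(domain)
        elif p == "dot-nexthop":
            patterns.append("." + domain)
        elif p:
            patterns.append(p)
    return patterns


def name_matches(cert_name: str, pattern: str) -> bool:
    """Compare one certificate name (CN or DNS SAN) with one pattern.
    A leading "*" label in the certificate stands for exactly one label."""
    cert_name = cert_name.lower().rstrip(".")
    wildcard = cert_name.startswith("*.")
    if pattern.startswith("."):
        # ".example.com" matches sub-domains of example.com, not the
        # apex itself; a wildcard cert covers one label under its base.
        if wildcard:
            base = cert_name[2:]
            return "." + base == pattern or base.endswith(pattern)
        return cert_name.endswith(pattern)
    if wildcard:
        labels = pattern.split(".")
        return len(labels) > 2 and ".".join(labels[1:]) == cert_name[2:]
    return cert_name == pattern


def verify(cert_names, match_spec: str, nexthop: str):
    """Return the first certificate name satisfying the policy, else None.
    None is the situation behind "Server certificate not verified"."""
    patterns = expand_patterns(match_spec, nexthop)
    for name in cert_names:
        if any(name_matches(name, pat) for pat in patterns):
            return name
    return None


def suggest_policy_line(nexthop: str, cert_names) -> str:
    """Build the tls_policy entry that pins the names the certificate
    actually carries, the approach the reply recommends."""
    return f"{nexthop} secure match={':'.join(cert_names)}"


if __name__ == "__main__":
    NEXTHOP = "[internal.local010.DDDD.com]:11587"
    # Constructed certificate names; the real ones are not in the thread.
    cert_names = ["mail.DDDD.com"]
    print("match=nexthop ->", verify(cert_names, "nexthop", NEXTHOP))
    print("suggested:", suggest_policy_line(NEXTHOP, cert_names))
```

Running it shows `match=nexthop` yielding `None` for a certificate issued to `mail.DDDD.com`, because `nexthop` expands to `internal.local010.dddd.com` and nothing in the certificate equals it; the suggested line pins the name the certificate does carry instead. Checking the real certificate's CN and DNS SANs (e.g. with `openssl x509 -noout -subject -ext subjectAltName` on the server's certificate file) is the step that supplies the correct `match=` value.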