On Tue, Nov 17, 2015 at 08:02:35PM +0100, Istvan Prosinger wrote:

> I'm trying to install the signed STARTSSL certificates to Postfix, but I'm
> getting this entry whatever I do:
>
> Nov 17 18:41:39 knox postfix/smtp[32153]: Untrusted TLS connection
> established to gmail-smtp-in.l.google.com[74.125.133.26]:25: TLSv1.2 with
> cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
These are logs from your local Postfix SMTP client that sends mail to remote
domains. Well, you can't replace Google's certificates unless you're
administering Google's servers. Perhaps you mean that you're trying to install
trust-anchor certificates (that is, certificate authority certificates, not
server certificates).

> [root@knox certs]# postconf -n | grep tls
> smtp_tls_CAfile = /etc/ssl/certs/startssl-ca-bundle.pem
> smtp_tls_CApath = /etc/ssl/certs/
> smtp_tls_loglevel = 1
> smtp_tls_security_level = may

With opportunistic TLS ("may") certificates are never verified, and so are
never "Trusted".

> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/ssl/certs/prosinger_new_bundle.crt
> smtpd_tls_key_file = /etc/ssl/certs/prosinger_new.key

Enabling client certificates is generally a bad idea. Is the remote SMTP server
expecting you to use these to authenticate yourself for mail submission?

> BTW, when I do a test with
> http://checktls.com/
>
> (try ist...@prosinger.net) - I get all "green"/

That tests your Postfix SMTP server that receives mail from remote domains.
Don't confuse the two services.

-- 
Viktor.
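The two points in the reply above (the trust word in the log line reflects what the configured security level lets Postfix enforce, and `postfix/smtp` lines are outbound while `postfix/smtpd` lines are inbound) can be checked mechanically against a mail log. The script below is an added example, not code from the thread or from the Postfix project: it parses "TLS connection established" lines, tells the two services apart, and flags an outbound connection only where a per-destination policy of `verify`, `secure`, `fingerprint` or `dane-only` should have produced "Verified". The log lines other than the one quoted in the thread are constructed, and the policy table keyed by MX hostname suffix is a simplification (real `smtp_tls_policy_maps` entries are keyed by next-hop destination, not by the MX host that appears in the log).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Postfix "TLS connection established" lines as logged with smtp_tls_loglevel = 1
# (outbound, postfix/smtp) and smtpd_tls_loglevel = 1 (inbound, postfix/smtpd).
# The word before "TLS connection established" is the trust level Postfix
# assigned to the peer certificate: Anonymous, Untrusted, Trusted or Verified.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<service>smtpd?)\[(?P<pid>\d+)\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?P<direction>to|from) (?P<peer>[^\[\s]+)\[(?P<ip>[^\]]+)\](?::(?P<port>\d+))?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/(?P<bits_alg>\d+) bits\)$"
)

# Security levels at which Postfix aborts the handshake unless the server
# certificate verifies; a connection that reached "established" under these
# must therefore be logged as Verified. "dane" is deliberately absent: it
# degrades to "may" when no usable TLSA records exist. "may"/"encrypt" never
# enforce verification, so Untrusted/Anonymous is the expected outcome there.
ENFORCING_LEVELS = {"verify", "secure", "fingerprint", "dane-only"}


@dataclass
class TlsEvent:
    service: str   # "smtp" = our client sending out, "smtpd" = our server receiving
    trust: str
    peer: str
    ip: str
    proto: str
    cipher: str
    bits: int


def parse_tls_line(line: str) -> Optional[TlsEvent]:
    """Return a TlsEvent for a TLS-established log line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return TlsEvent(m["service"], m["trust"], m["peer"], m["ip"],
                    m["proto"], m["cipher"], int(m["bits"]))


def policy_level(peer: str, policy: dict, default_level: str = "may") -> str:
    """Longest-suffix lookup of the configured level for an MX host (constructed
    simplification of smtp_tls_policy_maps; see the lead-in)."""
    host = peer.lower().rstrip(".")
    best = None
    for suffix, level in policy.items():
        if host == suffix or host.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, level)
    return best[1] if best else default_level


def audit(lines, policy: dict, default_level: str = "may"):
    """Classify each TLS-established line against the outbound policy."""
    findings = []
    for line in lines:
        ev = parse_tls_line(line)
        if ev is None:
            continue  # delivery status lines, queue ids etc. are not TLS events
        if ev.service == "smtpd":
            # Inbound: governed by smtpd_* settings, unrelated to smtp_tls_security_level.
            findings.append({"peer": ev.peer, "trust": ev.trust, "level": None,
                             "verdict": "inbound"})
            continue
        level = policy_level(ev.peer, policy, default_level)
        if level in ENFORCING_LEVELS:
            # An enforcing level that still logs Untrusted/Trusted means the running
            # config and the policy we believe in disagree; worth investigating.
            verdict = "ok" if ev.trust == "Verified" else "policy-mismatch"
        else:
            verdict = "not-enforced"  # certificate not checked against a policy
        findings.append({"peer": ev.peer, "trust": ev.trust, "level": level,
                         "verdict": verdict})
    return findings


# Constructed sample log; the first line is the one quoted in the thread.
SAMPLE_LOG = [
    "Nov 17 18:41:39 knox postfix/smtp[32153]: Untrusted TLS connection established "
    "to gmail-smtp-in.l.google.com[74.125.133.26]:25: TLSv1.2 with cipher "
    "ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)",
    "Nov 17 18:42:10 knox postfix/smtp[32160]: Verified TLS connection established "
    "to mx.example.net[192.0.2.10]:25: TLSv1.2 with cipher "
    "ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Nov 17 18:43:01 knox postfix/smtpd[32170]: Anonymous TLS connection established "
    "from mail.example.org[198.51.100.7]: TLSv1.2 with cipher AECDH-AES256-SHA "
    "(256/256 bits)",
    "Nov 17 18:43:02 knox postfix/smtp[32153]: 3B2C1A0: to=<user@example.net>, "
    "relay=mx.example.net[192.0.2.10]:25, status=sent (250 ok)",
]
# Constructed policy: only example.net destinations are held to "secure".
SAMPLE_POLICY = {"example.net": "secure"}

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, SAMPLE_POLICY):
        print(f"{f['verdict']:16} {f['trust']:10} level={f['level']} {f['peer']}")
```

Run against the sample, the quoted Gmail line comes out as `not-enforced` (level `may`, so "Untrusted" is the expected label), the constructed `mx.example.net` line is `ok`, and the `postfix/smtpd` line is reported as `inbound` so it is not mistaken for evidence about outbound delivery.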