Hi all, I've read what Postfix documentation I can find on the subject, and I don't understand why I'm seeing untrusted connections rather than trusted. I'm using an account at mailbox.org for testing purposes, they use DNSSEC / DANE for their server (as do I), and I see a verified connection when sending email to their server, but returned connections are untrusted.
This is what's logged when TLS logging is set to 2 -

Jan 31 17:53:31 indium postfix/smtpd[30307]: setting up TLS connection from mx1.mailbox.org[80.241.60.212]
Jan 31 17:53:31 indium postfix/smtpd[30307]: mx1.mailbox.org[80.241.60.212]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH:!aNULL"
Jan 31 17:53:31 indium postfix/smtpd[30307]: SSL_accept:SSLv3/TLS read client hello
Jan 31 17:53:31 indium postfix/smtpd[30307]: SSL_accept:SSLv3/TLS write server hello
Jan 31 17:53:31 indium postfix/smtpd[30307]: SSL_accept:SSLv3/TLS write certificate
Jan 31 17:53:31 indium postfix/smtpd[30307]: SSL_accept:SSLv3/TLS write key exchange
Jan 31 17:53:31 indium postfix/smtpd[30307]: SSL_accept:SSLv3/TLS write certificate request
Jan 31 17:53:31 indium postfix/smtpd[30307]: SSL_accept:SSLv3/TLS write server done
Jan 31 17:53:31 indium postfix/smtpd[30307]: SSL_accept:SSLv3/TLS write server done
Jan 31 17:53:31 indium postfix/smtpd[30307]: SSL_accept:SSLv3/TLS read client certificate
Jan 31 17:53:31 indium postfix/smtpd[30307]: SSL_accept:SSLv3/TLS read client key exchange
Jan 31 17:53:31 indium postfix/smtpd[30307]: SSL_accept:SSLv3/TLS read certificate verify
Jan 31 17:53:31 indium postfix/smtpd[30307]: SSL_accept:SSLv3/TLS read change cipher spec
Jan 31 17:53:31 indium postfix/smtpd[30307]: SSL_accept:SSLv3/TLS read finished
Jan 31 17:53:31 indium postfix/smtpd[30307]: SSL_accept:SSLv3/TLS write session ticket
Jan 31 17:53:31 indium postfix/smtpd[30307]: SSL_accept:SSLv3/TLS write change cipher spec
Jan 31 17:53:31 indium postfix/smtpd[30307]: SSL_accept:SSLv3/TLS write finished
Jan 31 17:53:31 indium postfix/smtpd[30307]: Untrusted TLS connection established from mx1.mailbox.org[80.241.60.212]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

This is the relevant part of main.cf -

smtpd_use_tls = yes
smtpd_tls_key_file = /etc/pki/tls/private/mail.trisect.uk.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.trisect.uk.crt
smtpd_tls_CApath = /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_ccert_verifydepth = 2
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_auth_only = no
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s

As far as I can tell the CA certificate used by mailbox.org is included in ca-bundle.trust.crt

What have I missed (if anything)? Thanks for looking
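The question turns on what the leading word of Postfix's TLS summary line means and on which main.cf parameters feed the verification that produces it. The script below is an added example, not code from the original post or from the Postfix project: it parses the "... TLS connection established from/to ..." summary lines into a per-peer, per-direction tally of trust levels (so an inbound Untrusted and an outbound Verified result for the same peer, as in the post, sit side by side), and it lints the CA-trust parameters of a main.cf fragment. The lint encodes two facts from postconf(5): smtpd_tls_CApath is a directory of hashed CA certificates, while a single PEM bundle file is what smtpd_tls_CAfile takes, and without a usable CA source a presented client certificate can only ever be logged as Untrusted. The log lines and main.cf fragment in the block are constructed (the first log line mirrors the one in the post); the function names are the example's own.

```python
"""Classify Postfix TLS log summaries by trust level and lint the CA-trust
settings that decide Trusted vs Untrusted.  Added example, not code from the
original post or from Postfix; the log lines and main.cf fragment marked as
constructed below are made up for the demonstration."""
import re
from collections import Counter

# Postfix writes one summary line per TLS handshake; its leading word is the
# trust level assigned to the peer certificate (see Postfix TLS_README):
#   Anonymous - peer sent no certificate
#   Untrusted - peer sent a certificate but the chain did not verify against
#               smtpd_tls_CAfile / smtpd_tls_CApath (or neither is usable)
#   Trusted   - the chain verified against the configured CAs
#   Verified  - trusted and the peer identity was also matched
SUMMARY_RE = re.compile(
    r"postfix/(?P<proc>smtpd?)\[\d+\]: "
    r"(?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?:from|to) (?P<peer>[^\[\s]+)\[(?P<ip>[^\]]+)\](?::\d+)?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)


def parse_tls_summaries(log_text):
    """Return one dict per TLS summary line; SSL_accept handshake chatter is ignored."""
    rows = []
    for line in log_text.splitlines():
        m = SUMMARY_RE.search(line)
        if m:
            d = m.groupdict()
            d["bits"] = int(d["bits"])
            rows.append(d)
    return rows


def trust_by_peer(rows):
    """Count trust levels per (peer, direction): smtpd lines are inbound,
    smtp lines are outbound, so asymmetric results for one peer stand out."""
    counts = Counter()
    for r in rows:
        direction = "inbound" if r["proc"] == "smtpd" else "outbound"
        counts[(r["peer"], direction, r["level"])] += 1
    return counts


def parse_main_cf(text):
    """Minimal main.cf reader: 'key = value', '#' comments, and continuation
    lines (leading whitespace) appended to the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        if "=" not in raw:
            continue
        k, v = raw.split("=", 1)
        last = k.strip()
        params[last] = v.strip()
    return params


def lint_tls_trust(params):
    """Flag settings under which client certificates can never become Trusted."""
    findings = []
    capath = params.get("smtpd_tls_CApath", "")
    cafile = params.get("smtpd_tls_CAfile", "")
    # postconf(5): smtpd_tls_CApath is a directory of c_rehash'ed CA certs;
    # a single PEM bundle file belongs in smtpd_tls_CAfile.
    if re.search(r"\.(crt|pem|cer)$", capath, re.I):
        findings.append(
            f"smtpd_tls_CApath={capath} looks like a file; a PEM bundle belongs "
            "in smtpd_tls_CAfile (CApath expects a hashed directory)")
    if not capath and not cafile:
        findings.append("no smtpd_tls_CAfile or smtpd_tls_CApath: client certs "
                        "cannot verify, so connections log as Untrusted")
    if params.get("smtpd_tls_ask_ccert", "no") != "yes":
        findings.append("smtpd_tls_ask_ccert is not 'yes': clients are never "
                        "asked for a certificate, so connections log as Anonymous")
    return findings


# Constructed sample data; the first summary line mirrors the one in the post.
SAMPLE_LOG = """\
Jan 31 17:53:31 indium postfix/smtpd[30307]: SSL_accept:SSLv3/TLS read finished
Jan 31 17:53:31 indium postfix/smtpd[30307]: Untrusted TLS connection established from mx1.mailbox.org[80.241.60.212]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 31 17:55:02 indium postfix/smtp[30412]: Verified TLS connection established to mx1.mailbox.org[80.241.60.212]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 31 17:58:10 indium postfix/smtpd[30420]: Anonymous TLS connection established from mail.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
"""
SAMPLE_MAIN_CF = """\
smtpd_tls_ask_ccert = yes
smtpd_tls_CApath = /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
smtpd_tls_security_level = may
"""

if __name__ == "__main__":
    for key, n in sorted(trust_by_peer(parse_tls_summaries(SAMPLE_LOG)).items()):
        print(key, n)
    for finding in lint_tls_trust(parse_main_cf(SAMPLE_MAIN_CF)):
        print("finding:", finding)
```

Run against a real mail log (for example `grep 'TLS connection established' /var/log/maillog`), the tally shows immediately whether a peer is Untrusted on every inbound handshake or only intermittently, which separates a trust-store problem on the receiving side from a peer that sometimes presents no certificate at all. The lint is deliberately narrow: it only checks the parameters that decide the Untrusted/Trusted outcome and does not attempt to verify the bundle's contents.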