On 03.07.2019 17:24, David Gibbs wrote:
> On 7/2/19 3:03 PM, David Mehler wrote:
>> Jul  2 14:59:44 mail postfix/smtp[14345]: Untrusted TLS connection
>> established to gmail-smtp-in.l.google.com[173.194.68.27]:25: TLSv1.3
>> with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519
>> server-signature RSA-PSS (2048 bits) server-digest SHA256
>
> I encountered the same thing ... here's how I fixed it.
>
> I added the following to main.cf:
>
> smtp_tls_CApath = /etc/ssl/certs
> smtpd_tls_CApath = /etc/ssl/certs
While that changes the reported TLS connection status from untrusted to trusted, which certainly looks better, the question remains whether that is actually true.

By installing the package ca-certificates and telling postfix to trust all of the CA certificates contained therein, you are, in effect, doing just that: you are trusting all of the CAs in the package. But are you really? Do you even know them all?

Yes, this is nitpicking, and you and many others may be aware of it or don't care. But some readers of this mailing list may not be. And I, for one, find it more accurate when postfix reports "untrusted" for a certificate whose CA I have indeed not verified than if it says "trusted" when the CA concerned is completely unknown to me, let alone its policies.

Cheers,
Tobias
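As an added illustration of the point made in the thread (this is not configuration posted by either participant, and it is not the Postfix project's own documentation): Postfix lets you keep the whole distribution bundle for opportunistic TLS while pinning trust, per destination, to the one CA you have actually verified. The destination partner.example, its MX host names mx1.mailhost.example and mx2.mailhost.example, and the file paths are assumptions made for the example.

```ini
# /etc/postfix/main.cf  (added example; domain names and paths are assumed)
#
# Opportunistic TLS: at security level "may" the Postfix SMTP client logs the
# peer certificate as Trusted/Untrusted but never refuses delivery on that
# basis, so adding a CApath changes the log line, not what is enforced.
smtp_tls_security_level = may
smtp_tls_loglevel = 1

# The whole distribution bundle, i.e. every CA in the ca-certificates package.
# The directory must carry OpenSSL hash links (c_rehash / openssl rehash), and
# if smtp(8) runs chrooted, the directory (or a copy) must exist inside the jail.
smtp_tls_CApath = /etc/ssl/certs

# Per-destination overrides for peers whose CA you have checked yourself.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# /etc/postfix/tls_policy  (build the .db with: postmap hash:/etc/postfix/tls_policy)
#
# Key: the next-hop domain. "secure" verifies both the chain and the name.
# "match=" lists the exact names the MX certificate may carry, needed here
# because the assumed MX hosts live under a different domain than the key.
# "tafile=" makes only the listed trust anchor acceptable for this
# destination; the roots under smtp_tls_CApath are then no longer trusted
# for it unless they also appear in that file.
partner.example  secure match=mx1.mailhost.example:mx2.mailhost.example tafile=/etc/postfix/partner-ca.pem
```

Destinations not listed in the policy map still get level "may" with the full bundle and the Trusted/Untrusted log annotation the thread discusses; only partner.example has delivery gated on a chain that ends at the CA you put in partner-ca.pem. Use the table type your Postfix build supports (hash: may be lmdb: on some distributions), and remember that a trust anchor in tafile may be an intermediate rather than a root CA.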