On Mon, Jul 08, 2019 at 08:39:09AM +0200, Tobias Reckhard wrote:
> On 03.07.2019 17:24, David Gibbs wrote:
> > On 7/2/19 3:03 PM, David Mehler wrote:
> >> Jul  2 14:59:44 mail postfix/smtp[14345]: Untrusted TLS connection
> >> established to gmail-smtp-in.l.google.com[173.194.68.27]:25: TLSv1.3
> >> with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519
> >> server-signature RSA-PSS (2048 bits) server-digest SHA256
> >
> > I encountered the same thing ... here's how I fixed it.
> >
> > I added the following to main.cf:
> >
> > smtp_tls_CApath = /etc/ssl/certs
> > smtpd_tls_CApath = /etc/ssl/certs
>
> While that changes the reported TLS connection status from untrusted to
> trusted, which certainly looks better, the question remains whether that
> is actually true. By installing the package ca-certificates and telling
> postfix to trust all of the CA certificates contained therein, you are,
> in effect, doing just that: you are trusting all of the CAs in the
> package. But are you really? Do you even know them all?
Also important to keep in mind that "Trusted" does not include any name checks. So all we know is that the certificate in question was a valid certificate issued by some CA in the CAfile or CApath. The certificate may be for some name completely unrelated to Google. And email delivery would have continued even if the certificate were not "Trusted". So while "Trusted" is useful for preparing to deploy a more strict policy, by itself it is rather meaningless. Don't pay any attention to the difference between "Trusted" and "Untrusted", nothing to see here, move along...

-- 
Viktor.
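Added example, not part of the thread and not Postfix's own code: a small Python script that tallies the trust level Postfix logs for each destination ("Anonymous", "Untrusted", "Trusted" or "Verified" before "TLS connection established"), the kind of survey you would run before moving destinations to a stricter per-destination policy. It treats only "Verified" as evidence that the peer name was checked; "Trusted" is counted as chain validation only, which is the distinction Viktor makes above. The log lines other than the quoted gmail one are constructed, using reserved example domains and TEST-NET addresses; the functions and their names are this example's own.

```python
"""Tally Postfix smtp TLS trust levels per destination host.

Added example, not from the thread or the Postfix project. Parses the
"<Level> TLS connection established to host[ip]:port: ..." lines that
postfix/smtp writes and reports, per destination, how often the peer
certificate was Anonymous, Untrusted, Trusted or Verified. Only
"Verified" implies a name check; "Trusted" means the chain led to some
CA in smtp_tls_CAfile / smtp_tls_CApath and nothing more.
"""
import re
from collections import Counter, defaultdict

# The four words Postfix logs in front of "TLS connection established".
LEVELS = ("Anonymous", "Untrusted", "Trusted", "Verified")

TLS_LINE = re.compile(
    r"postfix/smtp\[\d+\]: "
    r"(?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

# Constructed sample log. The first line is the one quoted in the thread;
# the rest are made up (reserved example domains, TEST-NET addresses).
SAMPLE_LOG = """\
Jul  2 14:59:44 mail postfix/smtp[14345]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[173.194.68.27]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Jul  2 15:01:10 mail postfix/smtp[14352]: Verified TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jul  2 15:02:33 mail postfix/smtp[14360]: Verified TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jul  2 15:03:05 mail postfix/smtp[14361]: Trusted TLS connection established to mail.example.org[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul  2 15:04:20 mail postfix/smtp[14370]: Trusted TLS connection established to mail.example.org[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul  2 15:05:51 mail postfix/smtp[14377]: Anonymous TLS connection established to smtp.example.com[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
"""


def parse_tls_lines(text):
    """Return one dict (level, host, ip, port, proto, cipher) per matching line."""
    records = []
    for line in text.splitlines():
        m = TLS_LINE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def summarize(records):
    """Map destination host -> Counter of trust levels seen for it."""
    summary = defaultdict(Counter)
    for r in records:
        summary[r["host"]][r["level"]] += 1
    return dict(summary)


def strict_policy_candidates(summary):
    """Hosts where every logged connection was Verified (chain trusted AND
    name matched). These are the only ones the logs show as ready for a
    'secure' entry in smtp_tls_policy_maps."""
    return sorted(h for h, c in summary.items() if set(c) == {"Verified"})


def chain_only_hosts(summary):
    """Hosts seen as Trusted but never Verified: some CA in the CApath
    signed the chain, but the log carries no evidence about the name."""
    return sorted(h for h, c in summary.items() if "Trusted" in c and "Verified" not in c)


if __name__ == "__main__":
    s = summarize(parse_tls_lines(SAMPLE_LOG))
    for host, counts in sorted(s.items()):
        print(f"{host}: {dict(counts)}")
    print("ready for secure:", strict_policy_candidates(s))
    print("chain trusted, name never verified:", chain_only_hosts(s))
```

Feed it real mail logs (`grep 'TLS connection established' /var/log/mail.log`) and the "chain trusted, name never verified" bucket is exactly the set where "Trusted" tells you nothing about who you actually talked to.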