On 08.07.20 13:12, Christian Kivalo wrote:
[...]
> How did you call posttls-finger? Did you use "-F" and point it to
> /etc/ssl/certs/ca-certificates.crt?
>
>> But I do trust this CA:
>> smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
> This setting does not affect posttls-finger

Thanks - I did not understand this. My assumption was that posttls-finger does what postfix would do (unless you tell it to do otherwise).

And the original riddle is solved: posttls-finger is able to verify that as well.

> What does postfix log when you send a mail there?

postfix/smtp[12220]: 2EB716002D: Server certificate not verified

I require 'verify' via tls policy for that domain.

Now.. the question is where this originated since apparently the server is able to verify that now. Will instruct my users to re-try sending an email and have a look in the logs with higher loglevel (smtp_tls_loglevel = 1 so far).

Thanks,
/r