On Tue, Dec 22, 2020 at 09:24:27AM -0500, James B. Byrne wrote:

> > It clearly supports STARTTLS, since it is actually performing the TLS
> > handshake, and abandons it after receiving certificates it is not happy
> > with.
>
> Which confuses me, because I can use java to successfully negotiate a
> certificate exchange with Postfix using the same keystore that the
> application is using.

Perhaps you're confusing the Java keystore with the Java trust store, they
are separate entities. Java is a programming language, not a single
application. Each Java program gets to do its own thing. Yes, they often
share some common libraries and file formats, ...

> I cannot see Postfix sending a different server certificate on port
> 465 from that it presents on ports 25 or 465. And if the certificate
> on 465 passes the keystore validation on the client then what would
> prevent it from passing on port 25?

Well, you're running tests with completely different Java client
applications and likely in fact different configuration settings. All
that's in common is that both are Java, which is something, but not
much...

Note that certificates don't pass "keystore" validation, they pass "trust
store" validation. Java keystores are for your own private key and cert
(akin to PKCS12 containers, or a PEM with key + cert chain), while trust
stores are akin to a cert bundle with lots of CA certs.

> I know that the service is different on both ports, but the
> certificate acceptability should be the same. And it is the client
> that is causing the problem.

You could hypothetically have different certificate settings for the
different ports in master.cf, but if you don't then indeed the server side
TLS behaviour is likely the same across the board.

-- 
Viktor.
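A way to test the "same certificate on every port" assumption from the last quoted paragraph rather than infer it, added here and not part of the thread: pull the leaf certificate Postfix presents via STARTTLS on 25 and 587 and via implicit TLS on 465, and compare fingerprints. The hostname mail.example.com and the SMTP_HOST variable are placeholders; the Java trust store itself is checked separately (keytool -list against the file the failing application actually loads).

```shell
#!/bin/sh
# Added example, not from the thread. Compares the server certificate
# Postfix presents on the STARTTLS ports (25, 587) with the one on the
# implicit-TLS port (465). SMTP_HOST and mail.example.com are placeholders.
HOST="${SMTP_HOST:-mail.example.com}"

# Print the openssl s_client arguments for a port: 465 is implicit TLS,
# 25 and 587 need the STARTTLS upgrade before the handshake.
s_client_args() {
  case "$1" in
    465)    echo "-connect $HOST:465" ;;
    25|587) echo "-starttls smtp -connect $HOST:$1" ;;
    *)      echo "unsupported port: $1" >&2; return 1 ;;
  esac
}

# Fetch the leaf certificate from one port and print its SHA-256 fingerprint.
cert_fingerprint() {
  args=$(s_client_args "$1") || return 1
  # shellcheck disable=SC2086  # word-splitting of $args is intended
  openssl s_client $args -servername "$HOST" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}

# Compare fingerprints across ports. A mismatch points at a per-service
# override in master.cf (see: postconf -P | grep tls_cert); a match means
# the difference is on the client side (its trust store, not its keystore).
compare_ports() {
  ref=$(cert_fingerprint 465) || return 1
  echo "465: $ref"
  for p in 25 587; do
    fp=$(cert_fingerprint "$p") || { echo "$p: no certificate obtained"; continue; }
    if [ "$fp" = "$ref" ]; then echo "$p: same as 465"; else echo "$p: DIFFERS: $fp"; fi
  done
}

# Only contact the network when a host was given explicitly.
if [ -n "${SMTP_HOST:-}" ]; then compare_ports; fi
```

Run as SMTP_HOST=your.mail.host sh check_ports.sh; if 25 differs from 465, look at the -o smtpd_tls_cert_file lines under the smtps/submission entries in master.cf before looking at the client.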