On Sat, Oct 01, 2022 at 09:59:28PM +0000, Eddie Rowe wrote:

> > > I have an RSA wildcard certificate from GoDaddy that I am struggling
> > > to get PostFix to use.
> >
> > What do you mean by "use"?
>
> I know Postfix does not have the code to handle TLS,

Actually, though the low-level TLS code is of course in OpenSSL, Postfix has > 10,000 lines of code related to TLS connection management, and security policy.

> but I assume there is some code to display info based on interactions
> with OpenSSL library that causes the log to say ANONYMOUS.

"Anonymous" means that TLS was negotiated, but without a certificate from the peer. What were you expecting and why? As I mentioned before, see:

    https://www.postfix.org/FORWARD_SECRECY_README.html#status

> > This is all fine. A TLS connection is established. What exactly were you
> > expecting:
>
> I am expecting to see a trusted connection since the certificate is
> signed by a public CA and I have tried to include the intermediate and
> root certificates on the Postfix relay server.

Are you looking at the client or server logs? Is TLS certificate verification configured on the client side, or just opportunistic unauthenticated TLS?

    https://www.postfix.org/TLS_README.html#client_tls_levels

> When I use the null client setup of Postfix to send email to the old
> server I want to replace, I see this in the Postfix logs:
>
> Sep 30 17:39:06 xxxxxx postfix/smtp[13149]: Trusted TLS connection
> established to xxxx.tdhca.state.tx.us[xxx.xx.xx.xx]:xx: TLSv1.2 with
> cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)

Was there a compelling reason to elide the corresponding (client side) logging for a connection to the new server? What is the client TLS security level?

    https://www.postfix.org/DEBUG_README.html#mail

-- 
    Viktor.
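The questions above (client or server log? which trust level?) come down to reading the "Anonymous / Untrusted / Trusted / Verified TLS connection established to/from ..." lines Postfix writes. The following is an added example, not code from the thread or from Postfix: it parses such lines, tells client-side (postfix/smtp, "to") from server-side (postfix/smtpd, "from") handshakes, and lists the client handshakes that came in weaker than the level you expected. The sample log lines, hostnames and addresses are constructed placeholders.

```python
import re

# Postfix logs one of these four prefixes for every completed TLS handshake.
# Listed weakest to strongest; the ranking is this example's, not Postfix's.
TRUST_LEVELS = ("Anonymous", "Untrusted", "Trusted", "Verified")

# Client-side (postfix/smtp) lines read "established to host[ip]:port";
# server-side (postfix/smtpd) lines read "established from host[ip]".
LOG_RE = re.compile(
    r"postfix/(?P<prog>smtpd?)\[\d+\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?P<dir>to|from) (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\](?::(?P<port>\d+))?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>[^)]+)\)"
)

def parse_tls_line(line):
    """Fields of a Postfix 'TLS connection established' line, or None if not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["side"] = "client" if rec["dir"] == "to" else "server"
    return rec

def weak_connections(log, expected="Trusted", side="client"):
    """Handshakes on the given side whose trust level is weaker than `expected`.

    Returns (host, trust, protocol) tuples, e.g. an Anonymous handshake
    (peer sent no certificate) where a Trusted one was expected.
    """
    want = TRUST_LEVELS.index(expected)
    hits = []
    for line in log.splitlines():
        rec = parse_tls_line(line)
        if rec and rec["side"] == side and TRUST_LEVELS.index(rec["trust"]) < want:
            hits.append((rec["host"], rec["trust"], rec["proto"]))
    return hits

# Constructed sample lines; hosts and addresses are documentation placeholders.
SAMPLE_LOG = """\
Sep 30 17:39:06 relay postfix/smtp[13149]: Trusted TLS connection established to mail.example.test[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Sep 30 17:40:11 relay postfix/smtp[13152]: Anonymous TLS connection established to newmail.example.test[192.0.2.20]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Sep 30 17:41:02 relay postfix/smtpd[13160]: Untrusted TLS connection established from client.example.test[198.51.100.5]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep 30 17:41:30 relay postfix/smtp[13170]: connect to other.example.test[203.0.113.7]:25: Connection refused
"""

if __name__ == "__main__":
    for host, trust, proto in weak_connections(SAMPLE_LOG):
        print(f"{host}: {trust} ({proto})")
```

Pass `expected="Verified"` to see which destinations never reach the level that a `verify`/`secure` client security level would produce, and `side="server"` to look at the smtpd side instead.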