On 2022-11-21 at 12:18:33 UTC-0500 (Mon, 21 Nov 2022 18:18:33 +0100)
Paul Menzel <pmen...@molgen.mpg.de>
is rumored to have said:
Dear Postfix folks,
With Postfix 3.6.0-RC1 and
# postconf -n smtp_tls_security_level
smtp_tls_security_level = dane
the Postfix SMTP client logs several untrusted TLS connections for
hosts with a good TLS certificate setup.
[...]
I have no answer to your main question but I think I see the issue in
the log below. The server sends a certificate with "issuer_CN=GEANT OV
RSA CA 4" but it doesn't seem to send any intermediate certificate to
build a chain back to a known root, so unless you have a trusted root
locally for that issuer, the chain can't be verified.
PPS: Postfix log for helmholtz-muenchen.de with `smtp_tls_loglevel=2`:
```
2022-11-21T16:27:13+01:00 tldr postfix/smtp[10759]: setting up TLS connection to c1491.mx.srv.dfn.de[194.95.238.86]:25
2022-11-21T16:27:13+01:00 tldr postfix/smtp[10759]: c1491.mx.srv.dfn.de[194.95.238.86]:25: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH:!RC4:!aNULL:!aNULL"
2022-11-21T16:27:13+01:00 tldr postfix/smtp[10759]: c1491.mx.srv.dfn.de[194.95.238.86]:25: SNI hostname: c1491.mx.srv.dfn.de
2022-11-21T16:27:13+01:00 tldr postfix/smtp[10759]: SSL_connect:before SSL initialization
2022-11-21T16:27:13+01:00 tldr postfix/smtp[10759]: SSL_connect:SSLv3/TLS write client hello
2022-11-21T16:27:13+01:00 tldr postfix/smtp[10759]: SSL_connect:SSLv3/TLS write client hello
2022-11-21T16:27:13+01:00 tldr postfix/smtp[10759]: SSL_connect:SSLv3/TLS read server hello
2022-11-21T16:27:13+01:00 tldr postfix/smtp[10759]: SSL_connect:SSLv3/TLS write change cipher spec
2022-11-21T16:27:13+01:00 tldr postfix/smtp[10759]: SSL_connect:SSLv3/TLS write client hello
2022-11-21T16:27:13+01:00 tldr postfix/smtp[10759]: SSL_connect:SSLv3/TLS write client hello
2022-11-21T16:27:13+01:00 tldr postfix/smtp[10759]: SSL_connect:SSLv3/TLS read server hello
2022-11-21T16:27:13+01:00 tldr postfix/smtp[10759]: SSL_connect:TLSv1.3 read encrypted extensions
2022-11-21T16:27:13+01:00 tldr postfix/smtp[10759]: c1491.mx.srv.dfn.de[194.95.238.86]:25: depth=0 verify=1 subject=/C=DE/ST=Berlin/O=Verein zur F\xC3\xB6rderung eines Deutschen Forschungsnetzes DFN-Verein/CN=mx.srv.dfn.de
2022-11-21T16:27:13+01:00 tldr postfix/smtp[10759]: SSL_connect:SSLv3/TLS read server certificate
2022-11-21T16:27:13+01:00 tldr postfix/smtp[10759]: SSL_connect:TLSv1.3 read server certificate verify
2022-11-21T16:27:13+01:00 tldr postfix/smtp[10759]: SSL_connect:SSLv3/TLS read finished
2022-11-21T16:27:13+01:00 tldr postfix/smtp[10759]: SSL_connect:SSLv3/TLS write finished
2022-11-21T16:27:13+01:00 tldr postfix/smtp[10759]: c1491.mx.srv.dfn.de[194.95.238.86]:25: Matched DANE EE certificate at depth 0: 3 0 1 B85BD6FA275E5DE5748964BFBEBA198836ABAE5D6BF51A7D75756F888B3C08E7
2022-11-21T16:27:13+01:00 tldr postfix/smtp[10759]: c1491.mx.srv.dfn.de[194.95.238.86]:25: subject_CN=mx.srv.dfn.de, issuer_CN=GEANT OV RSA CA 4, fingerprint=67:AA:4B:C1:2C:4B:AF:BA:82:12:A9:0E:E5:50:74:C3, pkey_fingerprint=98:E4:A8:E2:4C:C4:CA:3E:12:D8:77:B4:5C:4A:31:1B
2022-11-21T16:27:13+01:00 tldr postfix/smtp[10759]: Untrusted TLS connection established to c1491.mx.srv.dfn.de[194.95.238.86]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256
2022-11-21T16:27:13+01:00 tldr postfix/smtp[10759]: SSL_connect:SSL negotiation finished successfully
2022-11-21T16:27:13+01:00 tldr postfix/smtp[10759]: SSL_connect:SSL negotiation finished successfully
2022-11-21T16:27:13+01:00 tldr postfix/smtp[10759]: SSL_connect:SSLv3/TLS read server session ticket
```
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire