Viktor Dukhovni via Postfix-users wrote on 2023-03-22 16:36:
On Wed, Mar 22, 2023 at 04:28:36PM +0100, Benny Pedersen via Postfix-users wrote:
>> mx ~ # posttls-finger sdaoden.eu
>> posttls-finger: Connected to sdaoden.eu[217.144.132.164]:25
>> posttls-finger: < 220 sdaoden.eu ESMTP Postfix
>
> I can't even get the connection. I can't even ping sdaoden.eu from my
> server.
I believe it's a firewall problem then, at sdaoden.eu, and the cert fails
No, you just didn't attempt to verify it relative to the system's WebPKI certificate store.
$ posttls-finger -F /etc/ssl/cert.pem -lsecure -c sdaoden.eu
aha, this gives verified cert ok, should postfix itself not do the -F parameter without posttls-finger special option ?
have i done error here
mx ~ # postconf -nf | grep smtp_
smtp_dns_support_level = dnssec
smtp_tls_CAfile = /etc/letsencrypt/live/mx.junc.eu/cert.pem
smtp_tls_CApath = /etc/letsencrypt/live/mx.junc.eu/
smtp_tls_cert_file = /etc/letsencrypt/live/mx.junc.eu/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/mx.junc.eu/privkey.pem
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_policy_maps = hash:/etc/postfix/tls_per_site
smtp_tls_security_level = dane
posttls-finger: sdaoden.eu[217.144.132.164]:25: matched peername:
sdaoden.eu
posttls-finger: sdaoden.eu[217.144.132.164]:25:
subject_CN=sdaoden.eu, issuer=R3,
cert fingerprint=[...],
pkey fingerprint=[...]
posttls-finger: Verified TLS connection established
to sdaoden.eu[217.144.132.164]:25: TLSv1.3 with
cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519
server-signature RSA-PSS (4096 bits)
server-digest SHA256
4096 is imho overkill :)