On 17/03/20 2:08 am, Viktor Dukhovni wrote:
> For opportunistic TLS, unvalidated certificates are not a failure.
> There is no problem, everything is working as expected:
> $ posttls-finger -l may -c -L summary gmail.com
> posttls-finger: Untrusted TLS connection established to gmail-smtp-in.l.google.com[2607:f8b0:400d:c0f::1a]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
$ openssl s_client -connect "gmail-smtp-in.l.google.com:25" -servername
"gmail-smtp-in.l.google.com" -starttls smtp <<<"QUIT" | tee >(openssl
x509 -noout -text); sleep 0.1
0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=mx.google.com
i:/C=US/O=Google Trust Services/CN=GTS CA 1O1
1 s:/C=US/O=Google Trust Services/CN=GTS CA 1O1
i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
Not After : May 19 20:43:24 2020 GMT
X509v3 Subject Alternative Name:
Looks valid to me, unless I'm missing something, or is posttls-finger
On Mon, Mar 16, 2020 at 02:45:55PM -0400, Wietse Venema wrote:
> > Looks valid to me, unless I'm missing something, or is posttls-finger
> > missing something?
> Postfix code will enforce the security level that you specify.
> If you want Postfix to trust the certificate, then specify that.
> posttlls-finger -l <your preferred level> ...
> Ditto in main.cf and smtp_tls_policy_maps.
Everything is as expected. Postfix defaults to opportunistic TLS, which
does not care about the peer certificate (does not attempt to verify
it), and *also* by default has an empty trust store. If you want to
trust some list of random third-parties, you have to explicitly turn
that on. And if you want "Verified", rather than "trusted" you
often have to also specify appropriate name matching: