postfix-users May 2014 archive

Re: TLS issues (postfix says: UNTRUSTED but it is not)

From: Viktor Dukhovni <postfix-users_at_nospam>
Date: Tue May 13 2014 - 13:31:09 GMT
To: postfix-users@postfix.org

On Tue, May 13, 2014 at 02:04:19PM +0200, Simon Effenberg wrote:

> May 13 13:58:10 mail postfix/smtp[12904]: Untrusted TLS connection
> established to my.mailserver.de[123.12.12.1]:25: TLSv1.2 with cipher
> AECDH-AES256-SHA (256/256 bits)

The connection is actually "Anonymous" as evidenced by the cipher-suite
(AECDH-AES256-SHA). So no certificate is exchanged at all.

The logging is misleading; it should say "Anonymous" rather than
"untrusted". This is fixed in 2.11.1 and 2.12 snapshots.

Anonymous connections are the norm when both ends are Postfix and
the client TLS security level (policy) is "may".

If you want authentication of this destination, you need to use a
security level that demands authentication, one of:

        - dane-only
        - fingerprint
        - secure

    http://www.postfix.org/TLS_README.html#client_tls_levels
    http://www.postfix.org/TLS_README.html#client_tls_policy

-- Viktor.
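The point of the reply is that the verification word Postfix logs ("Untrusted") can be contradicted by the cipher-suite name in the same line: an ADH-/AECDH- suite is anonymous, so no certificate was ever presented and only "Verified" in that log line means the destination was actually authenticated. The script below is an added example, not code from the thread or from the Postfix project. It parses smtp(8) "TLS connection established" lines, re-labels anonymous suites by cipher name (useful on versions older than the 2.11.1 fix Viktor mentions), lists destinations that were not authenticated, and builds an smtp_tls_policy_maps entry at the "secure" level for one of them. The log lines are constructed (only the first mirrors the one quoted in the thread), the next-hop domain "example.de" is hypothetical, and the assumption that ADH-/AECDH- are the only anonymous suite prefixes is noted in the code.

```python
import re

# Constructed sample lines (not taken from the poster's server), modelled on the
# Postfix smtp(8) "TLS connection established" message. The first line is the
# case from the thread: logged "Untrusted", but AECDH-* is an anonymous suite.
# The last line is not a TLS line at all and must be skipped by the parser.
SAMPLE_LOG = """\
May 13 13:58:10 mail postfix/smtp[12904]: Untrusted TLS connection established to my.mailserver.de[123.12.12.1]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
May 13 13:58:11 mail postfix/smtp[12905]: Untrusted TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 13 13:58:12 mail postfix/smtp[12906]: Anonymous TLS connection established to mx.example.org[198.51.100.5]:25: TLSv1.2 with cipher ADH-AES128-SHA (128/128 bits)
May 13 13:58:13 mail postfix/smtp[12907]: Trusted TLS connection established to mx.example.com[203.0.113.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
May 13 13:58:14 mail postfix/smtp[12908]: Verified TLS connection established to smtp.example.edu[203.0.113.9]:25: TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)
May 13 13:58:15 mail postfix/smtp[12909]: connect to mx.example.test[203.0.113.11]:25: Connection refused
"""

# One smtp(8) TLS connection line: verification state, destination, protocol, cipher.
LINE_RE = re.compile(
    r"postfix/smtp\[\d+\]: "
    r"(?P<state>Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

# OpenSSL names anonymous (aNULL) suites with a leading "A" on the key exchange:
# ADH-* (anonymous DH) and AECDH-* (anonymous ECDH). Assumption: these are the
# only anonymous suite prefixes the Postfix client can negotiate here.
ANON_PREFIXES = ("ADH-", "AECDH-")


def is_anonymous_cipher(cipher):
    """True if the cipher-suite name denotes an anonymous key exchange."""
    return cipher.startswith(ANON_PREFIXES)


def classify(line):
    """Parse one log line; return None for lines that are not TLS connection lines.

    'effective' is the logged state, except that an anonymous suite is always
    reported as Anonymous: no certificate was exchanged, whatever the log says
    (pre-2.11.1 Postfix logs "Untrusted" for this case).
    Only "Verified" means the peer certificate was checked against policy, so
    that is the only state counted as authenticated.
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    state, cipher = m.group("state"), m.group("cipher")
    effective = "Anonymous" if is_anonymous_cipher(cipher) else state
    return {
        "host": m.group("host"),
        "ip": m.group("ip"),
        "proto": m.group("proto"),
        "cipher": cipher,
        "logged": state,
        "effective": effective,
        "mislabelled": effective != state,
        "authenticated": effective == "Verified",
    }


def triage(log_text):
    """Classify every TLS connection line in a block of log text."""
    results = []
    for line in log_text.splitlines():
        rec = classify(line)
        if rec is not None:
            results.append(rec)
    return results


def unauthenticated(log_text):
    """Destinations (in log order, deduplicated) that were not authenticated."""
    seen, hosts = set(), []
    for rec in triage(log_text):
        if not rec["authenticated"] and rec["host"] not in seen:
            seen.add(rec["host"])
            hosts.append(rec["host"])
    return hosts


def policy_entry(nexthop, mx_host):
    """Build an smtp_tls_policy_maps line demanding authentication of a destination.

    The table is keyed by the next-hop destination (hypothetical "example.de" in
    the test), and the "secure" level is one of the three levels Viktor lists
    that require authentication. The explicit match= names the certificate
    hostname expected from the MX, here the host seen in the log.
    """
    return "%s secure match=%s" % (nexthop, mx_host)


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        flag = " (logged as %s)" % rec["logged"] if rec["mislabelled"] else ""
        print("%-20s %-10s %s%s" % (rec["host"], rec["effective"], rec["cipher"], flag))
    for host in unauthenticated(SAMPLE_LOG):
        print("not authenticated:", host)
    print(policy_entry("example.de", "my.mailserver.de"))
```

Run it against a real mail log with `triage(open("/var/log/mail.log").read())`; every host it lists as not authenticated is one that is only reached at the opportunistic "may" level and needs a policy-map entry at secure, fingerprint or dane-only before the log can ever say "Verified" for it.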