postfix-users April 2011 archive

RE: Problem with wildcard certificate

From: Casartello, Thomas <tomc_at_nospam>
Date: Wed Apr 20 2011 - 13:58:14 GMT
To: "postfix-users@postfix.org" <postfix-users@postfix.org>

Ok thanks. Guess I was looking too much into it. I intentionally raised the debug level to try to find this out. I normally run with it at 1.

Thomas E. Casartello, Jr.
Staff Assistant - Wireless/Linux Administrator
Information Technology
Wilson 105A
Westfield State University

-----Original Message-----
From: owner-postfix-users@postfix.org [mailto:owner-postfix-users@postfix.org] On Behalf Of Victor Duchovni
Sent: Wednesday, April 20, 2011 5:04 AM
To: postfix-users@postfix.org
Subject: Re: Problem with wildcard certificate

On Wed, Apr 20, 2011 at 12:29:27AM +0000, Casartello, Thomas wrote:

> Hello there. I recently just placed a new certificate into my postfix
> server. It is a wildcard certificate. The server's name is not covered
> by the wildcard common name, but it is covered by a subject alternative
> name in the cert. I have two versions of the same cert installed, one on
> a postfix server, one on a Microsoft Exchange system. I am using another
> postfix server to make the test connection. The certs are similar, same
> common name. However they have different keys, and the subject alternate
> names of the certs are different on the two servers.
>
> When I connect to the Exchange server using my postfix client server, I see this:
> Apr 19 20:15:08 mx2 postfix/smtp[31124]: setting up TLS connection to mail.wsc.ma.edu[207.159.171.178]:25
> Apr 19 20:15:08 mx2 postfix/smtp[31124]: mail.wsc.ma.edu[207.159.171.178]:25: TLS cipher list "ALL:+RC4:@STRENGTH"

Your TLS loglevel is set too high; use "1" or "0" for production
configurations.

> However when I connect to my other postfix server I get this:
>
> Apr 19 20:19:18 mx2 postfix/smtp[31125]: setting up TLS connection to mx1.wsc.ma.edu[207.159.171.123]:25
> Apr 19 20:19:18 mx2 postfix/smtp[31125]: Untrusted TLS connection established to mx1.wsc.ma.edu[207.159.171.123]:25: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)

Since you have not configured certificate verification, Postfix negotiates
a certificateless anonymous cipher, when the remote server supports this.

> Trying to figure out why I'm getting untrusted when going from postfix
> to postfix but not from postfix to Microsoft. The difference I see is
> 20:19:18 mx2 postfix/smtp[31125]: SSL_connect:SSLv3 ...

You're trying to read low-level debug logs that are leading you astray.

> Any thoughts as to why the different behavior?

There is no practical security difference between "trusted" and
"untrusted". In both cases the certificate is unverified.

    http://www.postfix.org/TLS_README.html#client_tls_levels

-- Viktor.
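The thread's two points are that only the "... TLS connection established" line matters when reading smtp(8) logs (not the SSL_connect debug noise), and that "Trusted" and "Untrusted" both mean the peer's identity was never checked because no verification was configured. The following Python is an added example, not code from the thread or from Postfix: it parses that log line, flags certificateless (ADH-/AECDH-) handshakes, which older Postfix releases log as "Untrusted", and reports which main.cf client settings leave verification off. The log lines are constructed (example.edu names, 192.0.2.x addresses); the meaning assigned to the four levels follows TLS_README, and the config check uses the real parameter names smtp_tls_loglevel, smtp_tls_security_level, smtp_tls_CAfile and smtp_tls_CApath.

```python
import re
from collections import Counter

# Regex for the smtp(8) client's "<Level> TLS connection established to host[ip]:port: ..." line,
# laid out like the lines quoted in the thread.
TLS_ESTABLISHED = re.compile(
    r"postfix/smtp\[\d+\]: "
    r"(?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

# Constructed sample log (hostnames and addresses are placeholders, not from the thread).
SAMPLE_LOG = [
    "Apr 19 20:15:08 mx2 postfix/smtp[31124]: setting up TLS connection to mail.example.edu[192.0.2.10]:25",
    "Apr 19 20:15:09 mx2 postfix/smtp[31124]: Trusted TLS connection established to mail.example.edu[192.0.2.10]:25: TLSv1 with cipher AES256-SHA (256/256 bits)",
    "Apr 19 20:19:18 mx2 postfix/smtp[31125]: Untrusted TLS connection established to mx1.example.edu[192.0.2.11]:25: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)",
    "Apr 19 20:21:00 mx2 postfix/smtp[31126]: Verified TLS connection established to mx3.example.edu[192.0.2.12]:25: TLSv1 with cipher AES128-SHA (128/128 bits)",
]


def classify(line):
    """Describe one handshake outcome, or return None for any other log line.

    Level semantics as documented in TLS_README (assumption stated in the lead-in):
    only "Verified" means the peer's name was checked against a trusted chain;
    "Trusted" and "Untrusted" both leave the identity unverified. Anonymous DH
    cipher suites (ADH-/AECDH-) carry no certificate at all and are flagged
    separately, since older releases log them as "Untrusted".
    """
    m = TLS_ESTABLISHED.search(line)
    if not m:
        return None
    cipher = m.group("cipher")
    level = m.group("level")
    return {
        "host": m.group("host"),
        "ip": m.group("ip"),
        "level": level,
        "cipher": cipher,
        "certificateless": level == "Anonymous" or cipher.startswith(("ADH-", "AECDH-")),
        "identity_verified": level == "Verified",
    }


def summarize(lines):
    """Count outcomes per destination: verified / unverified_with_cert / certificateless."""
    report = {}
    for line in lines:
        info = classify(line)
        if info is None:
            continue  # "setting up TLS connection", SSL_connect debug output, etc.
        counter = report.setdefault(info["host"], Counter())
        if info["identity_verified"]:
            counter["verified"] += 1
        elif info["certificateless"]:
            counter["certificateless"] += 1
        else:
            counter["unverified_with_cert"] += 1
    return report


def check_client_tls_config(settings):
    """Return findings for smtp(8) client TLS settings given as a dict standing in for main.cf.

    An empty list means the loglevel is production-appropriate and verification is
    actually configured (a verifying level with trust anchors).
    """
    findings = []
    loglevel = int(settings.get("smtp_tls_loglevel", "0"))
    if loglevel > 1:
        findings.append(f"smtp_tls_loglevel = {loglevel}: debug setting; use 0 or 1 in production")
    level = settings.get("smtp_tls_security_level", "none")
    has_anchors = bool(settings.get("smtp_tls_CAfile") or settings.get("smtp_tls_CApath"))
    if level == "none":
        findings.append("smtp_tls_security_level = none: TLS is off for outbound mail")
    elif level in ("may", "encrypt"):
        findings.append(f"smtp_tls_security_level = {level}: any peer certificate is accepted unverified")
    elif level in ("verify", "secure") and not has_anchors:
        findings.append(f"smtp_tls_security_level = {level} without smtp_tls_CAfile/CApath: no trust anchors")
    return findings


if __name__ == "__main__":
    for host, counts in summarize(SAMPLE_LOG).items():
        print(host, dict(counts))
    for finding in check_client_tls_config({"smtp_tls_loglevel": "4", "smtp_tls_security_level": "may"}):
        print("finding:", finding)
```

Running the summary over a day of mail logs shows which destinations ever reach "Verified"; for the rest, raising the level to "secure" (or a per-destination policy in smtp_tls_policy_maps) with a CAfile is what turns the log line from "Trusted"/"Untrusted" into a statement about the peer's identity.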