Package: postfix
Version: 2.8.2-1
Severity: normal

I use smtp.gmail.com as a smarthost but I hardcode its cert fingerprint
in my postfix config to help prevent MITM attacks.
 
  relayhost = smtp.gmail.com:587
  smtp_generic_maps = hash:/etc/postfix/generic
  smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd 
  smtp_sasl_auth_enable = yes
  smtp_sasl_security_options = noanonymous
  smtp_tls_security_level = fingerprint
  smtp_tls_mandatory_ciphers = high
  smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
  smtp_tls_fingerprint_digest = sha1
  smtp_tls_fingerprint_cert_match =
    DB:A0:2A:07:00:F9:E3:23:7D:07:E7:52:3C:95:9D:E6:7E:12:54:3F

A few days ago, smtp.gmail.com changed its cert and so postfix rightfully
decided not to connect to it and kept on queueing mail locally instead.
The problem is that the only sign that this was happening was in
/var/log/mail.info:

  Mar 31 18:51:20 hostname postfix/smtp[3937]: 6B2815B4528: to=<secur...@debian.org>, relay=smtp.gmail.com[74.125.53.109]:587, delay=36, delays=33/0.56/2.7/0, dsn=4.7.5, status=deferred (Server certificate not verified)

I've got both /var/log/mail.warn and /var/log/mail.err in
/etc/logcheck/logcheck.logfiles and I was expecting such an important
message to be at least considered a warning.

Could the priority of that particular error message be bumped?

Cheers,
Francois
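
A log check for the deferral described in this report, as an added example that is not part of the original bug report or of Postfix: it scans mail-log lines for deliveries deferred with "Server certificate not verified" and counts them per relay. The function names and the sample lines (example.org addresses, 192.0.2.x IPs, queue IDs) are constructed for illustration.

```python
import re
import sys
from collections import Counter

# Shape of a Postfix smtp(8) delivery record, as in the log line quoted above.
DELIVERY = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^,]+), .*?dsn=(?P<dsn>[\d.]+), "
    r"status=(?P<status>\w+) \((?P<reason>.*)\)\s*$"
)
CERT_REASON = "Server certificate not verified"  # reason text from the report


def cert_deferrals(lines):
    """Return (queue_id, recipient, relay) for every delivery that was
    deferred because the relay's certificate failed verification."""
    hits = []
    for line in lines:
        m = DELIVERY.search(line)
        if m and m["status"] == "deferred" and CERT_REASON in m["reason"]:
            hits.append((m["qid"], m["rcpt"], m["relay"]))
    return hits


def summarize(hits):
    """Count affected deliveries per relay hostname ([IP]:port stripped)."""
    return Counter(relay.split("[", 1)[0] for _, _, relay in hits)


# Constructed sample lines (not taken from the report).
SAMPLE = [
    "Mar 31 18:51:20 mx postfix/smtp[3937]: 1A2B3C4D5E6: to=<a@example.org>, "
    "relay=smtp.gmail.com[192.0.2.10]:587, delay=36, delays=33/0.56/2.7/0, "
    "dsn=4.7.5, status=deferred (Server certificate not verified)",
    "Mar 31 18:52:01 mx postfix/smtp[3940]: 2B3C4D5E6F7: to=<b@example.org>, "
    "relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.1, "
    "status=deferred (connect to smtp.gmail.com[192.0.2.10]:587: "
    "Connection timed out)",
    "Mar 31 18:53:44 mx postfix/smtp[3951]: 3C4D5E6F7A8: to=<c@example.org>, "
    "relay=smtp.gmail.com[192.0.2.11]:587, delay=12, delays=9/0.2/2.8/0, "
    "dsn=4.7.5, status=deferred (Server certificate not verified)",
]

if __name__ == "__main__":
    # Read a log file if given (e.g. /var/log/mail.info), else the sample.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for relay, n in summarize(cert_deferrals(source)).items():
        print(f"WARNING: {n} delivery attempt(s) deferred: "
              f"certificate for {relay} not verified")
```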


