Thorsten Habich:
> Hello,
>
> the certificate verification with TA file option still occasionally fails:
>
> 2020-08-13T07:39:39.007186+02:00 server postfix/tlsproxy[47119]:
> certificate verification failed for remote.domain.tld[10.11.12.13]:25:
> untrusted issuer /C=PL/O=Unizeto Sp. z o.o./CN=Certum CA
> 2020-08-13T07:39:39.007423+02:00 server postfix/tlsproxy[47119]:
> Untrusted TLS connection established to
> remote.domain.tld[10.11.12.13]:25: TLSv1.2 with cipher
> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> 2020-08-13T07:39:39.007537+02:00 server postfix/smtp[26187]: Untrusted
> TLS connection established to remote.domain.tld[10.11.12.13]:25: TLSv1.2
> with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
I'll leave it to Viktor and you to figure out why this is non-deterministic. Unfortunately this does not show whether the SMTP client proceeds with the email delivery.

> on the next delivery attempt the connection re-use seems to lead to the
> fact that the verification isn't processed again, although the last
> delivery attempt failed due to a mandatory TLS configuration (secure):

That depends on whether the requirement exists (in smtp(8) and tlsproxy(8)) that the certificate verification must succeed, and if that requirement exists, whether that requirement is enforced.

	Wietse
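An added example (not from this thread or from Postfix itself) of the kind of log check a mail admin would run while this is being investigated: it scans smtp(8)/tlsproxy(8) "TLS connection established" lines and flags any destination whose policy is `secure` or `verify` but whose connection was logged at a trust level below "Verified". The sample log lines are constructed from the excerpt above (hostname and IP are the thread's placeholders), and the policy table is a hypothetical stand-in for an `smtp_tls_policy_maps` lookup.

```python
import re

# Constructed sample log lines modelled on the thread's excerpt.
SAMPLE_LOG = """\
2020-08-13T07:39:39.007186+02:00 server postfix/tlsproxy[47119]: certificate verification failed for remote.domain.tld[10.11.12.13]:25: untrusted issuer /C=PL/O=Unizeto Sp. z o.o./CN=Certum CA
2020-08-13T07:39:39.007423+02:00 server postfix/tlsproxy[47119]: Untrusted TLS connection established to remote.domain.tld[10.11.12.13]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
2020-08-13T07:39:39.007537+02:00 server postfix/smtp[26187]: Untrusted TLS connection established to remote.domain.tld[10.11.12.13]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
2020-08-13T07:40:01.100000+02:00 server postfix/smtp[26188]: Verified TLS connection established to other.example[192.0.2.5]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
"""

# Hypothetical stand-in for an smtp_tls_policy_maps table: destination -> security level.
POLICY = {"remote.domain.tld": "secure", "other.example": "may"}

# Postfix logs the trust level as the first word: Untrusted, Trusted, Verified or Anonymous.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ postfix/(?P<prog>smtp|tlsproxy)\[\d+\]: "
    r"(?P<level>Untrusted|Trusted|Verified|Anonymous) TLS connection established to "
    r"(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]:\d+: .*$"
)


def find_policy_violations(log_text, policy):
    """Return (host, program, timestamp) for every connection that a
    'secure' or 'verify' policy should have refused but which was logged
    at a trust level other than Verified."""
    violations = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # verification-failure and non-TLS lines are skipped here
        required = policy.get(m["host"].lower(), "may")
        if required in ("secure", "verify") and m["level"] != "Verified":
            violations.append((m["host"], m["prog"], m["ts"]))
    return violations


if __name__ == "__main__":
    for host, prog, ts in find_policy_violations(SAMPLE_LOG, POLICY):
        print(f"{ts} {prog}: policy requires Verified but got lower trust level for {host}")
```

Both the tlsproxy(8) and the smtp(8) line for remote.domain.tld are reported, which is exactly the pair to look for when checking whether a reused connection bypassed the mandatory policy.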