Thorsten Habich:
> Hello,
>
> the certificate verification with the TA file option still occasionally fails:
>
> 2020-08-13T07:39:39.007186+02:00 server postfix/tlsproxy[47119]:
> certificate verification failed for remote.domain.tld[10.11.12.13]:25:
> untrusted issuer /C=PL/O=Unizeto Sp. z o.o./CN=Certum CA
> 2020-08-13T07:39:39.007423+02:00 server postfix/tlsproxy[47119]:
> Untrusted TLS connection established to
> remote.domain.tld[10.11.12.13]:25: TLSv1.2 with cipher
> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> 2020-08-13T07:39:39.007537+02:00 server postfix/smtp[26187]: Untrusted
> TLS connection established to remote.domain.tld[10.11.12.13]:25: TLSv1.2
> with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
I'll leave it to Viktor and you to figure out why this is
non-deterministic.
Unfortunately this does not show whether the SMTP client proceeds
with the email delivery.
> on the next delivery attempt the connection re-use seems to lead to the
> fact that the verification isn't processed again, although the last
> delivery attempt failed due to a mandatory TLS configuration (secure):
That depends on whether the requirement exists (in smtp(8) and
tlsproxy(8)) that the certificate verification must succeed, and
if that requirement exists, whether that requirement is enforced.
Wietse
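The quoted log shows the outcome of the TLS handshake but, as noted above, not whether the delivery went ahead. To check that, an operator has to pair the smtp(8) "TLS connection established" line with the delivery record (queue ID, relay, status) that the same smtp process logs afterwards. The following is an added example, not code from this thread or from Postfix, that does that correlation over constructed log lines: the first two lines copy the shape of the quoted log, while the queue IDs, recipients, status texts and the final case (a delivery logged by a process that never logged a TLS line of its own, as one would expect when a tlsproxy connection is reused) are assumptions made up for the example.

```python
import re

# Constructed sample lines in Postfix syslog format (not from the original post).
# Queue IDs, recipients, the deferral text and pid 26195 are assumptions.
SAMPLE_LOG = """\
2020-08-13T07:39:39.007186+02:00 server postfix/tlsproxy[47119]: certificate verification failed for remote.domain.tld[10.11.12.13]:25: untrusted issuer /C=PL/O=Unizeto Sp. z o.o./CN=Certum CA
2020-08-13T07:39:39.007537+02:00 server postfix/smtp[26187]: Untrusted TLS connection established to remote.domain.tld[10.11.12.13]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
2020-08-13T07:39:39.120000+02:00 server postfix/smtp[26187]: 4BQ1234567: to=<user@remote.domain.tld>, relay=remote.domain.tld[10.11.12.13]:25, delay=0.4, delays=0.01/0/0.3/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
2020-08-13T07:41:00.000000+02:00 server postfix/smtp[26190]: Verified TLS connection established to other.example[192.0.2.7]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
2020-08-13T07:41:00.200000+02:00 server postfix/smtp[26190]: 4BQ7654321: to=<a@other.example>, relay=other.example[192.0.2.7]:25, delay=0.5, delays=0.01/0/0.3/0.19, dsn=2.0.0, status=sent (250 Ok)
2020-08-13T07:42:00.000000+02:00 server postfix/smtp[26191]: Untrusted TLS connection established to third.example[198.51.100.9]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
2020-08-13T07:42:00.300000+02:00 server postfix/smtp[26191]: 4BQ1111111: to=<b@third.example>, relay=third.example[198.51.100.9]:25, delay=0.6, delays=0.01/0/0.3/0.29, dsn=4.7.5, status=deferred (Server certificate not trusted)
2020-08-13T07:45:10.000000+02:00 server postfix/smtp[26195]: 4BQ2222222: to=<c@remote.domain.tld>, relay=remote.domain.tld[10.11.12.13]:25, delay=0.2, delays=0.01/0/0.1/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
"""

# Only smtp(8) lines carry the queue ID, so tlsproxy(8) lines are ignored here.
TLS_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: "
    r"(?P<level>Untrusted|Trusted|Verified|Anonymous) TLS connection established to "
    r"(?P<relay>\S+?):"
)
DELIVERY_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>\S+?)(?::\d+)?, .*status=(?P<status>\w+)"
)


def correlate(log_text):
    """Pair each smtp(8) delivery record with the last TLS line logged by the same process.

    tls_level is 'Untrusted', 'Trusted', 'Verified' or 'Anonymous', or None when that
    process logged no TLS line for this relay before the delivery (the reused-connection
    case the thread is asking about)."""
    last_tls = {}  # pid -> (relay, level)
    results = []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            last_tls[m["pid"]] = (m["relay"], m["level"])
            continue
        m = DELIVERY_RE.search(line)
        if not m:
            continue
        relay, level = last_tls.get(m["pid"], (None, None))
        results.append({
            "queue_id": m["qid"],
            "rcpt": m["rcpt"],
            "relay": m["relay"],
            "status": m["status"],
            # Guard against a stale entry from an earlier relay in the same process.
            "tls_level": level if relay == m["relay"] else None,
        })
    return results


def suspicious_deliveries(log_text, secure_relays):
    """Deliveries an operator with a 'secure' policy for these relays should look at:
    mail accepted (status=sent) over a connection logged as anything other than
    Verified, or over a connection whose TLS level this process never logged."""
    return [
        r for r in correlate(log_text)
        if r["status"] == "sent"
        and any(r["relay"].startswith(host) for host in secure_relays)
        and r["tls_level"] != "Verified"
    ]


if __name__ == "__main__":
    for r in suspicious_deliveries(SAMPLE_LOG, ["remote.domain.tld", "other.example"]):
        print(r["queue_id"], r["relay"], r["status"], "tls_level=%s" % r["tls_level"])
```

Run against a real mail log, the script reports two kinds of hits: a delivery with `tls_level=Untrusted` (the handshake was logged and the mail still went out) and one with `tls_level=None` (no TLS line in that process at all), which is where the connection re-use question belongs; only the first kind is settled by the log alone.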