On Fri, Feb 27, 2009 at 12:56:34PM -0500, Adam Rosi-Kessel wrote:

> Victor Duchovni wrote, on 2/27/2009 12:50 PM:
>>> I'm running postfix on server and client, forcing TLS on both.
>>> No matter what I do, I can't seem to solve "Untrusted TLS connection 
>>> established to [...]:587: TLSv1 with cipher ADH-AES256-SHA (256/256 
>>> bits)" warning messages in the client log file. Aside from those 
>>> warnings, mail delivery actually works fine.
>> This is not a warning. It is an informational message. Postfix 2.6 will
>> use "Anonymous" instead of "Untrusted", which may be less confusing.
>
> Thanks -- that explains a lot. So it just means there is no 
> client-certificate, right? Is this to be expected, even if I do have a 
> unique cert/key installed on the client?

It means that the client negotiated an anonymous cipher with the server,
and there were no certificates on either side. When Postfix is not
doing certificate checks (opportunistic TLS: "may"), no certificates
are required.

> But I'm not sure it's actually checking the server certificate at all, 

Clearly it is not, because you did not ask the client to check the server
certificate, so why waste time doing that.

> which may just be a separate issue. If I take out any mention of cacert in 
> main.cf, I don't see any warning or error in the log file. Shouldn't the 
> postfix client be checking the server certificate against the local trusted 
> CA?

Only if you ask it to, generally unwise as the vast majority of
SMTP STARTTLS servers are self-signed. You can use secure-channel
configurations to selected destinations via the policy table.

-- 
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
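The two client settings the reply contrasts, written out as an added example (this is not configuration from the message or from the Postfix project): "may" is opportunistic TLS, so an anonymous ADH cipher with no certificates on either side is accepted and the "Untrusted"/"Anonymous" log line is purely informational, while "secure" for one selected next-hop via smtp_tls_policy_maps makes the client check the server certificate against smtp_tls_CAfile and defer mail when that check fails. The domain secure.example, the CA bundle path, and the temporary directory are assumptions for illustration; the toy tls_level_for function only mimics the effective level for an exact policy-table key and is not Postfix's full lookup order.

```shell
#!/bin/sh
# Added example, not from the original message: opportunistic "may" as the
# global default, with "secure" for a single destination via the policy table.
# secure.example, CAFILE and WORKDIR are assumptions for illustration; files
# are written to a temp dir so this runs without Postfix installed.
WORKDIR="${WORKDIR:-$(mktemp -d)}"
CAFILE="/etc/ssl/certs/ca-certificates.crt"   # assumed CA bundle location

# main.cf fragment: opportunistic TLS everywhere unless the policy table says
# otherwise. No certificate checks at "may"; anonymous ciphers are accepted.
cat >"$WORKDIR/main.cf.tls" <<EOF
smtp_tls_security_level = may
smtp_tls_CAfile = $CAFILE
smtp_tls_loglevel = 1
smtp_tls_policy_maps = hash:$WORKDIR/tls_policy
EOF

# Policy table: only this next-hop gets "secure". The server certificate must
# chain to a CA in smtp_tls_CAfile and its name must match the match= list.
cat >"$WORKDIR/tls_policy" <<'EOF'
# next-hop destination   level   options
secure.example           secure  match=secure.example:.secure.example
EOF

# With Postfix installed this builds the hash table; skipped otherwise.
if command -v postmap >/dev/null 2>&1; then
    postmap "hash:$WORKDIR/tls_policy"
fi

# Toy lookup of the effective level for a destination: an exact key in the
# policy file wins, otherwise the global smtp_tls_security_level applies.
# Only exact keys are handled here; this is an illustration, not Postfix's
# full [host]:port / domain lookup order.
tls_level_for() {
    dest="$1"
    level=$(awk -v d="$dest" '$1 !~ /^#/ && $1 == d { print $2; exit }' \
        "$WORKDIR/tls_policy")
    if [ -n "$level" ]; then
        printf '%s\n' "$level"
    else
        sed -n 's/^smtp_tls_security_level *= *//p' "$WORKDIR/main.cf.tls"
    fi
}

# Show which level each destination would get under this configuration.
for d in secure.example other.example; do
    printf '%-20s -> %s\n' "$d" "$(tls_level_for "$d")"
done
```

On a real system the two files would be /etc/postfix/main.cf and /etc/postfix/tls_policy, followed by `postmap hash:/etc/postfix/tls_policy` and a reload; the point of keeping "secure" per destination rather than global is the one the reply makes: most STARTTLS servers present self-signed certificates, so a global "secure" level would stop mail to them.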
