On 2023-12-01 12:40, Byung-Hee HWANG via Postfix-users wrote:
Alexander Leidinger via Postfix-users <postfix-users@postfix.org>
writes:

On 2023-12-01 12:08, Byung-Hee HWANG via Postfix-users wrote:
...
Nov 30 11:31:48 mailgate postfix/tlsproxy[175]: server certificate verification failed for in-8.smtp.github.com[140.82.114.32]:25: num=62:hostname mismatch
...
Maybe you check?
<quote from my configuration>
root@yw-1204:/etc/postfix# postconf -n | grep CAfile
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
</quote>

# postconf -n | grep tls_CA
smtp_tls_CApath = /etc/ssl/certs
smtpd_tls_CApath = /etc/ssl/certs


My test logshot:
<quote from my log>
Dec 1 11:33:07 yw-1204 postfix/pickup[57397]: 7AB329A3: uid=1000 from=<soyeo...@yw-1204.doraji.xyz>
Dec 1 11:33:07 yw-1204 postfix/cleanup[59196]: 7AB329A3: message-id=<20231201113307.7ab32...@yw-1204.doraji.xyz>
Dec 1 11:33:07 yw-1204 opendkim[637]: RFC2822-From: Byung-Hee HWANG <soyeo...@yw.doraji.xyz>
Dec 1 11:33:07 yw-1204 opendkim[637]: RFC2821-From: soyeo...@yw.doraji.xyz
Dec 1 11:33:07 yw-1204 opendkim[637]: RFC2821-To: devn...@reply.github.com
Dec 1 11:33:07 yw-1204 opendkim[637]: 7AB329A3: DKIM-Signature field added (s=yw-1204-doraji-xyz, d=doraji.xyz)
Dec 1 11:33:07 yw-1204 postfix/qmgr[54966]: 7AB329A3: from=<soyeo...@yw.doraji.xyz>, size=394, nrcpt=1 (queue active)
Dec 1 11:33:08 yw-1204 postfix/smtp[59204]: Trusted TLS connection established to in-5.smtp.github.com[140.82.113.31]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Dec 1 11:33:09 yw-1204 postfix/smtp[59204]: 7AB329A3: to=<devn...@reply.github.com>, relay=in-5.smtp.github.com[140.82.113.31]:25, delay=1.6, delays=0.01/0.01/1.2/0.34, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as BE91F5E034E)
Dec  1 11:33:09 yw-1204 postfix/qmgr[54966]: 7AB329A3: removed
</quote>

Actually I have no problem. So again you need to double-check the CAfile
things in main.cf ;;;

No, it's a pure security policy thing and an overlooked line in the mysql tls policy table.

The policy "secure" (and I assume "dane-only") doesn't work, as github is not using DNSSEC. Valid policies which make this work are "verify", "may" and I assume "dane" (if you have "smtp_tls_security_level = may" or verify resp. "smtpd_tls_security_level = may" or verify).

Bye,
Alexander.

--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netch...@freebsd.org  : PGP 0x8F31830F9F2772BF
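
Added example, not part of the original messages and not Postfix code: a simplified Python model of which reference name the Postfix SMTP client compares against the server certificate at the "verify" and "secure" levels, using the documented defaults `smtp_tls_verify_cert_match = hostname` and `smtp_tls_secure_cert_match = nexthop, dot-nexthop`. The function names are hypothetical and the certificate name `*.smtp.github.com` is a constructed assumption; the next-hop domain and MX host are taken from the logs above.

```python
# Simplified model of Postfix SMTP client certificate name matching.
# Defaults from postconf(5):
#   smtp_tls_verify_cert_match = hostname
#   smtp_tls_secure_cert_match = nexthop, dot-nexthop
MATCH_DEFAULTS = {
    "verify": ["hostname"],
    "secure": ["nexthop", "dot-nexthop"],
}

def reference_names(level, nexthop, mx_host):
    """Expand a level's match strategies into the names the client looks for."""
    expand = {"hostname": mx_host, "nexthop": nexthop, "dot-nexthop": "." + nexthop}
    return [expand[s].lower() for s in MATCH_DEFAULTS[level]]

def name_matches(cert_name, reference):
    """Compare one certificate DNS name with one reference name."""
    cert_name = cert_name.lower()
    if reference.startswith("."):
        # dot-nexthop: any sub-domain of the next-hop domain
        return cert_name.endswith(reference) and len(cert_name) > len(reference)
    if cert_name.startswith("*."):
        # a wildcard covers exactly one leftmost label
        _, _, parent = reference.partition(".")
        return parent == cert_name[2:]
    return cert_name == reference

def peer_verified(level, nexthop, mx_host, cert_names):
    """True if any certificate name matches any reference name for the level."""
    refs = reference_names(level, nexthop, mx_host)
    return any(name_matches(c, r) for c in cert_names for r in refs)

# Recipient domain and MX host as seen in the thread's logs.
NEXTHOP = "reply.github.com"
MX_HOST = "in-8.smtp.github.com"
# Constructed sample: assumed DNS name in the server certificate.
CERT_NAMES = ["*.smtp.github.com"]

if __name__ == "__main__":
    for level in ("verify", "secure"):
        ok = peer_verified(level, NEXTHOP, MX_HOST, CERT_NAMES)
        print(f"{level}: {'verified' if ok else 'hostname mismatch'}")
```

At "secure" the MX hostname is never used as a reference name because it comes from a DNS lookup; the certificate would have to name the recipient domain or one of its sub-domains.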
