On Thu, Apr 16, 2009 at 08:23:18PM +0200, gabriele wrote:

> I have only one peer as nexthop in my transport table, this is my
> configuration for postfix smtp:

These settings look a bit like an experimental particle physicist trying to learn about the inner workings of client TLS in Postfix by smashing all the parameters together in a high energy collision. What exactly are you trying to do?

- Encrypted connection to a server with no peername authentication?
- Secure connection to a server authenticated by the certificate fingerprint?
- Secure connection using trusted 3rd-party CAs and matching of names in trusted certificates?

> > # SMTP TLS
> > smtp_use_tls=yes
> > smtp_tls_loglevel = 1
> > smtp_tls_enforce_peername = no
> > smtp_tls_CAfile = /etc/postfix/ssl/CA.pem
> > smtp_tls_cert_file=/etc/postfix/ssl/cert.pem
> > smtp_tls_key_file=/etc/postfix/ssl/key.pem
> > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> > smtp_tls_enforce_peername = no
> > smtp_tls_mandatory_ciphers = high
> > smtp_tls_mandatory_protocols = SSLv3, TLSv1
> > smtp_tls_secure_cert_match = nexthop
> > smtp_tls_security_level = fingerprint
> > smtp_tls_fingerprint_digest = sha1
> > smtp_tls_fingerprint_cert_match =
> > D4:A8:07:24:0C:26:B6:D7:9D:AA:CC:CA:77:BA:3A:27:AE:0C:B5:35
> > smtp_tls_scert_verifydepth = 1
> > smtp_tls_note_starttls_offer = yes
>
> ... and I still can't have a verified TLS connection with my relayhost.
> My CA.pem, smtp_tls_CAfile = /etc/postfix/ssl/CA.pem, has both my
> self-signed main CA certificate and my nexthop CA in it. Should I
> include the whole CA certificates directory in postfix main.cf? How can I
> have a verified TLS connection with my relayhost?

Pick just one strategy, and make sure the relay's certificate meets the conditions you specify. If you still have problems, post detailed logs with smtp_tls_loglevel=2 and unedited "postconf -n | grep smtp_tls_" output.

-- 
	Viktor.

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the "Reply-To" header.
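The three strategies Viktor lists, each as a self-consistent main.cf fragment, added here as an illustration (not from the thread or the Postfix documentation); the fingerprint shown is a placeholder and the relay's own certificate details are assumed.

```ini
# Added illustration, not from the thread: one strategy per Postfix SMTP
# client. Keep exactly ONE of the three strategy blocks in main.cf.
# The legacy knobs smtp_use_tls and smtp_tls_enforce_peername predate
# smtp_tls_security_level and are superseded by it; drop them so the
# security level alone decides what is enforced.

# Common to all three strategies
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_note_starttls_offer = yes
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = SSLv3, TLSv1

# --- Strategy 1: encryption only, no peer authentication ----------------
# Defeats passive eavesdropping; does NOT defeat an active man-in-the-middle.
smtp_tls_security_level = encrypt

# --- Strategy 2: pin the relay's certificate by fingerprint --------------
# No CA involved at all; smtp_tls_CAfile is irrelevant here. The value must
# equal the digest of the relay's own certificate, e.g. as printed by
#   openssl x509 -in relay-cert.pem -noout -fingerprint -sha1
# Placeholder below; replace with the real fingerprint of your relay.
smtp_tls_security_level = fingerprint
smtp_tls_fingerprint_digest = sha1
smtp_tls_fingerprint_cert_match =
    XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX

# --- Strategy 3: CA-verified certificate, name matched against nexthop ---
# CA.pem must contain the CA that issued the relay's certificate, and the
# relay's certificate must carry the relayhost name (CN or subjectAltName),
# otherwise the "nexthop" match fails and mail is deferred, not downgraded.
smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/postfix/ssl/CA.pem
smtp_tls_secure_cert_match = nexthop
smtp_tls_scert_verifydepth = 1
```

With strategies 2 and 3 a mismatch is a hard failure (mail stays queued), so "postconf -n | grep smtp_tls_" should show only the parameters of the strategy actually in use.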