On 2025-09-21 at 11:50:03 UTC-0400 (Sun, 21 Sep 2025 11:50:03 -0400)
Alex via Postfix-users <[email protected]>
is rumored to have said:
Hi, Google Postmaster Tools recently started reporting that my TLS configuration is not properly set up. I don't think anything has changed, but perhaps it was never set up right.
I cannot speak to that, because I don't know what their standards are...
Here's what I'm seeing in the logs.
Sep 19 11:26:21 cipher postfix-gmail/smtp[1403397]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[64.233.177.27]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (prime256v1) server-digest SHA256
That is an SMTP *client* connection *sending* email. It is "Untrusted" because the server cert doesn't verify using your configured trust settings. That's fairly normal for an SMTP client.
Here is my TLS configuration. I'm using SNI maps to deliver the cert depending on one of two domains the user is accessing. The "combined" cert below is the cert and key concatenated together.
smtp_tls_CAfile = /var/www/mail.example.com-443/ssl/DigiCertCA.crt
Why? What is in that file?
See the documentation for smtp_tls_CAfile to understand the question.
"man 5 postconf" is your friend.
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_security_level = may
All fine.
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_chain_files =
/var/www/mail.example.com-443/ssl/mail_example_com-2025.key,
/var/www/mail.example.com-443/ssl/mail_example_com-combined-2025.crt
smtpd_tls_exclude_ciphers = MD5, RC4, 3DES, IDEA, SEED, aNULL
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
All irrelevant to the cited log message, as these are for the SMTP
server, not the client.
--
Bill Cole
[email protected] or [email protected]
(AKA @[email protected] and many *@billmail.scconsult.com
addresses)
Not Currently Available For Hire
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
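As an added example (not code from the thread or from the Postfix project), a small Python script that parses Postfix smtp(8) client TLS log lines like the one quoted above and reports the peer-certificate trust level Bill explains, so an "Untrusted" session under smtp_tls_security_level = may can be told apart from a genuinely weak one (legacy protocol, low cipher strength). The sample log mixes the line from the thread with constructed lines; the hosts mx.example.net and mx.example.org are made up.

```python
import re
from dataclasses import dataclass

# Postfix smtp(8) client TLS line as quoted in the thread. The first word is the
# trust level Postfix assigned to the peer cert: Anonymous, Untrusted, Trusted, Verified.
LINE_RE = re.compile(
    r"postfix(?:-\w+)?/smtp\[\d+\]: (?P<trust>Anonymous|Untrusted|Trusted|Verified) "
    r"TLS connection established to (?P<host>[^\[\s]+)\[[^\]]+\]:\d+: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)

@dataclass
class TlsEvent:
    trust: str
    host: str
    proto: str
    cipher: str
    bits: int

def parse_line(line: str):
    """Return a TlsEvent for a client-side TLS log line, None for anything else."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return TlsEvent(m["trust"], m["host"], m["proto"], m["cipher"], int(m["bits"]))

def assess(ev: TlsEvent) -> list:
    """Findings worth a second look; an empty list means nothing stands out."""
    findings = []
    if ev.trust in ("Anonymous", "Untrusted"):
        # Expected at security_level=may: encrypted, cert not verified. Only a problem
        # if a stricter level (encrypt/verify/secure/dane) was intended for this peer.
        findings.append(f"{ev.trust}: peer certificate not verified")
    if ev.proto in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"):
        findings.append(f"legacy protocol {ev.proto} negotiated")
    if ev.bits < 128:
        findings.append(f"cipher strength only {ev.bits} bits")
    return findings

def summarize(log: str) -> dict:
    """Map destination host -> findings for every client TLS line in the log."""
    return {ev.host: assess(ev) for ev in map(parse_line, log.splitlines()) if ev}

# Constructed sample: the line from the thread plus two made-up lines.
SAMPLE_LOG = """\
Sep 19 11:26:21 cipher postfix-gmail/smtp[1403397]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[64.233.177.27]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (prime256v1) server-digest SHA256
Sep 19 11:27:02 cipher postfix/smtp[1403410]: Verified TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep 19 11:27:30 cipher postfix/smtp[1403411]: connect to mx.example.org[192.0.2.20]:25: Connection refused
"""

if __name__ == "__main__":
    for host, findings in summarize(SAMPLE_LOG).items():
        print(host, "->", findings or ["ok"])
```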