On Fri, Aug 21, 2009 at 06:09:52AM -0500, Noel Jones wrote:
> Ralf Hildebrandt wrote:
>>>
>>> Aug 20 22:49:01 server postfix/smtpd[7724]: connect from
>>> unknown[XXX.YYY.ZZZ.KKK]
>>> Aug 20 22:49:02 server postfix/smtpd[7724]: setting up TLS connection
>>> from unknown[XXX.YYY.ZZZ.KKK]
>>> Aug 20 22:49:02 server postfix/smtpd[7724]: Anonymous TLS connection
>>> established from unknown[XXX.YYY.ZZZ.KKK]: TLSv1 with cipher
>>> AES128-SHA (128/128 bits)
>>>
>>> Why does it say "Anonymous TLS connection"?
>> Because the TLS certificate is not signed by a trusted CA.
>
> No, it's because an anonymous cipher is used when there is no client
> certificate. If it was a certificate trust problem, the connection would
> be labeled "Untrusted".
No, it is because the client did not provide a certificate. The cipher
AES128-SHA is not an "anonymous" cipher, the server did provide a
certificate to the client, but the converse was false.
Don't confuse anonymous ciphers, with anonymous clients using a cipher
that (if the client bothers, ...) authenticates the server.
--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:majord...@postfix.org?body=unsubscribe%20postfix-users>
If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
