On Fri, Aug 21, 2009 at 06:09:52AM -0500, Noel Jones wrote:

> Ralf Hildebrandt wrote:
>>>
>>> Aug 20 22:49:01 server postfix/smtpd[7724]: connect from
>>> unknown[XXX.YYY.ZZZ.KKK]
>>> Aug 20 22:49:02 server postfix/smtpd[7724]: setting up TLS connection
>>> from unknown[XXX.YYY.ZZZ.KKK]
>>> Aug 20 22:49:02 server postfix/smtpd[7724]: Anonymous TLS connection
>>> established from unknown[XXX.YYY.ZZZ.KKK]: TLSv1 with cipher
>>> AES128-SHA (128/128 bits)
>>>
>>> Why does it say "Anonymous TLS connection"?
>> Because the TLS certificate is not signed by a trusted CA.
>
> No, it's because an anonymous cipher is used when there is no client
> certificate. If it was a certificate trust problem, the connection would
> be labeled "Untrusted".

No, it is because the client did not provide a certificate. The cipher AES128-SHA is not an "anonymous" cipher; the server did provide a certificate to the client, but the converse was false.

Don't confuse anonymous ciphers with anonymous clients using a cipher that (if the client bothers, ...) authenticates the server.

-- 
Viktor.
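
The distinction drawn in the reply above, as an added example that is not part of the original thread: a small parser that reads the client-certificate label and the cipher from an smtpd log line as two separate facts. The `classify` helper, the field names, and the sample lines (with documentation-range addresses) are constructed for illustration; `ADH-` and `AECDH-` are the OpenSSL name prefixes for anonymous ciphers.

```python
import re

# Labels Postfix smtpd logs before "TLS connection established": they describe
# the client's certificate, not the cipher.
PEER_STATUS = {
    "Anonymous": "client presented no certificate",
    "Untrusted": "client certificate not signed by a trusted CA",
    "Trusted": "client certificate signed by a trusted CA",
}

# OpenSSL names of ciphers with no authentication on either side.
ANON_CIPHER_PREFIXES = ("ADH-", "AECDH-")

TLS_LINE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<status>\w+) TLS connection established "
    r"from (?P<peer>\S+): (?P<proto>\S+) with cipher (?P<cipher>\S+) "
    r"\((?P<used>\d+)/(?P<avail>\d+) bits\)"
)

def classify(line):
    """Return the two independent facts in one smtpd TLS log line, or None."""
    m = TLS_LINE.search(line)
    if m is None:
        return None
    anon_cipher = m["cipher"].startswith(ANON_CIPHER_PREFIXES)
    return {
        "peer": m["peer"],
        "client_status": m["status"],
        "meaning": PEER_STATUS.get(m["status"], "unrecognized label"),
        "client_cert_presented": m["status"] in ("Untrusted", "Trusted"),
        "anonymous_cipher": anon_cipher,
        # A non-anonymous cipher means the server sent its certificate;
        # whether the client checked it is not visible in this log line.
        "server_cert_sent": not anon_cipher,
    }

# Constructed sample lines (192.0.2.0/24 is a documentation range).
SAMPLES = [
    "Aug 20 22:49:02 server postfix/smtpd[7724]: Anonymous TLS connection established from unknown[192.0.2.10]: TLSv1 with cipher AES128-SHA (128/128 bits)",
    "Aug 20 22:50:10 server postfix/smtpd[7730]: Untrusted TLS connection established from unknown[192.0.2.11]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)",
    "Aug 20 22:51:30 server postfix/smtpd[7731]: Anonymous TLS connection established from unknown[192.0.2.12]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)",
    "Aug 20 22:49:01 server postfix/smtpd[7724]: connect from unknown[192.0.2.10]",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```

The first sample mirrors the line from the thread: the label is "Anonymous" while the cipher is certificate-authenticated, so only the client is anonymous.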