On 11/20/2014 01:52 PM, li...@rhsoft.net wrote:
On 20.11.2014 at 19:47, Robert Moskowitz wrote:
So I have enabled TLS (though I forgot how I did this!) for
sending/receiving mail. It ONLY took me a year from when I started
working on this migration to finally pulling it off.
And of course, being on the cheap side, I used self-signed
certificates. Well, I see some sites, including dovecot.org, rejecting
emails.
Nov 20 10:19:45 z9m9z postfix/lmtp[4040]: 5CF7062110: to=<dove...@dovecot.org>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=12, delay=5890, delays=4534/1346/0.01/8.8, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=04061-01-12, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 8602A600B7)
Nov 20 10:19:46 z9m9z postfix/smtp[4090]: certificate verification failed for dovecot.org[137.117.229.219]:25: self-signed certificate
Lovely, lovely. I CAN understand this. After all, secure communications
is my day job. But I don't like it. Does only accepting well-rooted
certs matter for server performance? Are there really DoS attacks
occurring on sites that accept self-signed certs (this listserver does
not seem to be using TLS)?
So now I either turn off TLS for MTA-MTA communications, or I find a
decent CA to get a cert from and I set it up right.
Do others here use self-signed certs in this way?
What are you talking about?
That above is most likely just a warning for the record.
You failed to provide *full logs* for that transaction as well as
"postconf -n" output. Postfix doesn't reject self-signed certificates
until somebody decides to configure it that way.
Oh, and here are my tls main.cf setup commands from my main.cf config
script:
# tls config
# Client side (outbound, postfix/smtp). smtp_use_tls is the legacy knob;
# on Postfix 2.3+ it is equivalent to smtp_tls_security_level = may, i.e.
# opportunistic TLS: a failed peer-cert check is logged, mail is still sent.
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache'
# Server side (inbound, postfix/smtpd): opportunistic TLS, with the TLS
# status recorded in the Received: header and logged at level 1.
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_security_level = may'
postconf -e 'smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache'
# Change mail.example.com.* to your host name
postconf -e 'smtpd_tls_key_file = /etc/pki/tls/private/z9m9z.htt-consult.com.key'
postconf -e 'smtpd_tls_cert_file = /etc/pki/tls/certs/z9m9z.htt-consult.com.crt'
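The reply's point, that Postfix only rejects on a failed certificate check when the outbound security level demands verification, can be checked from "postconf -n" output. The script below is an added example, not code from either poster or from Postfix; it resolves the effective smtp_tls_security_level (including the legacy smtp_use_tls / smtp_enforce_tls knobs the poster's script relies on, per the Postfix TLS_README) and classifies what a "certificate verification failed" line means under it. The two config samples are constructed to mirror the thread, and the ca-bundle path is an assumption.

```shell
#!/bin/sh
# Added example: resolve the effective outbound TLS level from "postconf -n"
# text and say what "certificate verification failed" means under it.
# Constructed sample mirroring the poster's script: only the legacy
# smtp_use_tls knob is set, smtp_tls_security_level is absent.
SAMPLE_LEGACY='smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_security_level = may'
# Constructed sample where verification is mandatory (CA path assumed).
SAMPLE_VERIFY='smtp_tls_security_level = verify
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt'

# param NAME CONFIG: print the value of NAME (empty when unset).
param() {
    printf '%s\n' "$2" | sed -n "s/^$1[[:space:]]*=[[:space:]]*//p"
}

# effective_smtp_tls_level CONFIG: client-side level Postfix will use. With
# smtp_tls_security_level empty, the legacy booleans decide (TLS_README):
# enforce_tls=yes -> verify (encrypt if peername checks off), use_tls=yes -> may.
effective_smtp_tls_level() {
    level=$(param smtp_tls_security_level "$1")
    if [ -n "$level" ]; then
        printf '%s\n' "$level"
    elif [ "$(param smtp_enforce_tls "$1")" = yes ]; then
        if [ "$(param smtp_tls_enforce_peername "$1")" = no ]; then
            echo encrypt
        else
            echo verify
        fi
    elif [ "$(param smtp_use_tls "$1")" = yes ]; then
        echo may
    else
        echo none
    fi
}

# verdict CONFIG: consequence of a failed peer certificate check.
verdict() {
    case "$(effective_smtp_tls_level "$1")" in
        none)        echo "no-tls" ;;          # STARTTLS never attempted
        may|encrypt) echo "logged-only" ;;     # warning; mail still sent over TLS
        dane)        echo "depends-on-tlsa" ;; # deferred only when TLSA records exist
        verify|secure|dane-only|fingerprint) echo "deferred" ;;
        *)           echo "unknown" ;;
    esac
}
verdict "$SAMPLE_LEGACY"   # logged-only, matching the log line in the thread
verdict "$SAMPLE_VERIFY"   # deferred
```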