On 11/20/2014 01:56 PM, Viktor Dukhovni wrote:
> On Thu, Nov 20, 2014 at 01:47:20PM -0500, Robert Moskowitz wrote:
>
>> And of course, being on the cheap side, I used self-signed certificates.
>> Well I see some sites, including dovecot.org rejecting emails.
>>
>> Nov 20 10:19:45 z9m9z postfix/lmtp[4040]: 5CF7062110:
>> to=<dove...@dovecot.org>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=12,
>> delay=5890, delays=4534/1346/0.01/8.8, dsn=2.0.0, status=sent (250 2.0.0 Ok,
>> id=04061-01-12, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as
>> 8602A600B7)
>>
>> Nov 20 10:19:46 z9m9z postfix/smtp[4090]: certificate verification failed
>> for dovecot.org[137.117.229.219]:25: self-signed certificate
>
> This is email you're sending, but certs are inspected by sending
> not receiving systems.  Your self-signed certificate has no bearing
> on delivery of outbound email.

I have spent too many years on PKI, and that definitely colors my view. You are saying that this is only the server cert, not the client cert in the TLS handshake. OK. I can accept that.

> You're showing an irrelevant log entry for email re-injection into
> amavisd-new for scanning.  And no evidence that anyone is rejecting
> your mail,

I will accept that I did misread who was rejecting what. Bad for me to assume that my MTA cert was also being used as a client cert. By your explanation, dovecot.org is ALSO using a self-signed cert and my MTA is the one rejecting their cert. This is the only maillog message for a self-signed cert failure. But all that means is that they are the only MTA I have sent mail to that is using a self-signed cert.

> In other words, you're so confused, that you're babbling nonsense,
> but it seems to make sense to you.  You need to forget everything
> you think you understood and start again from scratch.

The confusion comes in as to what the MTA cert is used for. I now see it is used only for the TLS server cert. Fine.

Though now I have to figure out IF they received my message and why I am not getting any mail from them.

>> Lovely, lovely.  I CAN understand this.  After all, secure communications is
>> my day job.  But I don't like it.
>
> Well the premise is false, so there is nothing to not like.

>> So now I either turn off TLS for MTA-MTA communications, or I find
>> a decent CA to get a cert from and I set it up right.
>
> No need.

>> Do others here use self-signed certs?
>
> Definitely.
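The point Viktor makes above (the "certificate verification failed" line is logged by the sending side, postfix/smtp, when it inspects the remote server's certificate, and under opportunistic TLS it does not stop delivery) is easy to check against a maillog. The script below is an added example for this thread, not code from the list or from Postfix itself: it classifies Postfix log lines by which side of the connection logged them, pairs each verification warning with the delivery status later logged by the same smtp process, and reports whether that warning would have deferred the mail under the configured smtp_tls_security_level. The hostnames, addresses, queue ids and log lines are constructed for the example; the rule that only the "verify" and "secure" levels turn a failed verification into a deferral (DANE levels are not modelled here) is the assumption the code encodes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Postfix daemons that act as the SMTP/LMTP *client*: they connect out and
# are the ones that verify the remote server certificate.  smtpd is the
# server side and never verifies the client cert unless explicitly told to.
CLIENT_DAEMONS = {"smtp", "lmtp"}

# Hypothetical rule for this example: at these smtp_tls_security_level
# values a failed certificate verification defers delivery; at "may" or
# "encrypt" it is only logged.  DANE levels are deliberately not modelled.
MANDATORY_VERIFY_LEVELS = {"verify", "secure"}

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+"
    r"postfix/(?P<daemon>[a-z]+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
VERIFY_RE = re.compile(
    r"certificate verification failed for (?P<peer>\S+): (?P<reason>.+)$"
)
STATUS_RE = re.compile(r"\bstatus=(?P<status>\w+)")


@dataclass
class TlsEvent:
    daemon: str
    pid: str
    side: str                 # "client" = our MTA checked their server cert
    peer: str
    reason: str
    blocks_delivery: bool     # would this level have deferred the mail?
    delivery_status: Optional[str] = None   # filled in by correlate()


def classify(line: str, security_level: str = "may") -> Optional[TlsEvent]:
    """Return a TlsEvent for a certificate-verification log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    v = VERIFY_RE.search(m.group("msg"))
    if not v:
        return None
    daemon = m.group("daemon")
    side = "client" if daemon in CLIENT_DAEMONS else "server"
    blocks = side == "client" and security_level in MANDATORY_VERIFY_LEVELS
    return TlsEvent(daemon, m.group("pid"), side,
                    v.group("peer"), v.group("reason"), blocks)


def correlate(lines: List[str], security_level: str = "may") -> List[TlsEvent]:
    """Pair each verification warning with the next status= line logged by
    the same daemon process, so the reader sees that under opportunistic
    TLS the warning and a successful delivery sit side by side."""
    pending = {}          # (daemon, pid) -> TlsEvent awaiting a status line
    done: List[TlsEvent] = []
    for line in lines:
        ev = classify(line, security_level)
        if ev:
            pending[(ev.daemon, ev.pid)] = ev
            continue
        m = LOG_RE.match(line)
        if not m:
            continue
        key = (m.group("daemon"), m.group("pid"))
        s = STATUS_RE.search(m.group("msg"))
        if s and key in pending:
            ev = pending.pop(key)
            ev.delivery_status = s.group("status")
            done.append(ev)
    done.extend(pending.values())   # warnings with no delivery line yet
    return done


# Constructed sample log, modelled on the format quoted in the thread.
SAMPLE_LOG = [
    "Nov 20 10:19:46 mx1 postfix/smtp[4090]: certificate verification failed "
    "for mail.example.net[192.0.2.25]:25: self-signed certificate",
    "Nov 20 10:19:47 mx1 postfix/lmtp[4040]: 1A2B3C4D5E: to=<u@localhost>, "
    "relay=127.0.0.1[127.0.0.1]:10024, delay=0.5, dsn=2.0.0, status=sent "
    "(250 2.0.0 Ok, id=00001-01, from MTA([127.0.0.1]:10025))",
    "Nov 20 10:19:48 mx1 postfix/smtpd[4101]: connect from unknown[198.51.100.7]",
    "Nov 20 10:19:49 mx1 postfix/smtp[4090]: 1A2B3C4D5E: to=<user@example.net>, "
    "relay=mail.example.net[192.0.2.25]:25, delay=1.2, dsn=2.0.0, status=sent "
    "(250 2.0.0 Ok: queued as 9F8E7D6C)",
]

if __name__ == "__main__":
    for ev in correlate(SAMPLE_LOG):
        print(f"{ev.daemon}[{ev.pid}] {ev.side} side verified {ev.peer}: "
              f"{ev.reason}; delivery status={ev.delivery_status}; "
              f"would defer at mandatory level={ev.blocks_delivery}")
```

Run against the sample, the only event comes from postfix/smtp, the client side, and its status is "sent" despite the self-signed remote certificate; the unrelated lmtp re-injection line (the one Viktor calls irrelevant) is never paired with it because it belongs to a different process. Re-running correlate with security_level="verify" flips blocks_delivery to True, which is what a site would see if it had made verification mandatory.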

