Hello,
While checking TLS to a destination domain I noticed a difference.
posttls-finger says "Verified" but the log says (only) "Trusted".
# posttls-finger -c -F /etc/ssl/mail/trusted_cas.pem avira.com
posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: subjectAltName: mx.ames.avira.net
posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: subjectAltName: a.mx.ames.avira.net
posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: subjectAltName: b.mx.ames.avira.net
posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: Matched subjectAltName: mx1.c01.avira.com
posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: subjectAltName: mx2.c01.avira.com
posttls-finger: mx1.c01.avira.com[212.79.247.134]:25 CommonName mx.ames.avira.net
posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: subject_CN=mx1.c01.avira.com, issuer_CN=COMODO RSA Domain Validation Secure Server CA, fingerprint=7B:29:B8:4E:DE:65:D0:41:5B:2F:00:8C:83:E0:63:8F:0C:2A:99:D8, pkey_fingerprint=D5:90:CE:7B:83:66:F3:D1:14:C4:B8:8A:F7:98:9E:36:75:A4:94:48
posttls-finger: Verified TLS connection established to mx1.c01.avira.com[212.79.247.134]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
# grep "to mx1.c01.avira.com" /var/log/mail
Dec 10 12:58:19 mail postfix/smtp[2230]: Trusted TLS connection established to mx1.c01.avira.com[212.79.247.144]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
# postconf -h mail_version
2.11.3
# postconf -h smtp_tls_CAfile
/etc/ssl/mail/trusted_cas.pem
I would say posttls-finger is wrong. Or am I?
Andreas