i've clearly not noticed my mistake 'til now, and afaict have seen no
unexplained breakage.  dunno if i should've and missed it, or it's
just noisy and ignorable?

Best to not solicit misbehaviour, even if typically nothing bad happens.

sure. not hoping to avoid fixing it!  asking if i should've/could've known 
without running the testssl etc check.

i.e., was there something in postfix logs that I missed? or haven't logged at 
sufficient levels to see?

which I need to investigate.  my certs are LE-issued public certs.  dunno yet why I've 
got an "untrusted issuer" rattling around.

This is expected and normal. Postfix has an empty set of trusted issuers
by default, which avoids wasting time verifying certificates when the
result is ignored anyway.  You can use the "-F <CAfile>" and/or the
"-P <CApath>" options if you want to go through the motions of doing
WebPKI chain verification.

+1

Absent DANE, this is all security theatre.

yup.  which is why i'm doing the step1 cleanups etc to get my own mistakes out 
of the way ... on the way to DNSSEC/DANE.

thx.
