On 2022-08-22 13:55, Viktor Dukhovni wrote:
> This should be the full certificate chain, not just the lead
> certificate.
>
> For that, you need at least:
>
>     smtp_tls_security_level = may
>
> or perhaps (given a local validating resolver and only loopback
> nameserver IPs in /etc/resolv.conf or equivalent):
>
>     smtp_dns_support_level = dnssec
>     smtp_tls_security_level = dane

Thanks Viktor and Jaroslaw!

Things are working fine. I put the cert chain in the main cert
file again, no errors this time. Outbound TLS is working OK now:

postfix/smtp[7329]: Untrusted TLS connection established to
example-com.mail.protection.outlook.com[104.47.55.110]:25: TLSv1.2 with
cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

I assume it says Untrusted because Postfix doesn't have any CAs that it
is configured for? (Assuming Office 365 uses a real SSL cert.) Probably
doesn't matter. It's just my personal email server.

thanks
nate
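
The following is an added example, not part of the original message or of Postfix itself: a small parser that tallies the Postfix SMTP client's "TLS connection established" log lines by destination and by the trust label Postfix reports (Anonymous, Untrusted, Trusted, Verified). The sample log is constructed; only its first entry reuses the line quoted above, and the function names are this example's own.

```python
import re
from collections import Counter

# Matches the Postfix SMTP client's per-connection TLS summary line.
TLS_LINE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<trust>Anonymous|Untrusted|Trusted|Verified) "
    r"TLS connection established to (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)

# Labels that mean: encrypted, but the peer's identity was not established.
UNAUTHENTICATED = {"Anonymous", "Untrusted"}

# Constructed sample log: timestamps, the "mx1" hostname and every destination
# except the first are made up; the first entry reuses the line quoted above.
SAMPLE_LOG = """\
Aug 22 14:01:07 mx1 postfix/smtp[7329]: Untrusted TLS connection established to example-com.mail.protection.outlook.com[104.47.55.110]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 22 14:01:08 mx1 postfix/smtp[7329]: 4B1C2A0F: to=<user@example.com>, relay=example-com.mail.protection.outlook.com[104.47.55.110]:25, status=sent (250 2.6.0 Queued)
Aug 22 14:05:41 mx1 postfix/smtp[7402]: Trusted TLS connection established to mail.example.org[192.0.2.10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Aug 22 14:09:13 mx1 postfix/smtp[7415]: Anonymous TLS connection established to mx.example.net[198.51.100.7]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
Aug 22 14:12:30 mx1 postfix/smtp[7329]: Untrusted TLS connection established to example-com.mail.protection.outlook.com[104.47.55.110]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""

def parse_line(line):
    """Return the TLS fields of one log line, or None if it is not a TLS summary."""
    m = TLS_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"], rec["bits"] = int(rec["port"]), int(rec["bits"])
    return rec

def summarize(log_text):
    """Count outbound TLS sessions per (destination host, trust label)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["host"], rec["trust"])] += 1
    return counts

def unauthenticated_hosts(log_text):
    """Destinations reached over TLS without an authenticated peer certificate."""
    return sorted({h for (h, t) in summarize(log_text) if t in UNAUTHENTICATED})

if __name__ == "__main__":
    for (host, trust), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {trust:<10} {host}")
```
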