On Sat, Dec 02, 2023 at 11:37:55AM -0500, pgnd wrote:
> > - dane: Same as "may" in the absence of DNSSEC MX and TLSA
>
> iiuc, this functions as
>
> dane, with DNSSEC MX and TLSA
> may, without DNSSEC MX and TLSA
>
> is there an equivalent single form that functions as
>
>
On Sat, Dec 02, 2023 at 09:55:44PM +0900, Byung-Hee HWANG via Postfix-users
wrote:
> > No, it's a pure security policy thing and an overlooked line in the mysql
> > tls
> > policy table.
> >
> > The policy "secure" (and I assume "dane-only") doesn't work, as github is
> > not
> > using DNSSEC.
> No, it's a pure security policy thing and an overlooked line in the mysql tls
> policy table.
>
> The policy "secure" (and I assume "dane-only") doesn't work, as github is not
> using DNSSEC. Valid policies which make this work are "verify", "may" and I
> assume "dane" (if you have
On 2023-12-01 18:51, Viktor Dukhovni via Postfix-users wrote:
On Fri, Dec 01, 2023 at 01:52:19PM +0100, Alexander Leidinger wrote:
> No. The problem you're reporting is with name matching. If the
> certificate chain failed to be constructed, that'd be reported instead.
> You'll only see
On Fri, Dec 01, 2023 at 01:52:19PM +0100, Alexander Leidinger wrote:
> > No. The problem you're reporting is with name matching. If the
> > certificate chain failed to be constructed, that'd be reported instead.
> > You'll only see name match errors if the chain construction succeeds,
> > but
On 2023-12-01 13:44, Wietse Venema wrote:
Alexander Leidinger:
On 2023-11-30 16:53, Wietse Venema via Postfix-users wrote:
> Alexander Leidinger via Postfix-users:
>> What is wrong here that [tlsproxy] doesn't establish a trusted
>> connection
>> to the github mailservers when
On 2023-12-01 12:40, Byung-Hee HWANG via Postfix-users wrote:
Alexander Leidinger via Postfix-users
writes:
On 2023-12-01 12:08, Byung-Hee HWANG via Postfix-users wrote:
...
Nov 30 11:31:48 mailgate postfix/tlsproxy[175]: server certificate
verification failed for
On 2023-12-01 11:22, Viktor Dukhovni via Postfix-users wrote:
On Fri, Dec 01, 2023 at 09:53:25AM +0100, Alexander Leidinger via
Postfix-users wrote:
> > Why should it expect reply.github.com?
>
> Because that name is securely known from the recipient address.
Because, whether you're
Alexander Leidinger:
> On 2023-11-30 16:53, Wietse Venema via Postfix-users wrote:
> > Alexander Leidinger via Postfix-users:
> >> What is wrong here that [tlsproxy] doesn't establish a trusted
> >> connection
> >> to the github mailservers when posttls-finger is able to do that with
> >> the
Alexander Leidinger via Postfix-users
writes:
> On 2023-12-01 12:08, Byung-Hee HWANG via Postfix-users wrote:
>>> ...
>>> Nov 30 11:31:48 mailgate postfix/tlsproxy[175]: server certificate
>>> verification failed for in-8.smtp.github.com[140.82.114.32]:25:
>>> num=62:hostname mismatch
>>> ...
On 2023-12-01 12:08, Byung-Hee HWANG via Postfix-users wrote:
...
Nov 30 11:31:48 mailgate postfix/tlsproxy[175]: server certificate
verification failed for in-8.smtp.github.com[140.82.114.32]:25:
num=62:hostname mismatch
...
Maybe you check?
root@yw-1204:/etc/postfix# postconf -n | grep
> ...
> Nov 30 11:31:48 mailgate postfix/tlsproxy[175]: server certificate
> verification failed for in-8.smtp.github.com[140.82.114.32]:25:
> num=62:hostname mismatch
> ...
Maybe you check?
root@yw-1204:/etc/postfix# postconf -n | grep CAfile
smtp_tls_CAfile =
On Fri, Dec 01, 2023 at 09:53:25AM +0100, Alexander Leidinger via Postfix-users
wrote:
> > > Why should it expect reply.github.com?
> >
> > Because that name is securely known from the recipient address.
Because, whether you're willing to understand the point or prefer to
"dig in", verifying a
On 2023-12-01 09:34, Tom Hendrikx via Postfix-users wrote:
On 01-12-2023 08:59, Alexander Leidinger via Postfix-users wrote:
On 2023-11-30 16:53, Wietse Venema via Postfix-users wrote:
Alexander Leidinger via Postfix-users:
What is wrong here that [tlsproxy] doesn't establish a trusted
On 2023-11-30 18:36, Viktor Dukhovni via Postfix-users wrote:
On Thu, Nov 30, 2023 at 03:37:02PM +0100, Alexander Leidinger via
Postfix-users wrote:
> > Nov 30 11:18:40 mailgate postfix/tlsproxy[98300]: server certificate
> > verification failed for in-9.smtp.github.com[140.82.112.31]:25:
>
On 01-12-2023 08:59, Alexander Leidinger via Postfix-users wrote:
On 2023-11-30 16:53, Wietse Venema via Postfix-users wrote:
Alexander Leidinger via Postfix-users:
What is wrong here that [tlsproxy] doesn't establish a trusted
connection
to the github mailservers when posttls-finger is
On 2023-11-30 16:53, Wietse Venema via Postfix-users wrote:
Alexander Leidinger via Postfix-users:
What is wrong here that [tlsproxy] doesn't establish a trusted
connection
to the github mailservers when posttls-finger is able to do that with
the same cert store?
Because there are
On Thu, Nov 30, 2023 at 03:37:02PM +0100, Alexander Leidinger via Postfix-users
wrote:
> > > Nov 30 11:18:40 mailgate postfix/tlsproxy[98300]: server certificate
> > > verification failed for in-9.smtp.github.com[140.82.112.31]:25:
> > > num=62:hostname mismatch
> >
> > That is the error.
Alexander Leidinger via Postfix-users:
> What is wrong here that [tlsproxy] doesn't establish a trusted connection
> to the github mailservers when posttls-finger is able to do that with
> the same cert store?
Because there are differences between tlsproxy and posttls-finger.
1) Different
On 2023-11-30 15:03, Bill Cole via Postfix-users wrote:
On 2023-11-30 at 08:03:09 UTC-0500 (Thu, 30 Nov 2023 14:03:09 +0100)
Alexander Leidinger via Postfix-users
is rumored to have said:
My main.cf contains the same certs-path for smtp and smtpd TLS
connections:
---snip---
# grep CApath
On 2023-11-30 at 08:03:09 UTC-0500 (Thu, 30 Nov 2023 14:03:09 +0100)
Alexander Leidinger via Postfix-users
is rumored to have said:
Hi,
There is something strange with delivering mail from my mailserver to
github, it complains about the github server certificate not verified
on an outgoing
21 matches