
Re: TLS Question, untrusted connection

  • Viktor Dukhovni
    Message 1 of 6, Mar 26, 2013
      On Tue, Mar 26, 2013 at 09:44:12AM +0100, Marko Weber | ZBF wrote:

      > Mar 22 10:34:52 mail postfix/smtp[13970]:
      > smtp2.db.com[160.83.77.178]:25: Matched subjectAltName:
      > nyginsmp02.us.db.com
      > Mar 22 10:34:52 mail postfix/smtp[13970]:
      > smtp2.db.com[160.83.77.178]:25 CommonName nyginsmp02.us.db.com

      Your smtp_tls_loglevel is set too high; 2 is only for debugging,
      use 1 for routine logging.

      > but on incoming mails i see this:
      >
      > Mar 25 14:04:35 mail postfix/smtpd[31103]: setting up TLS connection
      > from loninmrp15.uk.db.com[160.83.44.131]
      > Mar 25 14:04:35 mail postfix/smtpd[31103]:
      > loninmrp15.uk.db.com[160.83.44.131]: TLS cipher list
      > "aNULL:-aNULL:ALL:+RC4:@STRENGTH:!aNULL"
      > Mar 25 14:04:35 mail postfix/smtpd[31103]:
      > loninmrp15.uk.db.com[160.83.44.131]: certificate verification
      > depth=3 verify=0 subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public
      > Primary Certification Authority

      Your smtpd_tls_loglevel is set too high; 2 is only for debugging,
      use 1 for routine logging.

      You may not have specified the associated CAs in "smtpd_tls_CApath"
      or "smtpd_tls_CAfile" (don't put too much here, use CApath if you
      must). However, see below, generally you should not be requesting
      client certs at all.

      > Mar 25 14:04:35 mail postfix/smtpd[31103]: Untrusted TLS connection
      > established from loninmrp15.uk.db.com[160.83.44.131]: TLSv1 with
      > cipher DHE-RSA-AES256-SHA (256/256 bits)

      This is normal. I would have expected this to say "Anonymous"
      rather than "Untrusted". Your smtpd(8) is configured to request
      client certificates; why? Generally, you should not request client
      certs in SMTP except perhaps on "submission" servers.

      --
      Viktor.
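As an added example (not part of Viktor's reply and not Postfix code), a small Python audit that reads Postfix smtp(8)/smtpd(8) TLS log lines and reports the two things the reply points out: debug-only output that means a `*_tls_loglevel` is set to 2, and inbound handshakes logged as "Untrusted"/"Trusted"/"Verified", which only happens when smtpd asked for and received a client certificate. The sample lines are constructed from the quoted excerpts; the outbound "Verified" summary and the "Anonymous" inbound line are invented for contrast, and the `audit` function and finding strings are my own.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the lines quoted in the thread.
# The "Verified ... to smtp2.db.com" and "Anonymous ... from mx.example.org"
# summaries are invented so that all three outcomes appear.
SAMPLE_LOG = """\
Mar 22 10:34:52 mail postfix/smtp[13970]: smtp2.db.com[160.83.77.178]:25: Matched subjectAltName: nyginsmp02.us.db.com
Mar 22 10:34:52 mail postfix/smtp[13970]: smtp2.db.com[160.83.77.178]:25 CommonName nyginsmp02.us.db.com
Mar 22 10:34:52 mail postfix/smtp[13970]: Verified TLS connection established to smtp2.db.com[160.83.77.178]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Mar 25 14:04:35 mail postfix/smtpd[31103]: loninmrp15.uk.db.com[160.83.44.131]: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH:!aNULL"
Mar 25 14:04:35 mail postfix/smtpd[31103]: loninmrp15.uk.db.com[160.83.44.131]: certificate verification depth=3 verify=0 subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Mar 25 14:04:35 mail postfix/smtpd[31103]: Untrusted TLS connection established from loninmrp15.uk.db.com[160.83.44.131]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Mar 25 14:05:01 mail postfix/smtpd[31104]: Anonymous TLS connection established from mx.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""

# Loglevel-1 handshake summary: "<trust> TLS connection established from|to <peer>: <proto> with cipher <name> (<bits>/<bits> bits)"
SUMMARY_RE = re.compile(
    r"postfix/(?P<daemon>smtpd?)\[\d+\]: (?P<trust>Anonymous|Untrusted|Trusted|Verified) "
    r"TLS connection established (?:from|to) (?P<peer>\S+?):? (?P<proto>\S+) with cipher "
    r"(?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)
# Per-certificate and cipher-list chatter that only appears at loglevel >= 2.
DEBUG_RE = re.compile(
    r"postfix/(?P<daemon>smtpd?)\[\d+\]: .*(?:Matched subjectAltName|CommonName |"
    r"TLS cipher list|certificate verification depth=)"
)

FINDING_LOGLEVEL = "{daemon}_tls_loglevel is 2 or higher (debug only); use 1 for routine logging"
FINDING_CCERT = "smtpd requests client certificates (smtpd_tls_ask_ccert); normally only wanted on submission"


def audit(log_text):
    """Return (connections, findings): parsed handshake summaries and a count of
    configuration findings derived from the log lines (assumed helper)."""
    connections, findings = [], Counter()
    for line in log_text.splitlines():
        dbg = DEBUG_RE.search(line)
        if dbg:
            findings[FINDING_LOGLEVEL.format(daemon=dbg["daemon"])] += 1
            continue
        m = SUMMARY_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["bits"] = int(rec["bits"])
        connections.append(rec)
        # smtpd logs anything other than "Anonymous" only when the client sent a
        # certificate, i.e. the server asked for one; on an MX that is pointless.
        if rec["daemon"] == "smtpd" and rec["trust"] != "Anonymous":
            findings[FINDING_CCERT] += 1
    return connections, dict(findings)
```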