On Sat, Mar 23, 2024 at 06:24:50PM +0800, Cowbay via Postfix-users wrote:

> My smtp_tls_policy_maps points to a hash table and the relevant entry is
>   [smtp.gmail.com]:465            secure

OK, nothing unusual there.

> > No, the self-signed certificate might have been some root CA that isn't
> > listed in your CAfile.  Or perhaps the Gmail load-balancer did present
> > a self-signed certificate for some reason.
>
> Ok, you should be correct. The more precise statement from Wikipedia is
> "self-signed certificates are public key certificates that are not issued by
> a certificate authority (CA)." So maybe, once the CA isn't listed in the
> CAfile, Postfix or the SSL library treats it as a self-signed
> certificate.

Postfix just relays what OpenSSL finds.  A certificate is only
self-signed when its subject name and issuer name are equal; absence
from the CA file does not change this, but if found in the CA file,
a self-signed certificate is typically treated as a trust-anchor
and verification succeeds.

Since Gmail does not normally vend any self-signed certificates,
something atypical was in place on the Gmail end at the time.

One possible factor is the handling of TLS connections that don't set
the SNI name (Postfix default, see
<http://www.postfix.org/postconf.5.html#smtp_tls_servername>).


> > You should try with each of "-servername smtp.google.com" and
> > "-noservername" options.

and also "posttls-finger" as in the example I posted.

> > When I test with s_client, I see the same certificate chain at that
> > address regardless of whether SNI is used:
> >
> >      $ openssl s_client -servername smtp.gmail.com -verify_hostname smtp.gmail.com -connect 64.233.189.109:465 < /dev/null
> >      ...
> >
> >      $ openssl s_client -noservername -verify_hostname smtp.gmail.com -connect 64.233.189.109:465 < /dev/null
> >      ...
> >
> > With posttls-finger, I see:
> >
> >      $ posttls-finger -wc -F /etc/ssl/cert.pem -lsecure "[64.233.189.109]:465" smtp.gmail.com

You might not get to observe the problem for quite some time (if ever
again).

-- 
    Viktor.
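The distinction made above (subject == issuer is what makes a certificate self-signed; being in the CAfile only decides whether it is a trusted anchor) as an added shell example, not from the thread or from Postfix. It assumes the openssl CLI is in PATH and constructs two throwaway self-signed certificates itself.

```shell
#!/bin/sh
# Added example: "self-signed" means subject DN == issuer DN; the CAfile does
# not change that, it only decides whether such a cert is a trusted anchor.
# Assumes the openssl CLI is in PATH; every certificate is constructed here.
set -e
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# mkcert FILE CN: write a throwaway self-signed certificate (key is discarded).
mkcert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$workdir/$2.key" -out "$1" >/dev/null 2>&1
}

# is_self_signed FILE: prints "yes" when the subject and issuer DNs match.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  if [ "${subj#subject=}" = "${iss#issuer=}" ]; then echo yes; else echo no; fi
}

# verifies_against CERT CAFILE: succeeds only if CERT chains to a cert in CAFILE.
verifies_against() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

cert="$workdir/mx.pem";  mkcert "$cert" mx.example.test        # the peer cert
other="$workdir/ca.pem"; mkcert "$other" unrelated-root.test   # some other root

echo "mx self-signed: $(is_self_signed "$cert")"                 # yes
if verifies_against "$cert" "$other"; then
  echo "verified against an unrelated CAfile (unexpected)"
else
  echo "not in CAfile: verify fails, but the cert is still self-signed"
fi
if verifies_against "$cert" "$cert"; then
  echo "listed in CAfile: treated as a trust anchor, verify succeeds"
fi
```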
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org