Examining incoming connections, I see that Google is trusted but bendel.debian.org (this list) is not.

Mar 12 08:37:39 egde postfix/25pass/smtpd[78299]: setting up TLS connection from bendel.debian.org[82.195.75.100]
Mar 12 08:37:39 egde postfix/25pass/smtpd[78299]: Untrusted TLS connection established from bendel.debian.org[82.195.75.100]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256
Mar 12 08:41:41 egde postfix/25pass/smtpd[78321]: setting up TLS connection from mail-pf1-f176.google.com[209.85.210.176]
Mar 12 08:41:42 egde postfix/25pass/smtpd[78321]: Trusted TLS connection established from mail-pf1-f176.google.com[209.85.210.176]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256

Part of header
Bendel:

Received: from bendel.debian.org (bendel.debian.org [82.195.75.100])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
         client-signature RSA-PSS (2048 bits) client-digest SHA256)
        (Client CN "clientcerts/bendel.debian.org", Issuer "Debian SMTP CA" (not verified))
        by edge.bronzemail.com (Postfix) with ESMTPS id 3417740396
        for <jer...@ardley.org>; Sun, 12 Mar 2023 08:37:40 +0800 (AWST)


Google:

Received: from mail-pf1-f176.google.com (mail-pf1-f176.google.com [209.85.210.176])
        (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
         key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
         client-signature RSA-PSS (2048 bits) client-digest SHA256)
        (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK))
        by edge.bronzemail.com (Postfix) with ESMTPS id 0E80740396
        for <jer...@ardley.org>; Sun, 12 Mar 2023 08:41:43 +0800 (AWST)


I have previously run

apt install --reinstall ca-certificates

...
Preparing to unpack .../ca-certificates_20210119_all.deb ...
Unpacking ca-certificates (20210119) over (20210119) ...
...

root@egde:/etc/postfix# update-ca-certificates --fresh

systemctl restart postfix

I also see this happen with Let's Encrypt certificates, even though R3 is in the trusted CA lists.

Received: from edge.bronzemail.com (2403-5800-c000-1b7-f3d4-d970-ca28-bf4f.ip6.aussiebb.net [IPv6:2403:5800:c000:1b7:f3d4:d970:ca28:bf4f])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature RSA-PSS (2048 bits)
         client-signature RSA-PSS (2048 bits))
        (Client CN "edge.bronzemail.com", Issuer "R3" (not verified))
        by mail.bronzemail.com (Postfix) with ESMTPS id 48D60860222
        for <jer...@ardley.org>; Sun, 12 Mar 2023 08:41:44 +0800 (AWST)


Jeremy
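The log lines and Received headers above, parsed and correlated, as an added example written for this thread rather than code from the original post or from Postfix. smtpd records the client-certificate verdict in two places: the log-line prefix ("Trusted" when the presented client certificate chained to a CA in smtpd_tls_CAfile or smtpd_tls_CApath, "Untrusted" when one was presented but did not chain, "Anonymous" when none was presented) and the Received header it writes ("verified OK" / "not verified"). The script unfolds the header continuation lines, extracts CN, issuer and verdict, and joins each header to its log line on client IP. The sample input is the post's own data with the mail client's line wrapping undone; the function names (unfold_headers, parse_smtpd_log, parse_received, trust_report) and the report shape are my choices.

```python
"""Triage the client-certificate verdict Postfix smtpd records for inbound TLS.

Added example for this thread, not code from the original post or from Postfix.
"""
import re
from collections import defaultdict

# Sample input copied from the post above (mail-client line wrapping undone).
SMTPD_LOG = """\
Mar 12 08:37:39 egde postfix/25pass/smtpd[78299]: setting up TLS connection from bendel.debian.org[82.195.75.100]
Mar 12 08:37:39 egde postfix/25pass/smtpd[78299]: Untrusted TLS connection established from bendel.debian.org[82.195.75.100]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256
Mar 12 08:41:41 egde postfix/25pass/smtpd[78321]: setting up TLS connection from mail-pf1-f176.google.com[209.85.210.176]
Mar 12 08:41:42 egde postfix/25pass/smtpd[78321]: Trusted TLS connection established from mail-pf1-f176.google.com[209.85.210.176]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256
"""

RECEIVED_HEADERS = """\
Received: from bendel.debian.org (bendel.debian.org [82.195.75.100])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
         client-signature RSA-PSS (2048 bits) client-digest SHA256)
        (Client CN "clientcerts/bendel.debian.org", Issuer "Debian SMTP CA" (not verified))
        by edge.bronzemail.com (Postfix) with ESMTPS id 3417740396
        for <jer...@ardley.org>; Sun, 12 Mar 2023 08:37:40 +0800 (AWST)
Received: from mail-pf1-f176.google.com (mail-pf1-f176.google.com [209.85.210.176])
        (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
         key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
         client-signature RSA-PSS (2048 bits) client-digest SHA256)
        (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK))
        by edge.bronzemail.com (Postfix) with ESMTPS id 0E80740396
        for <jer...@ardley.org>; Sun, 12 Mar 2023 08:41:43 +0800 (AWST)
Received: from edge.bronzemail.com (2403-5800-c000-1b7-f3d4-d970-ca28-bf4f.ip6.aussiebb.net [IPv6:2403:5800:c000:1b7:f3d4:d970:ca28:bf4f])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature RSA-PSS (2048 bits)
         client-signature RSA-PSS (2048 bits))
        (Client CN "edge.bronzemail.com", Issuer "R3" (not verified))
        by mail.bronzemail.com (Postfix) with ESMTPS id 48D60860222
        for <jer...@ardley.org>; Sun, 12 Mar 2023 08:41:44 +0800 (AWST)
"""

# smtpd's "... TLS connection established from" line; the optional service
# component covers master.cf entries such as "25pass/smtpd".
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} [\d:]{8}) (?P<host>\S+) "
    r"postfix/(?:(?P<svc>[^/\[\]]+)/)?smtpd\[(?P<pid>\d+)\]: "
    r"(?P<level>Trusted|Untrusted|Anonymous) TLS connection established from "
    r"(?P<client>[^\[\s]+)\[(?P<ip>[^\]]+)\]: (?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+)"
)

# The same verdict as smtpd writes it into the Received header (after unfolding).
RCVD_RE = re.compile(
    r'Received: from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>[^\]]+)\]\)'
    r'.*?\(using (?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+)'
    r'.*?\(Client CN "(?P<cn>[^"]*)", Issuer "(?P<issuer>[^"]*)" '
    r'\((?P<status>verified OK|not verified)\)\)'
    r'.*?\bby (?P<by>\S+) \(Postfix\) with (?P<with>\S+) id (?P<qid>\S+)'
)


def unfold_headers(text):
    """Join RFC 5322 folded continuation lines (those starting with whitespace)."""
    headers = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line.rstrip())
    return headers


def parse_smtpd_log(text):
    """Return one dict per 'TLS connection established' line; other lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.search, text.splitlines()) if m]


def parse_received(text):
    """Return one dict per Received header that carries a client-certificate verdict."""
    return [m.groupdict() for m in map(RCVD_RE.match, unfold_headers(text)) if m]


def trust_report(log_text, header_text):
    """Group Received headers by verdict and attach the smtpd log level for the same client IP."""
    logged = {r["ip"]: r["level"] for r in parse_smtpd_log(log_text)}
    report = defaultdict(list)
    for h in parse_received(header_text):
        report[h["status"]].append({
            "peer": h["rdns"],
            "cn": h["cn"],
            "issuer": h["issuer"],
            "smtpd_logged": logged.get(h["ip"], "n/a"),  # n/a: no matching smtpd line in this log
        })
    return dict(report)


if __name__ == "__main__":
    for status, peers in trust_report(SMTPD_LOG, RECEIVED_HEADERS).items():
        print(status)
        for p in peers:
            print(f"  {p['peer']}: CN={p['cn']!r} issuer={p['issuer']!r} smtpd logged {p['smtpd_logged']}")
```

The verdict is measured against Postfix's own CA settings, not against /etc/ssl/certs as such: smtpd verifies client certificates only against smtpd_tls_CAfile and smtpd_tls_CApath, with the system defaults appended only when tls_append_default_CA = yes, so `postconf smtpd_tls_CAfile smtpd_tls_CApath tls_append_default_CA` is the check that shows what "not verified" was decided against. The verdict is informational for mail acceptance unless smtpd_tls_req_ccert (or a policy keyed on it) requires a trusted client certificate.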
