Examining incoming connections, I see that Google is trusted but
bendel.debian.org (this list) is not:
Mar 12 08:37:39 egde postfix/25pass/smtpd[78299]: setting up TLS
connection from bendel.debian.org[82.195.75.100]
Mar 12 08:37:39 egde postfix/25pass/smtpd[78299]: Untrusted TLS
connection established from bendel.debian.org[82.195.75.100]: TLSv1.3
with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519
server-signature RSA-PSS (2048 bits) server-digest SHA256
client-signature RSA-PSS (2048 bits) client-digest SHA256
Mar 12 08:41:41 egde postfix/25pass/smtpd[78321]: setting up TLS
connection from mail-pf1-f176.google.com[209.85.210.176]
Mar 12 08:41:42 egde postfix/25pass/smtpd[78321]: Trusted TLS connection
established from mail-pf1-f176.google.com[209.85.210.176]: TLSv1.3 with
cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519
server-signature RSA-PSS (2048 bits) server-digest SHA256
client-signature RSA-PSS (2048 bits) client-digest SHA256
Part of the headers:
Bendel:
Received: from bendel.debian.org (bendel.debian.org [82.195.75.100])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
SHA256
client-signature RSA-PSS (2048 bits) client-digest SHA256)
(Client CN "clientcerts/bendel.debian.org", Issuer "Debian SMTP CA"
(not verified))
by edge.bronzemail.com (Postfix) with ESMTPS id 3417740396
for <jer...@ardley.org>; Sun, 12 Mar 2023 08:37:40 +0800 (AWST)
Google:
Received: from mail-pf1-f176.google.com (mail-pf1-f176.google.com
[209.85.210.176])
(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
SHA256
client-signature RSA-PSS (2048 bits) client-digest SHA256)
(Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK))
by edge.bronzemail.com (Postfix) with ESMTPS id 0E80740396
for <jer...@ardley.org>; Sun, 12 Mar 2023 08:41:43 +0800 (AWST)
I have previously run:
apt install --reinstall ca-certificates
...
Preparing to unpack .../ca-certificates_20210119_all.deb ...
Unpacking ca-certificates (20210119) over (20210119) ...
...
root@egde:/etc/postfix# update-ca-certificates --fresh
systemctl restart postfix
I also see this happen with Let's Encrypt certificates, even though R3 is
in the trusted CA lists:
Received: from edge.bronzemail.com
(2403-5800-c000-1b7-f3d4-d970-ca28-bf4f.ip6.aussiebb.net
[IPv6:2403:5800:c000:1b7:f3d4:d970:ca28:bf4f])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits)
client-signature RSA-PSS (2048 bits))
(Client CN "edge.bronzemail.com", Issuer "R3" (not verified))
by mail.bronzemail.com (Postfix) with ESMTPS id 48D60860222
for <jer...@ardley.org>; Sun, 12 Mar 2023 08:41:44 +0800 (AWST)
Jeremy
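To see at a glance which peers Postfix reports as Trusted versus Untrusted, and which issuing CAs the unverified client certificates chain to, here is a small parser for the two record shapes quoted above (the smtpd log line and the Received: header). This is an added example, not code from the original post; the sample lines are constructed and shortened.

```python
import re
from collections import Counter

# Constructed sample input in the shape of the post's Postfix smtpd log lines.
SAMPLE_LOG = """\
Mar 12 08:37:39 egde postfix/25pass/smtpd[78299]: Untrusted TLS connection established from bendel.debian.org[82.195.75.100]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar 12 08:41:42 egde postfix/25pass/smtpd[78321]: Trusted TLS connection established from mail-pf1-f176.google.com[209.85.210.176]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
Mar 12 08:50:00 egde postfix/25pass/smtpd[78340]: Anonymous TLS connection established from unknown[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""

# Constructed sample Received: headers (folded lines, as they appear in a message).
SAMPLE_HEADERS = [
    'Received: from bendel.debian.org (bendel.debian.org [82.195.75.100])\n'
    '\t(Client CN "clientcerts/bendel.debian.org", Issuer "Debian SMTP CA"\n\t(not verified))',
    'Received: from mail-pf1-f176.google.com (mail-pf1-f176.google.com [209.85.210.176])\n'
    '\t(Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK))',
    'Received: from edge.bronzemail.com\n'
    '\t(Client CN "edge.bronzemail.com", Issuer "R3" (not verified))',
]

# Postfix logs one of four trust levels for a TLS peer: Anonymous, Untrusted, Trusted, Verified.
LOG_RE = re.compile(
    r"smtpd\[\d+\]: (?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection "
    r"established from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]: (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

# Client certificate subject CN, issuer and Postfix's verdict inside the Received: header.
RECEIVED_RE = re.compile(
    r'\(Client CN "(?P<cn>[^"]*)", Issuer "(?P<issuer>[^"]*)" \((?P<status>[^)]*)\)\)'
)

def parse_log(text):
    """Return one dict (level, host, ip, proto, cipher) per TLS handshake line; other lines are skipped."""
    return [m.groupdict() for m in (LOG_RE.search(line) for line in text.splitlines()) if m]

def parse_received(header):
    """Unfold a Received: header and extract the client cert CN, issuer and verification verdict."""
    m = RECEIVED_RE.search(" ".join(header.split()))
    return m.groupdict() if m else None

def untrusted_issuers(headers):
    """Count issuers whose client certs Postfix did not verify, i.e. CAs missing from smtpd's CA set."""
    counts = Counter()
    for h in headers:
        rec = parse_received(h)
        if rec and rec["status"] != "verified OK":
            counts[rec["issuer"]] += 1
    return counts

if __name__ == "__main__":
    for entry in parse_log(SAMPLE_LOG):
        print(f'{entry["level"]:10} {entry["host"]} [{entry["ip"]}] {entry["proto"]} {entry["cipher"]}')
    print("Issuers of unverified client certs:", dict(untrusted_issuers(SAMPLE_HEADERS)))
```

Feeding real mail.log lines and message headers to these functions shows whether the "Untrusted" verdicts cluster on particular issuers, which is the CA set to compare against what smtpd is actually configured to trust.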