Hi, my log files have a moderate amount of TLS warnings:

    postfix/smtpd[25614]: warning: TLS library problem: 25614:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1102:SSL alert number 46:

I'm aware that this could be (according to an older thread on this list) just an issue with the clients that are connecting to me. However, I'd like to be sure that this is the case. I've spent all day reading http://www.postfix.org/TLS_README.html but I'm not really any the wiser. What I would like is:

SMTP
  :: MUAs connecting on 587 are required to use TLS
  :: MUAs connecting on 25 can use TLS if they want to

SMTPD
  :: Hosts connecting to me are offered TLS and use it
  :: That my server uses TLS if it is offered by a remote host

I think I'm fixed on the first one. My master.cf says:

    submission inet n - n - - smtpd
      -o smtpd_delay_reject=yes
      -o receive_override_options=no_address_mappings
      -o content_filter=dksign:[127.0.0.1]:10028
      -o smtpd_enforce_tls=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o smtpd_tls_security_level=encrypt

I think the error is related to the third point. And I have absolutely no idea if my server is using TLS if it's offered for outgoing mail. In main.cf I have smtpd_use_tls = yes, but the documentation tells me this is obsoleted (I'm running 2.7.1) and to use smtpd_tls_security_level = may instead. However, vim tells me that the former is a valid configurable (it's highlighted) whilst the latter is not. That's part of my confusion.

    mail:~# postconf -n | grep -i TLS
    smtp_tls_note_starttls_offer = yes
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
    smtpd_tls_CAfile = /etc/ssl/keys/ca.crt
    smtpd_tls_auth_only = no
    smtpd_tls_cert_file = /etc/ssl/keys/mail..net.crt
    smtpd_tls_key_file = /etc/ssl/private/mail..net.key
    smtpd_tls_loglevel = 2
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_tls_session_cache_timeout = 3600s
    smtpd_use_tls = yes
    tls_random_source = dev:/dev/urandom

How can I be sure my server is using TLS for hosts that offer it? And how can I be sure those errors in the logs are the connecting host and not mine?

Thanks for any advice.

Simon
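An added log-triage script (not from the original post or from Postfix) that answers the two questions above from the log itself: for each "TLS library problem" warning it reports which Postfix process logged it (smtpd = inbound, smtp = outbound) and whether the alert was received from the peer, and it counts "TLS connection established" lines per process. The sample log lines are constructed, apart from the warning quoted in the post.

```python
import re
from collections import Counter

# Constructed sample Postfix log (first line is the warning from the post).
SAMPLE_LOG = """\
Jan 10 12:00:01 mail postfix/smtpd[25614]: warning: TLS library problem: 25614:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1102:SSL alert number 46:
Jan 10 12:00:05 mail postfix/smtp[25620]: warning: TLS library problem: 25620:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1102:SSL alert number 48:
Jan 10 12:00:09 mail postfix/smtpd[25630]: Anonymous TLS connection established from client.example.invalid[192.0.2.10]: TLSv1 with cipher AES256-SHA (256/256 bits)
Jan 10 12:00:12 mail postfix/smtp[25640]: Untrusted TLS connection established to mx.example.invalid[192.0.2.20]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
"""

WARNING_RE = re.compile(
    r"postfix/(?P<proc>smtpd?)\[\d+\]: warning: TLS library problem: "
    r"\d+:error:(?P<code>[0-9A-Fa-f]+):SSL routines:(?P<func>[^:]+):"
    r"(?P<reason>[^:]+):[^:]+:\d+:SSL alert number (?P<alert>\d+)"
)
ESTABLISHED_RE = re.compile(
    r"postfix/(?P<proc>smtpd?)\[\d+\]: (?P<trust>\w+) TLS connection established "
    r"(?:from|to) (?P<peer>\S+)"
)

def classify_warning(line):
    """Describe one 'TLS library problem' warning, or return None.

    In OpenSSL error strings, an alert reported by SSL3_READ_BYTES is one the
    local side *received* from the peer; a failure the local side detected
    itself is reported under the routine that found it (e.g. a certificate
    verify routine). So the post's smtpd line means the connecting client
    sent alert 46 (certificate unknown) after rejecting our certificate.
    """
    m = WARNING_RE.search(line)
    if not m:
        return None
    inbound = m["proc"] == "smtpd"
    return {
        "process": m["proc"],
        "direction": "inbound (client -> us)" if inbound else "outbound (us -> server)",
        "alert": int(m["alert"]),
        "reason": m["reason"],
        "alert_sent_by": "remote peer" if m["func"].endswith("READ_BYTES") else "local side",
    }

def summarize(log_text):
    """Count warnings by (process, alert number) and TLS sessions by (process, trust)."""
    warnings, sessions = Counter(), Counter()
    for line in log_text.splitlines():
        w = classify_warning(line)
        if w:
            warnings[(w["process"], w["alert"])] += 1
            continue
        e = ESTABLISHED_RE.search(line)
        if e:
            sessions[(e["proc"], e["trust"])] += 1
    return warnings, sessions
```

With smtp_tls_security_level = may in main.cf, the outbound side logs a "TLS connection established to ..." line from postfix/smtp for every peer that offers STARTTLS, which is what the second counter tallies; a steady count of those is the evidence that outgoing mail is using TLS when offered.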