> -----Original Message-----
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-
> us...@postfix.org] On Behalf Of Viktor Dukhovni
> On Fri, Oct 07, 2011 at 05:15:20PM -0400, Simon Brereton wrote:
> 
> > postfix/smtpd[25614]: warning: TLS library problem:
> > 25614:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert
> > certificate unknown:s3_pkt.c:1102:SSL alert number 46:
> 
> This client could not verify your server certificate, its SSL stack
> sent an "alert" to that effect.

Viktor - as always, I thank you - the help and advice on this list is
unparalleled.

I presume they couldn't verify it because it's a self-signed certificate?

> > I have absolutely no idea if my server is using TLS if it's offered
> > for outgoing mail.
> >
> > In main.cf I have smtpd_use_tls = yes but the documentation tells me
> > this is obsoleted (I'm running 2.7.1) and to use
> > smtpd_tls_security_level = may instead - however, vim tells me that
> > the former is a valid configurable (it's highlighted) whilst the
> > latter is not.  That's part of my confusion.
> 
> The authors of vim are not Postfix experts.

Among the other things it's not practical enough to know is how vim does this 
anyway.  I assumed there was some sort of file it checks in the postfix 
sources.  But I'll amend this.

> > mail:~# postconf -n | grep -i TLS
> > smtp_tls_note_starttls_offer = yes
> > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> 
> With no other settings for the SMTP client, outgoing TLS is disabled
> on your machine. You need "smtp_tls_security_level = may".
 
Thanks - you've already made the TLS_README more understandable.  I've added 
that.  Do I need to add other parameters?

smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtp_tls_CAfile = ?
smtp_tls_cert_file = ?
smtp_tls_key_file = ?
smtp_tls_loglevel = 1


> > smtpd_tls_CAfile = /etc/ssl/keys/ca.crt
> > smtpd_tls_cert_file = /etc/ssl/keys/mail..net.crt
> 
> Not needed, you neither ask for nor verify client certs.

Should I be?  And if so, how do I do that?  Bearing in mind, I think I'd only 
want to verify them if they are actually used.
 
> > smtpd_tls_loglevel = 2
> 
> Too noisy. No more than 1, unless you're debugging a TLS
> interoperability problem

I'd put it at 2 to try and ascertain whether it was me or the connecting host at
fault.  Your reply above indicates it's me (or at least that the host can't
verify my certificate).

> > smtpd_use_tls = yes
> 
> Use "smtpd_tls_security_level = may"

Fixed.  Thanks.

> > And how can I be sure those errors in the logs are the connecting
> > host and not mine?
> 
> Reduce the loglevel to 1, then ignore most TLS warnings that don't
> correlate with non-delivery of mail. Sadly, it is not practical for
> everyone to learn SSL deeply enough to understand all the warnings.

I'm deeply and painfully aware of this :(

Simon
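The precedence rule Viktor's replies rely on (a non-empty smtp_tls_security_level or smtpd_tls_security_level overrides the obsolete smtp(d)_use_tls / smtp(d)_enforce_tls switches, and with neither set the corresponding side has TLS turned off) can be checked mechanically against "postconf -n" output. The script below is an added example and is not part of the thread or of Postfix; the legacy mapping it encodes (use_tls=yes as "may", enforce_tls=yes as "encrypt", and for the SMTP client "verify" unless smtp_tls_enforce_peername = no) is my reading of the TLS_README compatibility notes, and the sample configuration embedded in it is constructed to resemble the pre-fix output quoted above.

```shell
#!/bin/sh
# Added example (not from the thread or from Postfix): report the effective
# Postfix TLS security level for the SMTP client (smtp_*) and server
# (smtpd_*) from "postconf -n" style output, applying the precedence rule
# that a non-empty *_tls_security_level overrides the obsolete switches.
# Legacy mapping used here (my reading of TLS_README):
#   *_enforce_tls = yes  -> "encrypt" ("verify" for the client unless
#                           smtp_tls_enforce_peername = no)
#   *_use_tls = yes      -> "may"
#   nothing set          -> "none" (TLS off on that side)

# Print the value of parameter $1 from file $2 (empty when absent).
get_param() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1
}

# effective_level <smtp|smtpd> <file>  -> none | may | encrypt | verify | ...
effective_level() {
    prefix=$1; conf=$2
    level=$(get_param "${prefix}_tls_security_level" "$conf")
    if [ -n "$level" ]; then
        printf '%s\n' "$level"      # explicit level wins over legacy switches
    elif [ "$(get_param "${prefix}_enforce_tls" "$conf")" = "yes" ]; then
        if [ "$prefix" = smtp ] && \
           [ "$(get_param smtp_tls_enforce_peername "$conf")" != "no" ]; then
            printf 'verify\n'       # legacy client default: peername checked
        else
            printf 'encrypt\n'
        fi
    elif [ "$(get_param "${prefix}_use_tls" "$conf")" = "yes" ]; then
        printf 'may\n'
    else
        printf 'none\n'
    fi
}

# List the obsolete switches still present, each of which should be
# replaced by the single smtp(d)_tls_security_level line.
obsolete_params() {
    grep -E '^smtpd?_(use_tls|enforce_tls|tls_enforce_peername)[[:space:]]*=' "$1" \
        | cut -d= -f1 | tr -d ' '
}

# Constructed sample resembling the "postconf -n | grep -i TLS" output
# quoted in the thread, before smtp_tls_security_level was added.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_CAfile = /etc/ssl/keys/ca.crt
smtpd_tls_loglevel = 2
smtpd_use_tls = yes
EOF

echo "client (outgoing) TLS: $(effective_level smtp "$SAMPLE")"    # none
echo "server (incoming) TLS: $(effective_level smtpd "$SAMPLE")"   # may
echo "obsolete switches: $(obsolete_params "$SAMPLE" | tr '\n' ' ')"
rm -f "$SAMPLE"
```

Run against the real thing with `postconf -n > /tmp/pc.txt` and then `effective_level smtp /tmp/pc.txt`; "none" for the client side is exactly the state Viktor diagnosed, and anything printed by obsolete_params is a parameter to retire in favour of the *_tls_security_level line.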
