> -----Original Message-----
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Viktor Dukhovni
> On Fri, Oct 07, 2011 at 05:15:20PM -0400, Simon Brereton wrote:
>
> > postfix/smtpd[25614]: warning: TLS library problem: 25614:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1102:SSL alert number 46:
>
> This client could not verify your server certificate, its SSL stack sent an "alert" to that effect.
Viktor - as always, I thank you - the help and advice on this list is unparalleled. I presume they couldn't verify it because it's a self-signed certificate?

> > I have absolutely no idea if my server is using TLS if it's offered for outgoing mail.
> >
> > In main.cf I have smtpd_use_tls = yes but the documentation tells me this is obsoleted (I'm running 2.7.1) and to use smtpd_tls_security_level = may instead - however, vim tells me that the former is a valid configurable (it's highlighted) whilst the latter is not. That's part of my confusion.
>
> The authors of vim are not Postfix experts.

Among the other things it's not practical enough to know is how vim does this anyway. I assumed there was some sort of file it checks in the postfix sources. But I'll amend this.

> > mail:~# postconf -n | grep -i TLS
> > smtp_tls_note_starttls_offer = yes
> > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
>
> With no other settings for the SMTP client, outgoing TLS is disabled on your machine. You need "smtp_tls_security_level = may".

Thanks - you've already made the TLS_README more understandable. I've added that. Do I need to add other parameters?

smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtp_tls_CAfile = ?
smtp_tls_cert_file = ?
smtp_tls_key_file = ?
smtp_tls_loglevel = 1

> > smtpd_tls_CAfile = /etc/ssl/keys/ca.crt
> > smtpd_tls_cert_file = /etc/ssl/keys/mail..net.crt
>
> Not needed, you neither ask for nor verify client certs.

Should I be? And if so, how do I do that? Bearing in mind, I think I'd only want to verify them if they are actually used.

> > smtpd_tls_loglevel = 2
>
> Too noisy. No more than 1, unless you're debugging a TLS interoperability problem

I'd put it at 2 to try and ascertain if it was me or the connecting host at fault.
Your reply above indicates it's me (or at least because the host can't verify my certificate).

> > smtpd_use_tls = yes
>
> Use "smtpd_tls_security_level = may"

Fixed. Thanks.

> > And how can I be sure those errors in the logs are the connecting host and not mine?
>
> Reduce the loglevel to 1, then ignore most TLS warnings that don't correlate with non-delivery of mail. Sadly, it is not practical for everyone to learn SSL deeply enough to understand all the warnings.

I'm deeply and painfully aware of this :(

Simon
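Viktor's point that the alert in that warning was sent by the remote client is something the log line itself encodes, so here, as an added example that is not from the thread or from Postfix, is a small Python classifier that pulls the alert number out of Postfix's "TLS library problem" warnings, says which side rejected what, and tallies them so a burst can be compared against deferred deliveries. The alert-number names come from the TLS alert registry (RFC 5246); the sample log lines are constructed, the first being the one quoted above.

```python
import re
from collections import Counter

# TLS alert descriptions (subset of RFC 5246 section 7.2.2). OpenSSL appends
# "SSL alert number N" to its error string when it receives a fatal alert from the peer,
# so these warnings describe what the *other* side decided, not what our side did.
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate", 45: "certificate_expired",
              46: "certificate_unknown", 48: "unknown_ca", 70: "protocol_version"}
# Alerts a peer sends after it fails to validate the certificate it was shown.
CERT_ALERTS = {42, 43, 44, 45, 46, 48}

# Matches Postfix's "TLS library problem" warning; "smtpd" is our server side, "smtp" our client side.
WARN_RE = re.compile(
    r"postfix/(?P<proc>smtpd?)\[\d+\]: warning: TLS library problem: "
    r"\d+:error:[0-9a-fA-F]+:SSL routines:\w+:(?P<reason>[^:]+):.*?SSL alert number (?P<alert>\d+)"
)

def classify(line):
    """Return None for a non-TLS line, else who rejected what, derived from the alert number."""
    m = WARN_RE.search(line)
    if m is None:
        return None
    alert, proc = int(m.group("alert")), m.group("proc")
    peer = "remote client" if proc == "smtpd" else "remote server"
    ours = "server" if proc == "smtpd" else "client"
    rejected_cert = alert in CERT_ALERTS
    verdict = (f"{peer} could not verify the certificate our {ours} presented" if rejected_cert
               else f"{peer} aborted the handshake ({m.group('reason')})")
    return {"proc": proc, "alert": alert, "alert_name": TLS_ALERTS.get(alert, "other"),
            "peer_rejected_our_cert": rejected_cert, "verdict": verdict}

def summarize(lines):
    """Count alerts per (process, alert name) so a burst can be matched against deferred mail."""
    counts = Counter()
    for info in map(classify, lines):
        if info is not None:
            counts[(info["proc"], info["alert_name"])] += 1
    return counts

# Constructed sample log: the first line is the one quoted in the thread, the rest are made up.
SAMPLE_LOG = [
    "Oct  7 17:00:01 mail postfix/smtpd[25614]: warning: TLS library problem: 25614:error:14094416:"
    "SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1102:SSL alert number 46:",
    "Oct  7 17:02:11 mail postfix/smtp[25700]: warning: TLS library problem: 25700:error:14094418:"
    "SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1102:SSL alert number 48:",
    "Oct  7 17:03:00 mail postfix/smtpd[25800]: connect from unknown[192.0.2.10]",
]
```

Run it over a real mail log with `summarize(open("/var/log/mail.log"))`; a count that does not move together with deferred or bounced deliveries is the kind of warning Viktor suggests ignoring at loglevel 1.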