Hello, I currently have a Postfix 3.1.0 server with smtpd configured to use opportunistic TLS encryption:
/etc/postfix/main.cf

    smtpd_tls_security_level = may

In the documentation I have noted that even if STARTTLS is enabled, mail delivery will not be stopped even if the certificate at the other server is invalid or is a self-signed certificate. As such, TLS encryption is used but authentication of the remote server does not happen.

I have noticed in my logs today an entry:

    postfix/smtpd[1234]: Untrusted TLS connection established from example.com[1.2.3.4]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)

...where example.com is not the real server name.

When smtpd parsed the certificate before this log entry, I noticed that the subject_CN of the certificate is the same as the issuer - for example:

    subject_CN=example issuer=example

...where example is not a FQDN but the hostname of the remote server. There are also no references to certificate authorities.

I am wondering two things:

[1] Am I correct that the remote server has not been authenticated but has used encryption?
[2] Is it not authenticated in this case because the remote server appears to be a self-signed certificate?

Thanks,
- J
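
An added example, not part of the original post: a small parser that classifies smtpd TLS summary lines like the one quoted above by trust status and flags a matching subject_CN and issuer. The sample log lines and the function name parse_tls_sessions are constructed for illustration.

```python
import re

# Constructed sample: the second line is the entry quoted in the post; the
# others, including the prefix of the subject_CN line, are made up for the demo.
SAMPLE_LOG = """\
postfix/smtpd[1234]: example.com[1.2.3.4]: subject_CN=example issuer=example
postfix/smtpd[1234]: Untrusted TLS connection established from example.com[1.2.3.4]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
postfix/smtpd[1240]: Anonymous TLS connection established from mail.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
postfix/smtpd[1251]: Trusted TLS connection established from mx.example.org[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
"""

TLS_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<status>Anonymous|Untrusted|Trusted) "
    r"TLS connection established from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<used>\d+)/(?P<avail>\d+) bits\)"
)
CERT_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: .*?subject_CN=(?P<subject>[^,\s]+),?\s+"
    r"issuer(?:_CN)?=(?P<issuer>[^,\s]+)"
)


def parse_tls_sessions(text):
    """Return one dict per inbound TLS session found in smtpd log text."""
    certs = {}  # smtpd pid -> (subject_CN, issuer) logged before the summary line
    sessions = []
    for line in text.splitlines():
        m = CERT_RE.search(line)
        if m:
            certs[m["pid"]] = (m["subject"], m["issuer"])
            continue
        m = TLS_RE.search(line)
        if not m:
            continue
        cert = certs.pop(m["pid"], None)
        sessions.append({
            "peer": f'{m["host"]}[{m["ip"]}]',
            "status": m["status"],
            "protocol": m["proto"],
            "cipher": m["cipher"],
            "bits": int(m["used"]),
            # Every matched line is an encrypted session; only "Trusted" means
            # the peer certificate chained to a CA this server trusts.
            "chain_verified": m["status"] == "Trusted",
            # subject == issuer is only a hint of a self-signed certificate.
            "self_signed_hint": cert[0] == cert[1] if cert else None,
        })
    return sessions
```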