Peter:
> On 17/03/20 2:08 am, Viktor Dukhovni wrote:
> > For opportunistic TLS, unvalidated certificates are not a failure.
> > There is no problem, everything is working as expected:
> >
> >     $ posttls-finger -l may -c -L summary gmail.com
> >     posttls-finger: Untrusted TLS connection established to
> >     gmail-smtp-in.l.google.com[2607:f8b0:400d:c0f::1a]:25: TLSv1.3 with cipher
> >     TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature
> >     RSA-PSS (2048 bits) server-digest SHA256
>
>     $ openssl s_client -connect "gmail-smtp-in.l.google.com:25" -servername
>     "gmail-smtp-in.l.google.com" -starttls smtp <<<"QUIT" | tee >(openssl
>     x509 -noout -text); sleep 0.1
>     ...
>     Certificate chain
>      0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=mx.google.com
>        i:/C=US/O=Google Trust Services/CN=GTS CA 1O1
>      1 s:/C=US/O=Google Trust Services/CN=GTS CA 1O1
>        i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
>     ...
>     Not After : May 19 20:43:24 2020 GMT
>     ...
>     X509v3 Subject Alternative Name:
>     ...DNS:gmail-smtp-in.l.google.com,...
>     ...
>
> Looks valid to me, unless I'm missing something, or is posttls-finger
> missing something?
Postfix code will enforce the security level that you specify. If you
want Postfix to trust the certificate, then specify that.

    posttls-finger -l <your preferred level> ...

Ditto in main.cf and smtp_tls_policy_maps.

	Wietse
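As an added example, not code from the thread or from Postfix itself, the following Python parses the summary line that posttls-finger and the Postfix smtp client log, and reports which of the levels may, encrypt, verify and secure a session with that verdict would satisfy. The verdict-to-level mapping is my reading of the Postfix TLS_README; dane and fingerprint are left out because their outcome depends on the TLSA record or fingerprint lookup.

```python
import re

# Verdict Postfix/posttls-finger prints at the head of the TLS summary line,
# ordered from weakest to strongest assurance about the peer certificate.
VERDICT_RANK = {"Anonymous": 0, "Untrusted": 1, "Trusted": 2, "Verified": 3}

# Weakest verdict each smtp_tls_security_level still accepts (assumption drawn
# from the TLS_README level descriptions; dane and fingerprint are omitted
# because their requirement depends on the TLSA record or fingerprint lookup).
LEVEL_MIN_VERDICT = {"may": "Anonymous", "encrypt": "Anonymous",
                     "verify": "Verified", "secure": "Verified"}

SUMMARY_RE = re.compile(
    r"^(?:\S+: )?(?P<verdict>Anonymous|Untrusted|Trusted|Verified) TLS connection "
    r"established to (?P<host>[^\[\s]+)\[(?P<addr>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<protocol>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)")


def parse_summary(line):
    """Split one posttls-finger / smtp(8) TLS summary line into its fields."""
    m = SUMMARY_RE.match(" ".join(line.split()))   # tolerate mail-wrapped lines
    if not m:
        raise ValueError("not a Postfix TLS summary line: %r" % line)
    fields = m.groupdict()
    fields["port"] = int(fields["port"])
    fields["bits"] = int(fields["bits"])
    return fields


def meets_level(verdict, level):
    """True if a session logged with this verdict satisfies the given level."""
    return VERDICT_RANK[verdict] >= VERDICT_RANK[LEVEL_MIN_VERDICT[level]]


# Constructed input: the summary line quoted in the thread, wrapped as in the mail.
GMAIL_SUMMARY = """posttls-finger: Untrusted TLS connection established to
gmail-smtp-in.l.google.com[2607:f8b0:400d:c0f::1a]:25: TLSv1.3 with cipher
TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature
RSA-PSS (2048 bits) server-digest SHA256"""


def check_thread_example():
    """Which security levels the session from the thread would satisfy."""
    verdict = parse_summary(GMAIL_SUMMARY)["verdict"]
    return {level: meets_level(verdict, level) for level in LEVEL_MIN_VERDICT}


if __name__ == "__main__":
    for level, ok in check_thread_example().items():
        print("%-8s %s" % (level, "ok" if ok else "would not be accepted"))
```

The same parser works on the "TLS connection established" lines in the Postfix mail log, so it can be run over a log extract to see which destinations would break if a stricter level were set in smtp_tls_policy_maps.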