On Mon, Mar 16, 2020 at 02:45:55PM -0400, Wietse Venema wrote:

> > Looks valid to me, unless I'm missing something, or is posttls-finger 
> > missing something?
> 
> Postfix code will enforce the security level that you specify.
> If you want Postfix to trust the certificate, then specify that.
> 
>       posttls-finger -l <your preferred level> ...
> 
> Ditto in main.cf and smtp_tls_policy_maps.

Everything is as expected.  Postfix defaults to opportunistic TLS, which
does not care about the peer certificate (does not attempt to verify
it), and *also* by default has an empty trust store.  If you want to
trust some list of random third-parties, you have to explicitly turn
that on.  And if you want "Verified", rather than "trusted" you
often have to also specify appropriate name matching:

    $ posttls-finger -c -l secure -L summary -F /etc/ssl/cert.pem gmail.com mx.google.com
    posttls-finger: Verified TLS connection established
       to gmail-smtp-in.l.google.com[172.217.197.26]:25: TLSv1.3 with
       cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519
       server-signature RSA-PSS (2048 bits) server-digest SHA256

-- 
    Viktor.
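The main.cf and smtp_tls_policy_maps counterpart of the posttls-finger invocation above, as an added example that is not part of the original thread. The file paths and the loglevel setting are assumptions; the "match" pattern and the "secure" level mirror the command shown in the message.

```conf
# /etc/postfix/main.cf (added example, not from the thread; paths are assumed)

# Default for all destinations: opportunistic TLS. Encrypts when the peer offers
# STARTTLS, but never verifies the peer certificate, so an active attacker can
# still strip or intercept the session. Logs show "Untrusted" or "Anonymous".
smtp_tls_security_level = may

# Trust store for the "verify" and "secure" levels. Postfix ships with an empty
# trust store, so without this line no certificate can ever be "Trusted".
smtp_tls_CAfile = /etc/ssl/cert.pem

# Per-destination overrides, keyed by next-hop domain.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Log the TLS summary line (security level, cipher, verification result).
smtp_tls_loglevel = 1


# /etc/postfix/tls_policy  (run "postmap /etc/postfix/tls_policy" after editing)
#
# "secure" requires a certificate chained to smtp_tls_CAfile AND a name match;
# without the explicit match= the default is nexthop/dot-nexthop (gmail.com),
# which does not appear in the MX host's certificate, so delivery would be
# deferred rather than downgraded. Same outcome as the posttls-finger check.
gmail.com   secure match=mx.google.com
```

Check the result in the mail log: a matching "secure" entry logs "Verified TLS connection established", whereas a chain or name mismatch logs a deferral, never a silent fallback to plaintext.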
