On Wed, Jan 19, 2022 at 04:21:13PM -0500, PGNet Dev wrote:
> following along & just curious, i checked a postfix 3.6.3 here that's using
> LetsEncrypt certs, where conf includes
>
> smtpd_tls_cert_file = /usr/local/etc/postfix/sec/fullchain.rsa.crt.pem
> smtpd_tls_eccert_file = /usr/local/etc/postfix/sec/fullchain.ec.crt.pem
> smtpd_tls_eckey_file = /usr/local/etc/postfix/sec/priv.ec.key
> smtpd_tls_key_file = /usr/local/etc/postfix/sec/priv.rsa.key
>
> cert verification FAILs
>
> posttls-finger -cC -lsecure '[mx.example.com]'
> posttls-finger: certificate verification failed for
> mx.example.com[XX.XX.XX.3]:25: untrusted issuer /O=Digital Signature Trust
> Co./CN=DST Root CA X3
> ...
This is expected, you haven't specified a CAfile with "-F filename" and
the default is to not trust any CAs.
Only "-l dane" can produce a "Verified" result with no explicit trust
anchors in the Postfix configuration, and only of course if the nexthop
domain is DNSSEC-signed, and the SMTP server has usable TLSA records.
The actual trust-anchor (root zone KSK) is configured in your local
validating resolver.
--
Viktor.
