On Wed, Jan 19, 2022 at 04:21:13PM -0500, PGNet Dev wrote:

> following along & just curious, i checked a postfix 3.6.3 here that's using 
> LetsEncrypt certs, where conf includes
> 
>       smtpd_tls_cert_file = /usr/local/etc/postfix/sec/fullchain.rsa.crt.pem
>       smtpd_tls_eccert_file = /usr/local/etc/postfix/sec/fullchain.ec.crt.pem
>       smtpd_tls_eckey_file = /usr/local/etc/postfix/sec/priv.ec.key
>       smtpd_tls_key_file = /usr/local/etc/postfix/sec/priv.rsa.key
> 
> cert verification FAILs
> 
>       posttls-finger -cC -lsecure '[mx.example.com]'
>               posttls-finger: certificate verification failed for mx.example.com[XX.XX.XX.3]:25: untrusted issuer /O=Digital Signature Trust Co./CN=DST Root CA X3
>               ...

This is expected, you haven't specified a CAfile with "-F filename" and
the default is to not trust any CAs.

Only "-l dane" can produce a "Verified" result with no explicit trust
anchors in the Postfix configuration, and only of course if the nexthop
domain is DNSSEC-signed, and the SMTP server has usable TLSA records.
The actual trust-anchor (root zone KSK) is configured in your local
validating resolver.

-- 
    Viktor.
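As an added illustration of the two points in the reply (it is not code from the thread or from the Postfix project): a small POSIX shell wrapper that runs posttls-finger once with an explicit CAfile via -F and once with -l dane, then reduces the output to the trust level Postfix reported. The CA bundle path in CA_BUNDLE is an assumption for a Debian-style system; the helper functions and the sample output lines in the usage are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumes posttls-finger
# (shipped with Postfix) is installed and that the system CA bundle is at
# CA_BUNDLE; adjust the path for your distribution.
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# Reduce posttls-finger output (read from stdin) to the trust level Postfix
# reported in its "... TLS connection established" line:
# Verified, Trusted, Untrusted, Anonymous, or none if TLS never came up.
tls_trust_level() {
    level=none
    while IFS= read -r line; do
        case "$line" in
            *"Verified TLS connection established"*)  level=Verified ;;
            *"Untrusted TLS connection established"*) level=Untrusted ;;
            *"Trusted TLS connection established"*)   level=Trusted ;;
            *"Anonymous TLS connection established"*) level=Anonymous ;;
        esac
    done
    printf '%s\n' "$level"
}

# Security level "secure" with explicit trust anchors: without -F (or -P)
# posttls-finger trusts no CA, so a public-CA chain reports "untrusted issuer".
# usage: check_secure mx.example.com
check_secure() {
    posttls-finger -cC -F "$CA_BUNDLE" -l secure "[$1]" 2>&1 | tls_trust_level
}

# Security level "dane": no CAfile is needed, but the nexthop domain must be
# DNSSEC-signed, its MX hosts must publish usable TLSA records, and the local
# resolver must validate (the root KSK is the only trust anchor involved).
# usage: check_dane example.com
check_dane() {
    posttls-finger -cC -l dane "$1" 2>&1 | tls_trust_level
}

# Run both checks only when a domain is given and the tool is available.
if [ -n "${1:-}" ] && command -v posttls-finger >/dev/null 2>&1; then
    printf 'secure (CAfile): %s\n' "$(check_secure "$1")"
    printf 'dane:            %s\n' "$(check_dane "$1")"
fi
```

Pass a mail domain as the single argument to run both checks; a "Verified" result from check_dane without any -F is exactly the case the reply describes, while check_secure needs the CA bundle to move from "Untrusted" to "Verified".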
