On Wed, Jan 19, 2022 at 04:21:13PM -0500, PGNet Dev wrote:
> Following along & just curious, I checked a Postfix 3.6.3 here that's using
> LetsEncrypt certs, where conf includes
>
> smtpd_tls_cert_file = /usr/local/etc/postfix/sec/fullchain.rsa.crt.pem
> smtpd_tls_eccert_file = /usr/local/etc/postfix/sec/fullchain.ec.crt.pem
> smtpd_tls_eckey_file = /usr/local/etc/postfix/sec/priv.ec.key
> smtpd_tls_key_file = /usr/local/etc/postfix/sec/priv.rsa.key
>
> cert verification FAILs
>
> posttls-finger -cC -lsecure '[mx.example.com]'
> posttls-finger: certificate verification failed for
> mx.example.com[XX.XX.XX.3]:25: untrusted issuer /O=Digital Signature Trust
> Co./CN=DST Root CA X3
> ...
This is expected: you haven't specified a CAfile with "-F filename", and the
default is to not trust any CAs.  Only "-l dane" can produce a "Verified"
result with no explicit trust anchors in the Postfix configuration, and only,
of course, if the nexthop domain is DNSSEC-signed and the SMTP server has
usable TLSA records.  The actual trust anchor (root zone KSK) is configured
in your local validating resolver.

-- 
Viktor.
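Since "-l dane" only yields "Verified" when the MX publishes usable TLSA records, here is an added example (not from the thread, and not Postfix's own tooling) that derives the DANE-EE "3 1 1" TLSA rdata from the certificate named in smtpd_tls_cert_file / smtpd_tls_eccert_file and checks a certificate against a published record. It assumes the openssl CLI is installed and that the first certificate in the PEM file is the end-entity cert (true for a Let's Encrypt fullchain file).

```shell
#!/bin/sh
# Build and check DANE-EE TLSA rdata: usage 3 (end-entity), selector 1
# (SubjectPublicKeyInfo), matching type 1 (SHA-256).  Example code, assumes
# openssl is on PATH.
set -eu

# Hex SHA-256 of the DER-encoded SubjectPublicKeyInfo of the first cert in $1.
# Hashing the SPKI (not the whole cert) keeps the record valid across
# renewals as long as the key pair is reused.
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | od -An -tx1 | tr -d ' \n'
}

# Print the rdata to publish at _25._tcp.<mx hostname> IN TLSA: "3 1 1 <hex>".
tlsa_rdata() {
    printf '3 1 1 %s\n' "$(spki_sha256 "$1")"
}

# Return 0 if the certificate in $1 matches the TLSA rdata string in $2.
# Only "3 1 1" is handled; any other usage/selector/matching type is
# rejected so an unsupported record is never mistaken for a match.
tlsa_matches() {
    cert="$1"
    set -- $2
    [ "$#" -eq 4 ] && [ "$1 $2 $3" = "3 1 1" ] || return 1
    [ "$(spki_sha256 "$cert")" = "$4" ]
}

# Stand-alone use: ./tlsa.sh /usr/local/etc/postfix/sec/fullchain.ec.crt.pem
if [ "$#" -eq 1 ]; then
    tlsa_rdata "$1"
fi
```

Publish one record per configured certificate (RSA and ECDSA here), and roll the new key's record out before switching certificates so "-l dane" never sees a gap.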