From: Noel Jones on 11 Jan 2010 12:02

On 1/11/2010 10:38 AM, Dennis Putnam wrote:
> Upon further investigation, apparently mail is not moving. There seems
> to be 2 domains associated with this site but I was only asked to
> enforce TLS on one of them. That is why it appeared to be working.
> Getting back to Chris' comments, I think setting the security level to
> 'encrypt' forces everything to be TLS and that will not work. I need it
> to work as I previously described.

Postfix client TLS settings are described in
http://www.postfix.org/TLS_README.html#client_tls

For a general-purpose MTA the main.cf setting should be "none" or "may". To force encryption for a specific recipient domain, see
http://www.postfix.org/TLS_README.html#client_tls_policy

If your mail is deferred due to certificate errors, this implies you're using a security level above "encrypt". Don't do that unless you have the proper root certificates installed.

If you need more help, please refer to
http://www.postfix.org/DEBUG_README.html#mail
and show us your "postconf -n" output, any related policy map contents, and related logging.

-- Noel Jones
From: Dennis Putnam on 11 Jan 2010 12:16

Hi Noel,

Thanks. I think you pointed me in the right direction. Am I correct that the per_site table is different under 2.5.5 than pre 2.3? I had trouble getting that to work on the old server so I didn't change it for the migration. What I have is:

.somedomain.com MUST

I think it now can be a hash and should look like:

[somedomain.com] encrypt

Is that correct? I'm guessing the old 'MUST' is being interpreted as 'secure' in this version.

On Jan 11, 2010, at 12:02 PM, Noel Jones wrote:

> On 1/11/2010 10:38 AM, Dennis Putnam wrote:
>> Upon further investigation, apparently mail is not moving. There seems
>> to be 2 domains associated with this site but I was only asked to
>> enforce TLS on one of them. That is why it appeared to be working.
>> Getting back to Chris' comments, I think setting the security level to
>> 'encrypt' forces everything to be TLS and that will not work. I need it
>> to work as I previously described.
>
> Postfix client TLS settings are described in
> http://www.postfix.org/TLS_README.html#client_tls
>
> For a general-purpose MTA the main.cf setting should be "none" or "may". To force encryption for a specific recipient domain, see
> http://www.postfix.org/TLS_README.html#client_tls_policy
>
> If your mail is deferred due to certificate errors, this implies you're using a security level above "encrypt". Don't do that unless you have the proper root certificates installed.
>
> If you need more help, please refer to
> http://www.postfix.org/DEBUG_README.html#mail
> and show us your "postconf -n" output, any related policy map contents, and related logging.
>
> -- Noel Jones

Dennis Putnam
Sr. IT Systems Administrator
AIM Systems, Inc.
11675 Rainwater Dr., Suite 200
Alpharetta, GA 30009
Phone: 678-240-4112
Main Phone: 678-297-0700
FAX: 678-297-2666 or 770-576-1000

The information contained in this e-mail and any attachments is strictly confidential. If you are not the intended recipient, any use, dissemination, distribution, or duplication of any part of this e-mail or any attachment is prohibited. If you are not the intended recipient, please notify the sender by return e-mail and delete all copies, including the attachments.
From: Noel Jones on 11 Jan 2010 12:36

On 1/11/2010 11:16 AM, Dennis Putnam wrote:
> Hi Noel,
>
> Thanks. I think you pointed me in the right direction. Am I correct that
> the per_site table is different under 2.5.5 than pre 2.3? I had trouble
> getting that to work on the old server so I didn't change it for the
> migration. What I have is:
>
> .somedomain.com MUST
>
> I think it now can be a hash and should look like:
>
> [somedomain.com] encrypt
>
> Is that correct? I'm guessing the old 'MUST' is being interpreted as
> 'secure' in this version.

According to the example in
http://www.postfix.org/TLS_README.html#client_tls_policy
the policy table should contain

somedomain.tld encrypt

To include subdomains of somedomain.tld also include

.somedomain.tld encrypt

-- Noel Jones
From: Victor Duchovni on 11 Jan 2010 14:08

On Mon, Jan 11, 2010 at 11:36:42AM -0600, Noel Jones wrote:
> According to the example in
> http://www.postfix.org/TLS_README.html#client_tls_policy
> the policy table should contain
>
> somedomain.tld encrypt
>
> To include subdomains of somedomain.tld also include
>
> .somedomain.tld encrypt

And only when one's transport table or relayhost specifies a nexthop of the form:

[gateway.example.com]

does the TLS policy table need an entry of the same form:

[gateway.example.com] encrypt|secure|fingerprint ...

For "[gateway]" nexthops there is no real difference between "secure" and "verify", both test for the same nexthop address, unless "match" values are specified explicitly. In retrospect, it was an interface design error to provide both levels, just one would have been enough, with backwards compatibility for tls_per_site provided via different "match" values for "verify" not a different security level. Both verify certificates using a slightly different default set of match values. :-(

The "damage" is fairly minor...

-- Viktor.

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the "Reply-To" header.

If my response solves your problem, the best way to thank me is to not send an "it worked, thanks" follow-up. If you must respond, please put "It worked, thanks" in the "Subject" so I can delete these quickly.
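The lookup-key rules Noel and Viktor describe above (plain domain, then parent domains with a leading dot; a bracketed next-hop only ever matches a bracketed key) are easy to get wrong when converting an old smtp_tls_per_site table. The following is an added example, not Postfix source and not code from anyone in the thread: a small Python model of that documented lookup order, together with the legacy per_site keyword mapping from TLS_README and the name patterns implied by the default "match" of the "secure" level. The sample policy-map contents, the domain names and all function names are constructed for the demonstration; the real map would be listed in main.cf as `smtp_tls_policy_maps = hash:/etc/postfix/tls_policy` next to `smtp_tls_security_level = may`, and rebuilt with `postmap` after every edit.

```python
"""Model of how Postfix chooses an smtp_tls_policy_maps entry for a next-hop.

Added example, not Postfix source. It models the documented lookup order:
  - the lookup key is the verbatim next-hop ("somedomain.tld",
    "[gateway.example.com]", "[gateway.example.com]:587", ...);
  - a plain domain is followed by each parent domain with a leading dot
    (mail.somedomain.tld -> .somedomain.tld -> .tld);
  - anything that is not a plain domain (brackets, address literal, :port)
    is tried exactly once, verbatim;
  - no entry -> main.cf's smtp_tls_security_level applies ("may" here).
Assumption: lookups are case-folded, as Postfix hash tables do by default.
"""
import re

# Security levels that existed in the Postfix 2.5/2.6 era of the thread.
KNOWN_LEVELS = ("none", "may", "encrypt", "fingerprint", "verify", "secure")

# Legacy smtp_tls_per_site keywords and the level TLS_README maps them to.
PER_SITE_TO_LEVEL = {
    "NONE": "none",
    "MAY": "may",
    "MUST_NOPEERMATCH": "encrypt",
    "MUST": "verify",
}

# Constructed sample of /etc/postfix/tls_policy (source form, before postmap).
SAMPLE_POLICY_MAP = """\
# exact recipient domain, as in Noel's answer
somedomain.tld            encrypt
# subdomains only; this line does NOT cover somedomain.tld itself
.somedomain.tld           encrypt
# a transport/relayhost next-hop written as [gateway...] needs this exact key
[gateway.example.com]     secure
# an explicit port makes a different key again
[gateway.example.com]:587 secure match=gateway.example.com
partner.example           none
"""

_PLAIN_DOMAIN = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")


def parse_policy_map(text):
    """Parse policy-map source lines into {key: (level, {attr: value})}."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        key, level = fields[0].lower(), fields[1].lower()
        if level not in KNOWN_LEVELS:
            raise ValueError(f"unknown TLS security level {level!r} for {key}")
        # optional attributes such as match=..., ciphers=..., protocols=...
        attrs = dict(f.split("=", 1) for f in fields[2:])
        table[key] = (level, attrs)
    return table


def lookup_keys(nexthop):
    """Keys tried, in order, for one next-hop destination."""
    nexthop = nexthop.lower()
    if not _PLAIN_DOMAIN.match(nexthop):
        return [nexthop]              # bracketed host, literal or host:port
    keys = [nexthop]
    pos = nexthop.find(".")
    while pos != -1:
        keys.append(nexthop[pos:])    # parent domain, leading dot kept
        pos = nexthop.find(".", pos + 1)
    return keys


def resolve_policy(table, nexthop, default_level="may"):
    """Return (level, attrs, matched_key); matched_key is None when main.cf wins."""
    for key in lookup_keys(nexthop):
        if key in table:
            level, attrs = table[key]
            return level, attrs, key
    return default_level, {}, None


def default_match_names(level, nexthop):
    """Certificate names implied by the default 'match' of secure/verify.

    secure defaults to nexthop:dot-nexthop; verify defaults to the server
    hostname, which for a bracketed next-hop is the bracketed name itself,
    so the two coincide there (Viktor's point). Other levels match no names.
    """
    host = nexthop.split("]")[0].lstrip("[") if nexthop.startswith("[") else nexthop.split(":")[0]
    if level == "secure":
        return [host, "." + host]
    if level == "verify":
        return [host] if nexthop.startswith("[") else ["<server hostname after MX lookup>"]
    return []


def convert_per_site_entry(line):
    """Rewrite one legacy smtp_tls_per_site line as a policy-map line."""
    key, keyword = line.split()
    return f"{key} {PER_SITE_TO_LEVEL[keyword.upper()]}"


if __name__ == "__main__":
    table = parse_policy_map(SAMPLE_POLICY_MAP)
    for dest in ("somedomain.tld", "mail.somedomain.tld", "[gateway.example.com]",
                 "gateway.example.com", "[gateway.example.com]:587", "other.example"):
        print(dest, "->", resolve_policy(table, dest))
    print(convert_per_site_entry(".somedomain.com MUST"))
```

The fourth destination in the demo, `gateway.example.com` without brackets, falls through to the main.cf default even though a bracketed entry exists, which is exactly the mismatch Viktor warns about between the transport/relayhost next-hop form and the policy key. Running `postconf -n` and comparing the real next-hop spelling against the policy map keys is the quickest way to confirm which branch applies on a live system.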
From: LuKreme on 11 Jan 2010 14:13

On 11-Jan-2010, at 09:27, Dennis Putnam wrote:
> I am quite familiar with the arguments but again it is not my choice. If you want, I can give you the number of our corporate lawyers and you can try to convince them. Perhaps you will have better luck than me. :-)

I will be happy to email them daily links to publicly accessible web pages containing emails sent from that domain to a mailing list with that 'disclaimer' attached.

I will use, disseminate, distribute, and republish any post with a disclaimer on it as a matter of course.

--
INDIAN BURNS ARE NOT OUR CULTURAL HERITAGE Bart chalkboard Ep. 3F05