From: Dennis Putnam on 11 Jan 2010 11:04

I'm just getting started with version 2.5.5 and TLS is different than in my previous version. I have everything working except some email will not go out because of the error "delivery temporarily suspended: Server certificate not trusted." What parameter do I have wrong that requires trusted certificates? I want to enforce TLS but I don't care what certificate the receiver uses. Thanks.

Dennis Putnam
Sr. IT Systems Administrator
AIM Systems, Inc.
11675 Rainwater Dr., Suite 200
Alpharetta, GA 30009
Phone: 678-240-4112
Main Phone: 678-297-0700
FAX: 678-297-2666 or 770-576-1000

The information contained in this e-mail and any attachments is strictly confidential. If you are not the intended recipient, any use, dissemination, distribution, or duplication of any part of this e-mail or any attachment is prohibited. If you are not the intended recipient, please notify the sender by return e-mail and delete all copies, including the attachments.
From: Dennis Putnam on 11 Jan 2010 11:27

Hi Chris,

Thanks for the reply. Please see embedded comments.

On Jan 11, 2010, at 11:11 AM, Christoph Anton Mitterer wrote:

> On Mon, 2010-01-11 at 11:04 -0500, Dennis Putnam wrote:
>> I want to enforce TLS but I don't care what certificate the receiver
>> uses. Thanks.
> Apart from the fact that enforcing TLS with SMTP is usually a bad idea,
> setting the
> smtp_tls_security_level = encrypt
> should usually do what you mean, enforce TLS with the remote SMTP
> server, but accept untrusted certs or even those with a wrong name.

I don't get to choose, I just have to do it. How these parameters work is still a little confusing to me. I have smtpd and smtp security levels set to 'may.' What I am trying to do is set up opportunistic TLS except for specific hosts that I need to enforce (smtp_tls_per_site). What I noticed is that this one site was using Thawte as the signing authority. I tried adding their root certificate to my config and now the error has changed to a warning about an untrusted TLS connection, but the mail seems to be moving now. Did I stumble onto a fix or am I still missing something?

>> The information contained in this e-mail and any attachments is
>> strictly confidential. If you are not the intended recipient, any use,
>> dissemination, distribution, or duplication of any part of this e-mail
>> or any attachment is prohibited. If you are not the intended
>> recipient, please notify the sender by return e-mail and delete all
>> copies, including the attachments.
> There is (at least in most countries) no legal ground for so called
> "disclaimers".... and they're quite stupid and annoying when sending
> them to public mailing lists.

I am quite familiar with the arguments but again it is not my choice. If you want, I can give you the number of our corporate lawyers and you can try to convince them. Perhaps you will have better luck than me. :-)

> Cheers,
> Chris.

Dennis Putnam
Sr. IT Systems Administrator
AIM Systems, Inc.
From: Dennis Putnam on 11 Jan 2010 11:38

Upon further investigation, apparently mail is not moving. There seem to be 2 domains associated with this site but I was only asked to enforce TLS on one of them. That is why it appeared to be working. Getting back to Chris' comments, I think setting the security level to 'encrypt' forces everything to be TLS and that will not work. I need it to work as I previously described.

On Jan 11, 2010, at 11:27 AM, Dennis Putnam wrote:

> Hi Chris,
>
> Thanks for the reply. Please see embedded comments.
>
> On Jan 11, 2010, at 11:11 AM, Christoph Anton Mitterer wrote:
>
>> On Mon, 2010-01-11 at 11:04 -0500, Dennis Putnam wrote:
>>> I want to enforce TLS but I don't care what certificate the receiver
>>> uses. Thanks.
>> Apart from the fact that enforcing TLS with SMTP is usually a bad idea,
>> setting the
>> smtp_tls_security_level = encrypt
>> should usually do what you mean, enforce TLS with the remote SMTP
>> server, but accept untrusted certs or even those with a wrong name.
>
> I don't get to choose, I just have to do it. How these parameters work is still a little confusing to me. I have smtpd and smtp security levels set to 'may.' What I am trying to do is set up opportunistic TLS except for specific hosts that I need to enforce (smtp_tls_per_site). What I noticed is that this one site was using Thawte as the signing authority. I tried adding their root certificate to my config and now the error has changed to a warning about an untrusted TLS connection, but the mail seems to be moving now. Did I stumble onto a fix or am I still missing something?
>
>>> The information contained in this e-mail and any attachments is
>>> strictly confidential. If you are not the intended recipient, any use,
>>> dissemination, distribution, or duplication of any part of this e-mail
>>> or any attachment is prohibited. If you are not the intended
>>> recipient, please notify the sender by return e-mail and delete all
>>> copies, including the attachments.
>> There is (at least in most countries) no legal ground for so called
>> "disclaimers".... and they're quite stupid and annoying when sending
>> them to public mailing lists.
>
> I am quite familiar with the arguments but again it is not my choice. If you want, I can give you the number of our corporate lawyers and you can try to convince them. Perhaps you will have better luck than me. :-)
>
>> Cheers,
>> Chris.
>
> Dennis Putnam
> Sr. IT Systems Administrator
> AIM Systems, Inc.

Dennis Putnam
Sr. IT Systems Administrator
AIM Systems, Inc.
From: Noah Sheppard on 11 Jan 2010 11:53

> >> On Mon, 2010-01-11 at 11:04 -0500, Dennis Putnam wrote:
> >>> I want to enforce TLS but I don't care what certificate the receiver
> >>> uses. Thanks.
> >> Apart from the fact that enforcing TLS with SMTP is usually a bad idea,
> >> [..]

Why is TLS w/ SMTP a bad idea?

--
Noah Sheppard
Assistant Computer Resource Manager
Taylor University CSE Department
nsheppar(a)cse.taylor.edu
From: /dev/rob0 on 11 Jan 2010 12:02

On Mon, Jan 11, 2010 at 11:53:35AM -0500, Noah Sheppard wrote:
[attribution to Chris is missing]
> > >> On Mon, 2010-01-11 at 11:04 -0500, Dennis Putnam wrote:
> > >>> I want to enforce TLS but I don't care what certificate the
> > >>> receiver uses. Thanks.
> > >> Apart from the fact that enforcing TLS with SMTP is usually a
> > >> bad idea, [..]
>
> Why is TLS w/ SMTP a bad idea?

TLS with SMTP is a fine idea. *Enforcing* TLS with SMTP is usually a bad idea. Many sites might not support it, and if you require TLS, you cannot get their mail nor send to them.

--
Offlist mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header
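As an added example (not from the thread or from the Postfix documentation), here is a main.cf fragment plus an smtp_tls_policy_maps table that does what Dennis describes: opportunistic TLS by default, TLS enforced only for a few destinations, with a comment on which level produces "Server certificate not trusted". The domain names and the CA bundle path are placeholders.

```ini
# --- main.cf (Postfix 2.3 or later; the thread is on 2.5.5) ---

# Outbound default: opportunistic TLS. Use STARTTLS when the remote side
# offers it, fall back to cleartext otherwise, and never check certificates,
# so no delivery is held in the queue because of an untrusted cert.
smtp_tls_security_level = may

# Inbound: offer STARTTLS but do not require it (rob0's point above).
smtpd_tls_security_level = may

# Trusted roots. Consulted only for destinations at level "verify" or
# "secure"; the path is an assumption, point it at the local CA bundle.
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Per-destination overrides (the replacement for smtp_tls_per_site,
# which Postfix 2.3+ still reads but documents as obsolete).
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Log the level actually negotiated ("Trusted", "Untrusted", "Anonymous").
smtp_tls_loglevel = 1

# --- /etc/postfix/tls_policy (run "postmap /etc/postfix/tls_policy") ---
# Keys are the nexthop domain (the MX lookup domain, or the relayhost).
# Domain names below are placeholders.

# encrypt: TLS is mandatory, the server certificate is NOT verified.
# Delivery fails only if STARTTLS is missing or the handshake fails.
# This is "enforce TLS, don't care about the certificate".
# (Legacy smtp_tls_per_site equivalent: MUST_NOPEERMATCH.)
example.com      encrypt
example.org      encrypt

# secure: TLS is mandatory AND the certificate must chain to a root in
# smtp_tls_CAfile AND its name must match the nexthop domain or the
# match= list. An unknown issuer is rejected and logged as
# "Server certificate not trusted", the error in the first message.
# (Legacy smtp_tls_per_site equivalent: roughly MUST.)
example.net      secure match=mail.example.net:.example.net
```

Domains not listed in the table fall back to smtp_tls_security_level = may, so adding a second domain for the same partner (as in Dennis's 11:38 message) is just another table row.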