I can't figure out how to get Trusted TLS connections between my primary mail server (mail.sfnet.it) and mail exchanger (mx.sfnet.it) They both use Postfix as MTA and they both have a PositiveSSL certificate installed and everything seems to work well, except for trusted handshake. I've set CA path, reconfigured package, but nothing to do. Any idea?

Postfix log says:

postfix/smtp[20689]: Untrusted TLS connection established to mail.sfnet.it[94.23.65.191]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
sanmai

3 Answers

It may be necessary to specify a path to trusted certificates with smtp_tls_CApath:

smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_CApath = /etc/ssl/certs
sanmai
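Two offline checks that follow from this answer and from the log line in the question, written as an added example rather than code from the question or any of the answers. The first looks at an smtp_tls_CApath directory and separates hash-named entries (the `<8 hex digits>.<n>` names that `c_rehash` / `openssl rehash` create, which is the only form Postfix reads from that directory) from stray files that Postfix would ignore. The second parses Postfix `smtp` log lines and reports, per peer, which sessions were Anonymous, Untrusted, Trusted or Verified, and which used an anonymous cipher suite. The log sample reuses the line from the question plus constructed lines in the same format; the hostname `mx.example.test`, the hash `0123abcd` and the temporary directory are placeholders, not values from the page.

```python
"""Added example (not from the question or answers): audit Postfix outbound TLS.

Two offline checks a mail admin can run:
  1. audit_capath(): does an smtp_tls_CApath directory actually contain
     hash-named CA files/links (what c_rehash / openssl rehash produces)?
     Postfix only finds CAs in that directory through those hashed names,
     so a plain bundle.pem dropped there is silently ignored.
  2. classify_tls_log(): read Postfix smtp log lines and report, per peer,
     whether each session was Anonymous / Untrusted / Trusted / Verified.
"""
import os
import re
import tempfile

# Constructed sample log. The first line is the one from the question; the
# others are made-up lines in the same format (mx.example.test is a placeholder).
SAMPLE_LOG = """\
Feb  5 10:21:03 mx postfix/smtp[20689]: Untrusted TLS connection established to mail.sfnet.it[94.23.65.191]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Feb  5 10:25:44 mx postfix/smtp[20701]: Trusted TLS connection established to mail.sfnet.it[94.23.65.191]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb  5 10:26:10 mx postfix/smtp[20702]: Anonymous TLS connection established to mx.example.test[192.0.2.10]:25: TLSv1.2 with cipher ADH-AES256-SHA (256/256 bits)
Feb  5 10:27:30 mx postfix/smtp[20703]: Verified TLS connection established to mx.example.test[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
"""

TLS_LINE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<status>Anonymous|Untrusted|Trusted|Verified) TLS "
    r"connection established to (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

# With smtp_tls_security_level = may, Postfix accepts all four states; only
# Trusted/Verified mean the peer's certificate chained to a CA the sender knows.
TRUSTED_STATUSES = {"Trusted", "Verified"}


def classify_tls_log(log_text):
    """Return {(host, ip, port): [(status, cipher), ...]} for every TLS session logged."""
    sessions = {}
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if not m:
            continue
        key = (m["host"], m["ip"], int(m["port"]))
        sessions.setdefault(key, []).append((m["status"], m["cipher"]))
    return sessions


def untrusted_peers(log_text):
    """Peers with at least one session whose certificate was not verified."""
    return sorted(
        key for key, sess in classify_tls_log(log_text).items()
        if any(status not in TRUSTED_STATUSES for status, _ in sess)
    )


def uses_anonymous_cipher(cipher):
    """OpenSSL names anonymous (certificate-less) DH suites ADH-* / AECDH-*."""
    return cipher.startswith(("ADH-", "AECDH-"))


# c_rehash / "openssl rehash" name each CA "<8 hex digits>.<n>" (".r<n>" for CRLs)
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.r?\d+$")


def audit_capath(capath):
    """Return (hashed_names, unhashed_files) found in an smtp_tls_CApath directory."""
    hashed, unhashed = [], []
    for name in sorted(os.listdir(capath)):
        (hashed if HASHED_NAME.match(name) else unhashed).append(name)
    return hashed, unhashed


def demo_capath():
    """Build a constructed CApath with one rehashed entry and one stray bundle."""
    d = tempfile.mkdtemp(prefix="capath-demo-")
    # A PEM file under its own name is NOT found by Postfix via smtp_tls_CApath.
    with open(os.path.join(d, "PositiveSSL_CA.pem"), "w") as f:
        f.write("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
    # "0123abcd" is a made-up placeholder, not a real OpenSSL subject hash.
    os.symlink("PositiveSSL_CA.pem", os.path.join(d, "0123abcd.0"))
    return audit_capath(d)


if __name__ == "__main__":
    for peer, sess in classify_tls_log(SAMPLE_LOG).items():
        for status, cipher in sess:
            flag = "" if status in TRUSTED_STATUSES else "  <-- not verified"
            if uses_anonymous_cipher(cipher):
                flag += " (anonymous suite: no server certificate in this handshake)"
            print("%s[%s]:%d %-9s %s%s" % (*peer, status, cipher, flag))
    hashed, unhashed = demo_capath()
    print("hashed CA entries:", hashed, "| unhashed (ignored by Postfix):", unhashed)
```

Running the script against the sample flags both peers, because each has at least one session that was not certificate-verified. Note that the cipher in the question's own log line, AECDH-AES256-SHA, is an anonymous suite: that handshake authenticated no server certificate at all, so no CA path setting on the sender would have made it Trusted. The CApath check is the one that catches a common mistake behind the first answer: copying the CA file into /etc/ssl/certs without rehashing the directory.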
Can you check if the certificate is correctly installed for mail.sfnet.it on the smtp port? SSL Labs (https://www.ssllabs.com/ssltest/analyze.html?d=mail.sfnet.it&hideResults=on) indicates that the server's certificate is untrusted (self-signed) on 443 and I suspect it may be the same on the smtp port as well.

Anand Bhat
  • I've set mail.sfnet.it as virtualhost with right certificate and now ssllabs.com test works as expected. You can check smtp ssl with openssl: `openssl s_client -connect mail.sfnet.it:587 -starttls smtp`. The shortened output is:

    SSL-Session:
        Protocol  : TLSv1
        Cipher    : DHE-RSA-AES256-SHA
        Session-ID: 1E41A176E0D9AB6A7C912AE5FD78A9173F761C8E7303776EC98937E7E813CB5C
        Session-ID-ctx:
        Key-Arg   : None
        Start Time: 1423132333
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)

    – Andrea Lunelio Feb 05 '15 at 10:36
The connection is untrusted because the sender MTA doesn't recognize the CA that signed the recipient MTA's certificate. To make the MTAs trust each other's certificates, you have to install the CA certificate on both the MTAs. The installation process depends on what distro you are using. Here is an example for CentOS.

You can get the CA certificate from the official positivessl site. Here is what I found.

gixxer