SMTP Untrusted TLS connection still sending emails

by

When sending mail from my client through a mail server that is then using AWS SES as a mail relay I’m seeing this in the postfix log as each message moves through:

smtp: Untrusted TLS connection established to email-smtp.us-west-1.amazonaws.com[13.57.144.53]:587: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
smtp: D34E420866249C: to=<recipient@domain.tld>, relay=email-smtp.us-west-1.amazonaws.com[13.57.144.53]:587, delay=0.81, delays=0/0.11/0.52/0.17, dsn=2.0.0, status=sent (250 Ok 0111017774953167-f6df400f-aa87-43ab-8ca6-6c5534c50e17-000000)

If the connection is “untrusted” but SES requires TLS (which is set up, though perhaps not correctly) for security why are messages still sent on.

Things are working… I’m just surprised that they are.

I followed AWS’s SES with Postfix docs. Main difference with my setup is I couldn’t use smtp_tls_security_level = encrypt, as suggested, because that was blocking inbound smtpd transactions. Setting it back to smtp_tls_security_level = may gets the mail through but logs say smtp is “untrusted” even though connection seems to succeed?!? Not sure if these are related but that’s all I got.

Anything I can fix/improve?

Answer

In TLS the term “untrusted” is not the same as “not encrypted“. As you can see from the subsequent cipher and key strength in your log the communication is encrypted.

In TLS the trust relates to how to verify that the certificates used actually belong to the entity that presents them.
You can still use a certificate when you don’t verify it or when verification fails (if you want to).

————————

The postfix TLS manual: http://www.postfix.org/TLS_README.html excerpt :

To verify a remote SMTP client certificate, the Postfix SMTP server needs to trust the certificates of the issuing Certification Authorities. These certificates in “PEM” format can be stored in a single $smtpd_tls_CAfile or in multiple files, one CA per file in the $smtpd_tls_CApathdirectory. If you use a directory, don’t forget to create the necessary “hash” links with:

# $OPENSSL_HOME/bin/c_rehash /path/to/directory

The $smtpd_tls_CAfile contains the CA certificates of one or more trusted CAs. The file is opened (with root privileges) before Postfix enters the optional chroot jail and so need not be accessible from inside the chroot jail.

Additional trusted CAs can be specified via the $smtpd_tls_CApath directory

Attribution
Source : Link , Question Author : Meltemi , Answer Author : Bob

Leave a Comment