Well, being a bored ape one day, I decided to test user (client) certificates in Postfix, not simply the three extra lines it takes to enable TLS support in Postfix. Client certificates require more steps and some hairy eyeballs on the Postfix TLS support document. Counting the "TLS connection established" lines in the mail log afterwards gave:
8 Anonymous: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
1 Untrusted: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
That one is a self-certified TLS session logged as ‘Untrusted’. With CA-signed TLS (e.g. bought certificates) it seems impossible to issue client certificates the way you can with self-signed SSL, so it seems unlikely that I will ever get ‘Trusted’. ‘Anonymous’ is what Postfix logs when the client offers no certificate at all, which is what you get by default from almost every sender; ‘Untrusted’ means a certificate was offered but does not chain to anything in smtpd_tls_CAfile/smtpd_tls_CApath, and ‘Trusted’ means it does. DANE is an outbound (smtp client) check and does not change what smtpd logs about an inbound sender.
Bloody mafia (my blog).
Self-certified user certs are nice, if a little extra mile, and something that does need a mammal at a keyboard. So that sort of explains why they are not popular, although our friends at the NSA (my blog) probably helped.
No wonder user certificates (as opposed to server certificates) are missing from most Postfix setups; even Google gets ‘Untrusted’ status:
Received: from mail-*.google.com (unknown [ip])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
(Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (not verified))
by mail2.zoo (Postfix) with ESMTPS id x
So DANE will only get you so far. The mafia won't help either.
DSNs are handled oddly too. Example:
postfix/smtp[x]: xyz: to=<553@zoo>, relay=zoo[ip.addr]:25, delay=x, delays=1018/0.01/0.09/0, dsn=4.7.5, status=deferred (Server certificate not verified)
which Postfix classes (following the RFC 3463 enhanced status codes) as
4.7.5: Transient failure: Security/policy status: Cryptographic failure
Postfix defers with that code when the outbound smtp_tls_security_level demands a verified certificate (verify, secure, or dane with usable TLSA records) and the server's certificate cannot be matched, so the message sits in the queue and is retried rather than bounced.
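As an added example (not code from the blog), here is a small log classifier that produces the kind of per-trust-level summary shown above and pulls out the deliveries Postfix deferred with dsn=4.7.5. The log lines it runs on are constructed to match Postfix's smtpd/smtp output format; hostnames, addresses and queue IDs are made up. Note that ‘Trusted’ lines only appear when smtpd_tls_ask_ccert = yes is set and the client certificate chains to a CA listed in smtpd_tls_CAfile or smtpd_tls_CApath.

```python
"""Summarise Postfix TLS trust levels and 4.7.5 deferrals from a mail log.

Added example, not the blog's own tooling. SAMPLE_LOG below is constructed
to mirror Postfix's log format; all names, IPs and queue IDs are made up.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Jan 10 09:00:01 mail2 postfix/smtpd[2201]: Anonymous TLS connection established from mail-a.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Jan 10 09:00:05 mail2 postfix/smtpd[2203]: Untrusted TLS connection established from mail-b.example.net[192.0.2.11]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Jan 10 09:00:09 mail2 postfix/smtpd[2204]: Trusted TLS connection established from laptop.zoo[198.51.100.7]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jan 10 09:00:12 mail2 postfix/smtpd[2205]: Anonymous TLS connection established from mail-c.example.net[192.0.2.12]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Jan 10 09:01:00 mail2 postfix/smtp[2300]: 5F3A1C2B: to=<553@zoo>, relay=zoo[198.51.100.2]:25, delay=1018, delays=1018/0.01/0.09/0, dsn=4.7.5, status=deferred (Server certificate not verified)
Jan 10 09:01:30 mail2 postfix/smtp[2301]: 6A1B2C3D: to=<bob@example.org>, relay=mx.example.org[203.0.113.5]:25, delay=0.8, delays=0.1/0.01/0.4/0.3, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# Inbound (smtpd) lines say "from <peer>", outbound (smtp) lines say "to <peer>".
# Trust levels: Anonymous = no peer certificate; Untrusted = certificate offered
# but not chained to a configured CA; Trusted = chains to a configured CA;
# Verified = outbound only, name also matched (smtp_tls_security_level=verify/secure/dane).
TLS_RE = re.compile(
    r"postfix/smtpd?\[\d+\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?:from|to) (?P<peer>\S+?): "
    r"(?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+) \((?P<bits>\d+/\d+) bits\)"
)

# Outbound delivery attempt with its enhanced status code (RFC 3463 X.Y.Z).
DELIVERY_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]+)>, relay=(?P<relay>\S+), "
    r".*?dsn=(?P<dsn>\d\.\d+\.\d+), status=(?P<status>\w+) \((?P<reason>.*)\)"
)


def tls_summary(log_text):
    """Count connections per (trust level, protocol/cipher), as in
    '8 Anonymous: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)'."""
    counts = Counter()
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            suite = f'{m["proto"]} with cipher {m["cipher"]} ({m["bits"]} bits)'
            counts[(m["trust"], suite)] += 1
    return counts


def cert_deferrals(log_text):
    """Return deliveries deferred with 4.7.5 (cryptographic failure), i.e. the
    remote certificate could not be verified under the outbound TLS policy."""
    hits = []
    for line in log_text.splitlines():
        m = DELIVERY_RE.search(line)
        if m and m["status"] == "deferred" and m["dsn"] == "4.7.5":
            hits.append({"qid": m["qid"], "rcpt": m["rcpt"],
                         "relay": m["relay"], "reason": m["reason"]})
    return hits


def format_summary(counts):
    """Render counts most-frequent first, in the blog's 'N Level: suite' layout."""
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return "\n".join(f"{n} {trust}: {suite}" for (trust, suite), n in ordered)


if __name__ == "__main__":
    print(format_summary(tls_summary(SAMPLE_LOG)))
    for d in cert_deferrals(SAMPLE_LOG):
        print(f'{d["qid"]} to {d["rcpt"]} via {d["relay"]}: deferred 4.7.5 ({d["reason"]})')
```

Run it against a real /var/log/mail.log by passing the file contents to tls_summary() and cert_deferrals(); anything ‘Untrusted’ is a sender that bothered to present a client certificate, and any 4.7.5 deferral is your own outbound verify/dane policy refusing a peer, which is worth reviewing before the message expires in the queue.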