Making a trusted TLS connection from Postfix client

postfix tls

I'd like to relay outgoing email from my MTA through a 3rd party server (outbound.mailhop.org) for final delivery. I'm wondering how to make the secure connection between the machines 'trusted'. This is the relevant part of my current Postfix configuration:

smtp_use_tls                    = yes
smtp_tls_CAfile                 = /etc/ssl/certs/ca-certificates.crt
smtp_tls_security_level         = may
smtp_tls_loglevel               = 1
smtp_sasl_auth_enable           = yes
smtp_sasl_security_options      = noanonymous
smtp_sasl_password_maps         = hash:/etc/postfix/relay
relayhost                       = [outbound.mailhop.org]      

When I send a test message I get, from the mail logs,

Untrusted TLS connection established to outbound.mailhop.org[54.186.218.12]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)

How can I make that connection 'trusted'?

Best Answer

Okay, so from the comments I deduce that you want a "trusted" connection, even though you don't know what "trusted" means in the first place. Well, to keep it simple, it means that you claim you know who you are talking to.

You can look at their certificate and its chain. You don't need to ask them, since their certificate is public information. Best practice would recommend that you ask them if the certificate you get when connecting is really their certificate by having them verify the fingerprint over the phone or the like. For further details please read up on the subject.

If the root CA their certificate is signed with comes from a public CA, then putting that root CA into the file would mean you trust everyone with a certificate signed by that root CA. If that is not what you want and you really only want to trust them and nobody else, then you could use the smtp_tls_trust_anchor_file option.

If you only ever talk to that relay, you can/should use smtp_tls_security_level=encrypt since it won't fall back to a plaintext connection, and either the connection will be encrypted or the connection will fail.

As stated in the comments you should also refrain from using smtp_use_tls if using Postfix 2.3 and above, as that command is deprecated. Simply use smtp_tls_security_level as outlined above.

Finally, http://www.postfix.org/postconf.5.html is your friend.
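
Added example, not part of the original answer: a Python check that can be run over the mail log after changing the configuration, to confirm that sessions to the relay are logged as Trusted or Verified rather than Untrusted or Anonymous. The function names, the log-line prefixes and the second and third sample lines are constructed for illustration; AECDH- and ADH- are OpenSSL's names for anonymous cipher suites, where the server presents no certificate to check.

```python
import re
from collections import Counter

# Status words the Postfix SMTP client logs with smtp_tls_loglevel = 1.
AUTHENTICATED = {"Trusted", "Verified"}

TLS_LINE = re.compile(
    r"(?P<status>Anonymous|Untrusted|Trusted|Verified) TLS connection "
    r"established to (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

# OpenSSL cipher names with anonymous (certificate-less) key exchange.
ANON_PREFIXES = ("ADH-", "AECDH-")

def parse_tls_line(line):
    """Return a dict for a client-side TLS log line, or None for other lines."""
    m = TLS_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["anonymous_cipher"] = rec["cipher"].startswith(ANON_PREFIXES)
    rec["authenticated"] = (rec["status"] in AUTHENTICATED
                            and not rec["anonymous_cipher"])
    return rec

def unauthenticated_relays(lines, relay):
    """Count TLS sessions to `relay` in which the peer was not authenticated."""
    counts = Counter()
    for line in lines:
        rec = parse_tls_line(line)
        if rec and rec["host"] == relay and not rec["authenticated"]:
            counts[(rec["status"], rec["cipher"])] += 1
    return counts

# Constructed sample: the first entry reuses the log line from the question;
# the other two (and all "postfix/smtp[...]" prefixes) are made up.
SAMPLE_LOG = [
    "postfix/smtp[1234]: Untrusted TLS connection established to outbound.mailhop.org[54.186.218.12]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)",
    "postfix/smtp[1240]: Trusted TLS connection established to outbound.mailhop.org[54.186.218.12]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "postfix/smtp[1241]: connect to outbound.mailhop.org[54.186.218.12]:25: Connection timed out",
]

if __name__ == "__main__":
    hits = unauthenticated_relays(SAMPLE_LOG, "outbound.mailhop.org")
    for (status, cipher), n in hits.items():
        print(f"{n} session(s): {status}, cipher {cipher}")
```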