
Re: bendel.debian.org untrusted certificate




On 12/3/23 12:29, Jeremy Ardley wrote:

On 12/3/23 08:48, jeremy ardley wrote:


Received: from edge.bronzemail.com (2403-5800-c000-1b7-f3d4-d970-ca28-bf4f.ip6.aussiebb.net [IPv6:2403:5800:c000:1b7:f3d4:d970:ca28:bf4f])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
     key-exchange X25519 server-signature RSA-PSS (2048 bits)
     client-signature RSA-PSS (2048 bits))
    (Client CN "edge.bronzemail.com", Issuer "R3" (not verified))
    by mail.bronzemail.com (Postfix) with ESMTPS id 48D60860222
    for <jeremy@ardley.org>; Sun, 12 Mar 2023 08:41:44 +0800 (AWST)


Jeremy

I have found that correcting my main.cf to use the correct directory and CA bundle improves things:

smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

Received: from edge.bronzemail.com (2403-5800-c000-1b7-f3d4-d970-ca28-bf4f.ip6.aussiebb.net [IPv6:2403:5800:c000:1b7:f3d4:d970:ca28:bf4f])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
     key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
     client-signature RSA-PSS (2048 bits) client-digest SHA256)
    (Client CN "edge.bronzemail.com", Issuer "R3" (verified OK))
    by mail.bronzemail.com (Postfix) with ESMTPS id A883C860225
    for <jeremy@ardley.org>; Sun, 12 Mar 2023 12:25:12 +0800 (AWST)
Received: from mail-pg1-f175.google.com (mail-pg1-f175.google.com [209.85.215.175])
    (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
     key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
     client-signature RSA-PSS (2048 bits) client-digest SHA256)
    (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK))
    by edge.bronzemail.com (Postfix) with ESMTPS id 70CF54037F
    for <jeremy@ardley.org>; Sun, 12 Mar 2023 12:25:11 +0800 (AWST)

Slightly off topic, I found these files. They seem not to be used, as they aren't links to /usr/share/ca-certificates/mozilla/*:

/etc/ssl/certs/dhparam.pem
/etc/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.pem
/etc/ssl/certs/ca-certificates.crt
/etc/ssl/certs/635ccfd5.0
/etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/ssl/certs/add67345.0
/etc/ssl/certs/0c31d5ce
/etc/ssl/certs/f081611a.1
/etc/ssl/certs/7651b327.1
/etc/ssl/certs/c19d42c7.0
/etc/ssl/certs/bcdd5959.0
/etc/ssl/certs/1c7314a2
/etc/ssl/certs/Verisign_Class_1_Public_Primary_Certification_Authority_-_G2.pem
/etc/ssl/certs/NetLock_Notary_=Class_A=_Root.pem
/etc/ssl/certs/d64f06f3.0
/etc/ssl/certs/NetLock_Business_=Class_B=_Root.pem
/etc/ssl/certs/97552d04.0
/etc/ssl/certs/Sonera_Class_1_Root_CA.pem
/etc/ssl/certs/cdaebb72.0
/etc/ssl/certs/6554cdcf.0
/etc/ssl/certs/Staat_der_Nederlanden_Root_CA.pem
/etc/ssl/certs/72fa7371.0
/etc/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority_2.pem
/etc/ssl/certs/NetLock_Qualified_=Class_QA=_Root.pem
/etc/ssl/certs/UbuntuOne-Go_Daddy_CA.pem
/etc/ssl/certs/NetLock_Express_=Class_C=_Root.pem
/etc/ssl/certs/415660c1.1
/etc/ssl/certs/755f7420.0
/etc/ssl/certs/UbuntuOne-Go_Daddy_Class_2_CA.pem
/etc/ssl/certs/8317b10c.0
/etc/ssl/certs/UbuntuOne-ValiCert_Class_2_VA.pem
/etc/ssl/certs/5a5372fc.0
/etc/ssl/certs/CA_Disig.pem

Is it safe to remove them?

--
Jeremy
(Lists)
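
An added example, not part of the original message: a shell function (using GNU `readlink -f`) that sorts the entries of a certificate directory that do not resolve into the CA source directory into regular files, dangling symlinks and symlinks pointing elsewhere. The sample tree and the names `Example_Root`, `Removed_Root`, `Local_CA`, `aaaa0001.0` and `deadbeef.0` are constructed, and the two directory arguments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original message.
# classify_certs CERT_DIR CA_SRC_DIR
# Prints "<class> <name>" for each entry that does not resolve under CA_SRC_DIR:
#   regular   plain file (generated bundle, DH parameters, hand-placed cert)
#   dangling  symlink chain whose final target no longer exists
#   foreign   symlink that resolves to a file outside CA_SRC_DIR
classify_certs() {
    cert_dir=$1
    ca_src=$(readlink -f "$2") || return 1
    for entry in "$cert_dir"/*; do
        name=${entry##*/}
        if [ ! -L "$entry" ]; then
            if [ -f "$entry" ]; then echo "regular $name"; fi
            continue
        fi
        # readlink -f follows the whole chain: hash link -> .pem link -> .crt
        target=$(readlink -f "$entry" 2>/dev/null) || target=
        if [ -z "$target" ] || [ ! -e "$target" ]; then
            echo "dangling $name"
            continue
        fi
        case $target in
            "$ca_src"/*) ;;                  # managed by ca-certificates
            *) echo "foreign $name" ;;
        esac
    done
}

# Constructed sample tree standing in for /etc/ssl/certs and
# /usr/share/ca-certificates/mozilla. Example_Root, Removed_Root, Local_CA and
# the hash-style names are made up; the two regular files are named on the page.
build_sample() {
    root=$(mktemp -d) || return 1
    mkdir "$root/mozilla" "$root/local" "$root/certs"
    : > "$root/mozilla/Example_Root.crt"
    : > "$root/local/Local_CA.crt"
    ln -s "$root/mozilla/Example_Root.crt" "$root/certs/Example_Root.pem"
    ln -s Example_Root.pem "$root/certs/aaaa0001.0"      # managed hash link
    ln -s "$root/mozilla/Removed_Root.crt" "$root/certs/Removed_Root.pem"
    ln -s Removed_Root.pem "$root/certs/deadbeef.0"      # chain ends nowhere
    ln -s "$root/local/Local_CA.crt" "$root/certs/Local_CA.pem"
    : > "$root/certs/ca-certificates.crt"                # file main.cf points at
    : > "$root/certs/dhparam.pem"
    echo "$root"
}

sample=$(build_sample) && { classify_certs "$sample/certs" "$sample/mozilla"; rm -rf "$sample"; }
```

Entries reported as `regular` need a per-file decision rather than blanket removal: `ca-certificates.crt` is the bundle that the `smtpd_tls_CAfile` and `smtp_tls_CAfile` lines above point at.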

