Untrusted TLS connection established

Question

I can't figure out how to get Trusted TLS connections between my primary mail server (mail.sfnet.it) and mail exchanger (mx.sfnet.it) They both use Postfix as MTA and they both have a PositiveSSL certificate installed and everything seems to work well, except for trusted handshake. I've set CA path, reconfigured package, but nothing to do. Any idea?

Postfix log says:

postfix/smtp[20689]: Untrusted TLS connection established to mail.sfnet.it[94.23.65.191]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)

Answer 1

It may be necessarily to specify a path to trusted certificates with smtp_tls_CApath:

smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_CApath = /etc/ssl/certs

Answer 2

The connection is untrusted because the sender MTA doesn't recognize the CA that signed the recipient MTA's certificate. To make the MTAs trust each other's certificates, you have to install the CA certificate on both the MTAs. The installation process depends on what distro you are using. Here is an example for centOS.

You can get the CA certificate from the official positivessl site. Here is what I found.

Answer 3

Can you check if the certificate is correctly installed for mail.sfnet.it on the smtp port? SSL Labs (https://www.ssllabs.com/ssltest/analyze.html?d=mail.sfnet.it&hideResults=on) indicates that the server's certificate is untrusted (self-signed) on 443 and I suspect it may be the same on the smtp port as well.