From: Matthew Seaman
Date: Fri, 18 Nov 2011 09:34:41 +0000
To: freebsd-questions@freebsd.org
Subject: Re: sendmail+saslauthd && verify=FAIL
Message-ID: <4EC626B1.70506@infracaninophile.co.uk>
In-Reply-To: <4EC62CD8.7090305@gmail.com>

On 18/11/2011 10:00, Edward Martinez wrote:
> On 11/18/11 00:12, Matthias Apitz wrote:
>> STARTTLS=client, relay=smtp.1blu.de., version=TLSv1/SSLv3, verify=FAIL
>>
>> see below; what does the FAIL mean exactly?
>>
> I have been reading on the subject and it appears you do not trust
> the certificate issuer for smtp.lblu.de.

Which is pretty much normal for SSL certs used for mail transfer. Most
mail servers use a self-signed certificate, because the important point
is not to verify the identity of the other party but to protect the
messages in transit against snooping. All that requires is a secure
means of agreeing a symmetric session key between both parties, and the
TLS handshake is the best available way of doing that.

Verifying SSL keys between MTAs is mostly useful only within one
organisation where the keys can be issued from one central authority, or
between a group of tightly integrated organisations.

With the advent of DNSSEC and things like the DANE project
(https://tools.ietf.org/html/draft-ietf-dane-protocol-12) that might
change, but DNSSEC adoption is too patchy yet for it to be effective.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
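Added example, not part of the original message: a small Python classifier for sendmail STARTTLS= log lines that separates "encrypted but peer not authenticated" (the verify=FAIL case discussed above) from authenticated and non-TLS sessions. The verify values are those of sendmail's ${verify} macro; the log lines are constructed samples, with only the fields of the first line taken from the thread.

```python
import re
from collections import Counter

# sendmail ${verify} values -> (TLS session established, peer cert verified)
VERIFY = {
    "OK":       (True,  True),   # cert presented and chained to a trusted CA
    "FAIL":     (True,  False),  # cert presented but not verifiable (e.g. self-signed)
    "NO":       (True,  False),  # no cert presented
    "NOT":      (True,  False),  # no cert requested
    "NONE":     (False, False),  # STARTTLS was not performed
    "TEMP":     (False, False),  # temporary error
    "PROTOCOL": (False, False),  # protocol error
    "SOFTWARE": (False, False),  # handshake failed
}

STARTTLS_RE = re.compile(
    r"STARTTLS=(?P<role>client|server), relay=(?P<relay>.+?), "
    r"version=(?P<version>[^,\s]+), verify=(?P<verify>[A-Z]+)")

def classify(line):
    """Return (relay, verify, state) for a STARTTLS= log line, else None."""
    m = STARTTLS_RE.search(line)
    if not m:
        return None
    if m["verify"] not in VERIFY:
        state = "unknown"
    else:
        encrypted, authenticated = VERIFY[m["verify"]]
        state = ("authenticated" if authenticated
                 else "encrypted-only" if encrypted else "no-tls")
    return m["relay"].rstrip("."), m["verify"], state

def summarize(lines):
    """Count sessions per state, skipping lines that are not STARTTLS records."""
    return Counter(r[2] for r in map(classify, lines) if r)

# Constructed sample log (hosts other than smtp.1blu.de are placeholders).
SAMPLE = [
    "Nov 18 09:00:01 mx sm-mta[1001]: STARTTLS=client, relay=smtp.1blu.de., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256",
    "Nov 18 09:00:07 mx sm-mta[1002]: STARTTLS=client, relay=mail.example.org., version=TLSv1/SSLv3, verify=OK, cipher=DHE-RSA-AES256-SHA, bits=256/256",
    "Nov 18 09:01:12 mx sm-mta[1003]: STARTTLS=server, relay=mx.example.net [192.0.2.25], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256",
    "Nov 18 09:01:13 mx sm-mta[1003]: pAI91CqA001003: to=<user@example.org>, delay=00:00:01, mailer=local, stat=Sent",
    "Nov 18 09:02:30 mx sm-mta[1004]: STARTTLS=client, relay=mx2.example.com., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256",
]

if __name__ == "__main__":
    for rec in filter(None, map(classify, SAMPLE)):
        print("%-28s verify=%-5s %s" % rec)
    print(dict(summarize(SAMPLE)))
```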