Hi,

To some destinations, I want to enforce my Postfix using a certain TLS certificate without peer name verification. So, "encrypt" is probably not good enough, since it appears to take any certificate presented by the server (or a man in the middle, MITM)? "verify" and "secure" tighten the DNS part, but it appears to me that this creates administration overhead with not that much security gained. My destination is run by an ISP that hosts many domains and doesn't have a certificate for each one. So, when setting "secure", I am getting:

<<Nov 21 03:25:17 sig1 postfix/smtp[15890]: certificate peer name verification failed for nexthop=domain.com, host=host.ispdomain.tld: CommonName mis-match: *.ispdomain.tld
Nov 21 03:25:17 sig1 postfix/smtp[15890]: Server certificate could not be verified for host.ispdomain.tld: hostname mismatch>>

Perhaps with smtp_tls_secure_cert_match I could fix the above, but I would like to give them more flexibility. I want them to be able to move the recipient domain from one of their hosts to another one, and since they have multiple domain names, I don't even care if they change the domain and TLD too. So, as long as my Postfix can encrypt the traffic to "domain.com" with a certificate that can only be decrypted with one given private key at the receiving end, I am fine and don't want to be bothered by common name/DNS acrobatics the ISP admins may do in the meantime.

Is that possible with the current settings?

Ralf

P.S.: Thinking that "domain-private decryption key" approach further, I am even willing to accept them changing the certificate as long as the public key inside these certificates remains the same. For the non-self-signed case, doing that with a repudiated CA would still allow checking CRLs/OCSP.
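The pinning described in the post and its P.S. maps onto the Postfix "fingerprint" security level, which (in Postfix 2.9 and later) can match the digest of the peer's public key rather than of the whole certificate, so a re-issued certificate carrying the same key still matches. The script below is an added example, not part of the post or of Postfix itself: it derives the public-key fingerprint in the form Postfix compares against and emits the smtp_tls_policy_maps line; the certificate file path and destination domain are placeholders supplied by the caller, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example: build a Postfix tls_policy entry that pins a destination's
# public key instead of its certificate or host name.
# Assumes: openssl on PATH; caller supplies the peer certificate (PEM) and domain.
set -eu

# SHA-256 digest of the certificate's SubjectPublicKeyInfo in DER form, printed
# as colon-separated uppercase hex. This is the value Postfix compares with the
# policy table when smtp_tls_fingerprint_digest = sha256 (pkey matching).
pkey_fingerprint() {
    cert="$1"
    openssl x509 -in "$cert" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -c \
        | sed 's/^.*= *//' \
        | tr 'a-f' 'A-F'
}

# True when two certificates carry the same public key: a renewed or
# re-issued certificate still matches the pinned entry (the P.S. case).
same_pkey() {
    [ "$(pkey_fingerprint "$1")" = "$(pkey_fingerprint "$2")" ]
}

# One line for the smtp_tls_policy_maps table, e.g.
#   domain.com fingerprint match=AB:CD:...
policy_line() {
    domain="$1"; cert="$2"
    printf '%s fingerprint match=%s\n' "$domain" "$(pkey_fingerprint "$cert")"
}

# Matching main.cf settings (shown here, not applied by this script):
#   smtp_tls_fingerprint_digest = sha256
#   smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# After adding the line to /etc/postfix/tls_policy, run:
#   postmap /etc/postfix/tls_policy
```

Note that the fingerprint level replaces CA validation rather than adding to it: Postfix accepts the peer solely on the pinned digest, so the CRL/OCSP checking the P.S. hopes for does not come for free with this level.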
© 2004-2010 readlist.com