On Wed, 2008-03-12 at 14:29 -0400, Victor Duchovni wrote:
> On Wed, Mar 12, 2008 at 06:32:41PM +0100, Patrick wrote:
>
> > If it takes only some effort to set up 2 layers of security then why not?
>
> Only useful if the layers are independent. If they fail together, there is
> not much value.

I see your point that if both layers depend on the same mechanism then a
second layer will not help. Thanks for pointing that out.

> If your client host is 0wned, the attacker gets both your client cert and
> your password. The client cert key is stronger, so go with that and skip
> SASL.

Ok.

> If somehow the attacker gets the physical machine, but not your password,
> you can remove the compromised fingerprint from the access table, you
> are probably more worried about the stolen data than relay rights...

Stolen data is indeed the biggest threat but getting blacklisted because of
relaying is not something I look forward to either. I like your idea of
just removing the fingerprint and being done with it.

> > In the meantime I have tried to get this working with Evolution and the
> > config below but I only get the error below. Maybe Evolution does not
> > support certificate authentication.
> >
> > Mar 12 18:19:37 server postfix/smtpd[13294]: warning: TLS library
> > problem: 13294:error:140890C7:SSL
> > routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a
> > certificate:s3_srvr.c:2458:
> >
>
> I am afraid that is not a Postfix question.

Indeed it isn't. Was just some info for the archives in case someone else
bumps into this issue.

Thanks for your feedback. Most appreciated.

Regards,
Patrick
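
The fingerprint-only relay setup and the revocation step discussed in this message, sketched as Postfix configuration. This is an added example, not configuration posted in the thread; it assumes relay rights are granted through relay_clientcerts with permit_tls_clientcerts, and the file path, host names and fingerprints are constructed placeholders.

```conf
# /etc/postfix/main.cf (excerpt; paths and values are assumptions for this example)
smtpd_tls_security_level = may
# Ask the client for a certificate during the TLS handshake without requiring one,
# so clients that present none can still deliver mail but get no relay rights.
smtpd_tls_ask_ccert = yes
# Table of client certificate fingerprints that are allowed to relay.
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
# The certificate fingerprint is the only relay credential; no SASL layer on top.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_tls_clientcerts,
    reject_unauth_destination

# /etc/postfix/relay_clientcerts (fingerprints below are constructed placeholders)
# The left-hand side is the certificate fingerprint; the right-hand side is a label.
AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA  desktop.example.com
# Laptop stolen: delete its entry (shown commented out here) and rebuild the
# table with: postmap /etc/postfix/relay_clientcerts
# BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB  laptop.example.com
```

One entry per client certificate keeps revocation scoped to the lost machine: the other clients keep relaying and no password has to be rotated.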