Loading ...
Sorry, an error occurred while loading the content.

295775Re: submission by cert verification only

Expand Messages
  • Viktor Dukhovni
    Oct 6, 2013
      On Sun, Oct 06, 2013 at 08:52:06PM -0400, Dan Langille wrote:

      [ What Noel said, plus see below. ]

      > 10.0.0.1:submission inet n - n - - smtpd
      > -o smtpd_tls_req_ccert=yes

      Fine.

      > -o smtpd_tls_auth_only=no

      This seems silly. Since authentication gets them nowhere, why
      allow plaintext password leaks? Just disable SASL period.

      > -o smtpd_tls_ask_ccert=yes

      This is implied by req_ccert.

      > -o smtp_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt

      This is an SMTP client parameter that serves no purpose here.

      > -o smtpd_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt

      This is a bad idea. Instead set this to an empty file. The list
      of all the CA DNs from this file is sent to the client, but your
      clients probably don't need CA hints. Otherwise make this is a
      small list of one or two suitable CAs that issue the certificates
      which are admitted via the relay certs file. You should your digest
      algorithm explicitly (sha1 or better if available as with OpenSSL
      1.0.0 or later or the most recent Postfix patches that make sha256
      available with older OpenSSL releases).

      > # cat /usr/local/etc/postfix-config/main/relay_clientcerts
      > 3A:2E:AB:6A:F1:D4:32:74:C9:C6:DD:2B:8D:2A:87:97 cliff.example.org

      This looks like md5, and while still largely resistant to 2nd
      preimage attacks, you should still avoid it.

      --
      Viktor.
    • Show all 9 messages in this topic