Re: submission by cert verification only
Oct 7, 2013

On 2013-10-06 23:13, Viktor Dukhovni wrote:
> On Sun, Oct 06, 2013 at 08:52:06PM -0400, Dan Langille wrote:
>
> [ What Noel said, plus see below. ]
>
> 10.0.0.1:submission inet n - n - - smtpd
> -o smtpd_tls_req_ccert=yes
> -o smtpd_tls_auth_only=no
>
> This seems silly. Since authentication gets them nowhere, why
> allow plaintext password leaks? Just disable SASL period.

I am not using SASL at all.

> -o smtpd_tls_ask_ccert=yes
>
> This is implied by req_ccert.

Removed.

> -o smtp_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
>
> This is an SMTP client parameter that serves no purpose here.

Removed.

> -o smtpd_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
>
> This is a bad idea. Instead set this to an empty file. The list
> of all the CA DNs from this file is sent to the client, but your
> clients probably don't need CA hints. Otherwise make this a
> small list of one or two suitable CAs that issue the certificates
> which are admitted via the relay certs file. You should set your digest
> algorithm explicitly (sha1 or better if available as with OpenSSL
> 1.0.0 or later or the most recent Postfix patches that make sha256
> available with older OpenSSL releases).

FYI: this is the bundle from the CA which issued the certificate in
question. Prior attempts with a smaller list failed.

> # cat /usr/local/etc/postfix-config/main/relay_clientcerts
> 3A:2E:AB:6A:F1:D4:32:74:C9:C6:DD:2B:8D:2A:87:97 cliff.example.org
>
> This looks like md5, and while still largely resistant to 2nd
> preimage attacks, you should still avoid it.

It is indeed MD5. I've changed to sha1 and obtained the new fingerprint:

openssl x509 -noout -in cliff.example.org.crt -fingerprint

Thank you. Much appreciated.
Dan Langille - http://langille.org/
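The exchange above turns on two things a relay_clientcerts table can get wrong: an MD5 fingerprint (recognisable by its 16-byte length) and a table whose digest does not match the one smtpd is configured to compute (Postfix selects that with `smtpd_tls_fingerprint_digest`; the page itself only says to set the digest explicitly). The following linter is an added example, not code from the thread or from the Postfix project. It parses the table in the format shown in Dan's `cat` output, classifies each fingerprint by digest length, flags MD5 and malformed entries, and reports whether all entries agree on one digest so the matching `smtpd_tls_fingerprint_digest` value can be set. The sample table is constructed; its first entry is the one quoted in the thread, the second is an invented SHA-1 value, and the third is deliberately malformed.

```python
"""Lint a Postfix relay_clientcerts table for weak or inconsistent fingerprints.

Added example for the thread above; not part of Postfix. Fingerprints are the
colon-separated hex form that `openssl x509 -fingerprint` prints.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Digest output length in bytes -> algorithm name as Postfix/OpenSSL spell it.
_DIGEST_BY_BYTES = {16: "md5", 20: "sha1", 32: "sha256"}

# One fingerprint, whitespace, one right-hand-side value (the name the table maps to).
_LINE_RE = re.compile(r"^([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)\s+(\S+)\s*$")


@dataclass
class Entry:
    lineno: int
    fingerprint: str  # normalised to upper case
    name: str
    algorithm: str  # "md5", "sha1", "sha256" or "unknown"


def parse_relay_clientcerts(text: str) -> Tuple[List[Entry], List[Tuple[int, str]]]:
    """Return (entries, problems); problems are (line number, message) pairs."""
    entries: List[Entry] = []
    problems: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored, as Postfix does
        m = _LINE_RE.match(line)
        if not m:
            problems.append((lineno, "malformed line (expected '<fingerprint> <name>')"))
            continue
        fingerprint, name = m.group(1).upper(), m.group(2)
        nbytes = len(fingerprint.split(":"))
        algorithm = _DIGEST_BY_BYTES.get(nbytes, "unknown")
        entries.append(Entry(lineno, fingerprint, name, algorithm))
        if algorithm == "md5":
            problems.append((lineno, f"{name}: MD5 fingerprint; regenerate with sha1 or sha256"))
        elif algorithm == "unknown":
            problems.append((lineno, f"{name}: unrecognised digest length ({nbytes} bytes)"))
    return entries, problems


def consistent_digest(entries: List[Entry]) -> Optional[str]:
    """Return the single digest all entries use, or None if the table mixes digests.

    smtpd computes one digest per connection, so a mixed table silently fails
    to match some clients; the returned value is what to put in
    smtpd_tls_fingerprint_digest (an assumption about the parameter's use,
    not something the thread states).
    """
    algorithms = {e.algorithm for e in entries}
    if len(algorithms) == 1 and "unknown" not in algorithms:
        return algorithms.pop()
    return None


# Constructed sample table: line 2 is the MD5 entry quoted in the thread,
# line 3 is an invented SHA-1 value, line 4 is deliberately malformed.
SAMPLE_TABLE = """\
# relay_clientcerts (constructed sample)
3A:2E:AB:6A:F1:D4:32:74:C9:C6:DD:2B:8D:2A:87:97 cliff.example.org
DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF sha1-host.example.org
not a fingerprint
"""


def lint(text: str = SAMPLE_TABLE) -> dict:
    """Run the checks and summarise them; used by the usage run below."""
    entries, problems = parse_relay_clientcerts(text)
    return {
        "entries": len(entries),
        "problems": problems,
        "digest": consistent_digest(entries),
    }


if __name__ == "__main__":
    report = lint()
    for lineno, msg in report["problems"]:
        print(f"line {lineno}: {msg}")
    if report["digest"] is None:
        print("table mixes digests or has unusable entries; fix before relying on it")
    else:
        print(f"all entries use {report['digest']}; set smtpd_tls_fingerprint_digest = {report['digest']}")
```

Run it against the real table by reading the file into `lint()`; a clean table yields no problems and a single digest name, and that name is the value the smtpd instance must be told to compute, otherwise no client fingerprint will match regardless of which CA bundle is presented.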