also sprach Wietse Venema <wie...@porcupine.org> [2017-09-17 17:26 +0200]:
> > > 2) Use a new check_certname_access feature to reject out-of-domain
> > > names. Postfix should not make 'allow' decisions based on name
> > > information in a certificate with an untrusted CA.
>
> Any CA that is not in smtpd_tls_CA_file. I see no harm in allowing
> 'reject' decisions based on the name in a certificate from an unknown
> CA.
If a client connects to the submission port and presents a certificate that is not from a trusted CA, then check_certname_access obviously can't make an authoritative decision, and the client will most likely end up in some "reject" later on in the restriction list. I.e., I think in that case, check_certname_access should always return DUNNO.

If a client connects and presents a certificate from a CA listed in smtpd_tls_CA_file, then I don't see a reason why the new check_certname_access shouldn't be able to cast an "OK" and thereby permit accepting/relaying of the message.

I hope we're not talking past each other.

-- 
@martinkrafft | http://madduck.net/ | http://two.sentenc.es/

remember, half the people are below average.

spamtraps: madduck.bo...@madduck.net
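The two positions in this exchange differ only in what a name-based restriction should return for a certificate from a CA that is not in smtpd_tls_CA_file: DUNNO (the reply above) or, for a matching REJECT entry, REJECT (the quoted message). Both agree that such a certificate must never produce OK. The following toy model, added here for illustration and not Postfix source, simulates a restriction list containing a hypothetical check_certname_access followed by an explicit reject, so the outcome of each position can be compared. The access map, the ClientCert type and all sample names are constructed.

```python
"""Toy model of a Postfix-style smtpd restriction list that includes a
hypothetical check_certname_access restriction. Illustration code written for
this thread, not Postfix source; names and sample data are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Optional

OK, REJECT, DUNNO = "OK", "REJECT", "DUNNO"


@dataclass
class ClientCert:
    """What the server learns from the client certificate (constructed)."""
    subject_name: str      # name taken from the certificate (CN or SAN)
    ca_trusted: bool       # True iff the issuer chains to smtpd_tls_CA_file


# Constructed access map: certificate name -> action, standing in for the
# lookup table a check_certname_access restriction would consult.
CERTNAME_ACCESS = {
    "mx1.example.org": OK,
    "bad-relay.example.net": REJECT,
}


def check_certname_access(cert: Optional[ClientCert],
                          reject_from_untrusted_ca: bool = False) -> str:
    """Model of the proposed restriction (hypothetical, not a Postfix API).

    A name in a certificate from an untrusted CA never yields OK. With
    reject_from_untrusted_ca=False the restriction returns DUNNO for any
    untrusted CA (the position in the reply above); with True, a REJECT entry
    still applies to an untrusted certificate (the position quoted from Wietse).
    """
    if cert is None:
        return DUNNO
    action = CERTNAME_ACCESS.get(cert.subject_name, DUNNO)
    if cert.ca_trusted:
        return action
    if action == REJECT and reject_from_untrusted_ca:
        return REJECT
    return DUNNO


def reject_all(cert: Optional[ClientCert]) -> str:
    """Stands in for a trailing 'reject' at the end of the restriction list."""
    return REJECT


def evaluate(restrictions: List[Callable[[Optional[ClientCert]], str]],
             cert: Optional[ClientCert]) -> str:
    """Postfix-style evaluation: the first restriction whose result is not
    DUNNO decides; if every restriction returns DUNNO there is no decision."""
    for restriction in restrictions:
        result = restriction(cert)
        if result != DUNNO:
            return result
    return DUNNO


def decide(cert: Optional[ClientCert], reject_from_untrusted_ca: bool = False) -> str:
    """Run the model list: check_certname_access, then an explicit reject."""
    restrictions = [
        lambda c: check_certname_access(c, reject_from_untrusted_ca),
        reject_all,
    ]
    return evaluate(restrictions, cert)


if __name__ == "__main__":
    trusted = ClientCert("mx1.example.org", ca_trusted=True)
    spoofed = ClientCert("mx1.example.org", ca_trusted=False)  # same name, unknown CA
    print(decide(trusted))   # OK: trusted CA and the name is in the map
    print(decide(spoofed))   # REJECT: the name never grants OK without a trusted CA
```

Under either setting a client that merely presents a certificate carrying a whitelisted name, but issued by a CA outside smtpd_tls_CA_file, falls through to the trailing reject; the settings only differ in whether the rejection is attributed to the name entry or to the catch-all.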