Osama Al-Hassani:
> Yes. And we are using DNS SANs, but in some scenarios we need to verify
> against the IP address.
>
>
> We can do this, if the IP address is present in the CN but not SANs. Is
> there a reason for the difference in behaviour?
>
> Thanks,
> Osama
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Viktor Dukhovni
> Sent: 15 June 2017 01:33
> To: [email protected]
> Subject: Re: Outbound TLS Certificate Verification
>
> On Wed, Jun 14, 2017 at 09:12:20PM +0000, Osama Al-Hassani wrote:
>
> > When verifying server certificates on outbound connections, it seems
> > we are unable to verify the IP addresses that are part of the SANs field.
> > We are able to verify IPs in CNs.
>
> Email is sent to addresses of the form <local-part@domain-part>, where the
> "domain-part" is DNS domain, not an IP address. The SMTP server is either an
> MX host, or the domain itself, in the absence
> of MX records. Bare IP addresses are not valid in MX records.
> Most mail systems will not accept email to addresses of the form
> <local-part@[NNN.NNN.NNN.NNN]> (ip-address domain-literals).
>
> > What is the reasoning behind this behaviour?
>
> No useful security results from verifying IP addresses in certificates for
> TLS connections to DNS hosts. Certificates with IP addresses are for IPsec,
> not for TLS with SMTP.
>
> Postfix supports DNS subject alternative names:
>
> https://www.postfix.org/TLS_README.html#client_tls_secure
> https://www.postfix.org/TLS_README.html#client_tls_dane
Which Postfix SMTP client implementation matches server certificates
against server IP addresses?
Wietse
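To make the distinction in this thread concrete, here is an added illustration (example code written for this page, not Postfix source and not a description of Postfix internals) of a DNS-name matching policy over certificates in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns. The policy is the example's own: only dNSName SANs are consulted when any are present, the CN is a fallback for legacy certificates with no dNSName SAN, and an IP literal is never treated as a DNS name. The `naive_cn_compare` switch shows how a plain string compare of the CN makes an IP address in the CN appear to "verify" while an iPAddress SAN is simply never looked at. The certificate dicts are constructed samples, not real certificates.

```python
"""DNS-name certificate matching: why a dNSName-only policy ignores
iPAddress SANs while a plain CN string compare happens to accept an IP
address in the CN.  Added example; not Postfix code."""

import ipaddress

# Constructed sample certificates in the dict form returned by
# ssl.SSLSocket.getpeercert(); they are not real certificates.
CERT_DNS_SAN = {
    "subject": ((("commonName", "mx1.example.net"),),),
    "subjectAltName": (("DNS", "mx1.example.net"), ("DNS", "*.example.net")),
}
CERT_IP_SAN = {
    # IP address in both the CN and an iPAddress SAN (the case in the thread)
    "subject": ((("commonName", "192.0.2.25"),),),
    "subjectAltName": (("IP Address", "192.0.2.25"),),
}
CERT_CN_ONLY = {
    # legacy certificate: CN only, no subjectAltName extension
    "subject": ((("commonName", "smtp.example.org"),),),
}


def is_ip_literal(name):
    """True if name is an IPv4/IPv6 literal (optionally in [] brackets)."""
    try:
        ipaddress.ip_address(name.strip("[]"))
        return True
    except ValueError:
        return False


def dns_name_matches(pattern, hostname):
    """RFC 6125-style DNS name match: case-insensitive, trailing dot
    ignored, wildcard allowed only as the entire leftmost label and only
    when at least two labels follow it."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] == "*" and len(p_labels) >= 3 and len(p_labels) == len(h_labels):
        return p_labels[1:] == h_labels[1:]
    return False


def san_dns_names(cert):
    """dNSName entries of the SAN extension; iPAddress entries are skipped."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_names(cert):
    """All commonName attributes of the subject DN."""
    return [value for rdn in cert.get("subject", ())
            for attr, value in rdn if attr == "commonName"]


def match_hostname(cert, hostname, naive_cn_compare=False):
    """Return True if hostname is a DNS name the certificate vouches for.

    Policy (this example's own, an assumption for illustration):
      * if any dNSName SAN exists, only those SANs are consulted;
      * otherwise the CN is a fallback, but an IP literal is not a DNS
        name and never matches;
      * naive_cn_compare=True replaces the fallback with a raw string
        compare, which is how an IP address in the CN can seem to verify.
    """
    names = san_dns_names(cert)
    if names:
        return any(dns_name_matches(n, hostname) for n in names)
    if naive_cn_compare:
        return any(cn == hostname for cn in common_names(cert))
    if is_ip_literal(hostname):
        return False
    return any(dns_name_matches(cn, hostname) for cn in common_names(cert))


if __name__ == "__main__":
    print(match_hostname(CERT_DNS_SAN, "mail.example.net"))          # True via wildcard SAN
    print(match_hostname(CERT_IP_SAN, "192.0.2.25"))                 # False: no dNSName, IP literal
    print(match_hostname(CERT_IP_SAN, "192.0.2.25", naive_cn_compare=True))  # True: raw CN compare
```

Under the strict policy the iPAddress SAN certificate never matches, because SAN matching only consults dNSName entries and the CN fallback refuses IP literals; it is only the raw CN string compare that lets an IP in the CN pass, which is the asymmetry the thread describes.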