Osama Al-Hassani:
> Yes. And we are using DNS SANs, but in some scenarios we need to verify
> against the IP address.
>
> We can do this, if the IP address is present in the CN but not SANs. Is
> there a reason for the difference in behaviour?
>
> Thanks,
> Osama
>
> -----Original Message-----
> From: owner-postfix-us...@postfix.org
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Viktor Dukhovni
> Sent: 15 June 2017 01:33
> To: postfix-users@postfix.org
> Subject: Re: Outbound TLS Certificate Verification
>
> On Wed, Jun 14, 2017 at 09:12:20PM +0000, Osama Al-Hassani wrote:
>
> > When verifying server certificates on outbound connections, it seems
> > we are unable to verify the IP addresses part of the SANs field. We are
> > able to verify IPs in CNs.
>
> Email is sent to addresses of the form <local-part@domain-part>, where the
> "domain-part" is a DNS domain, not an IP address. The SMTP server is either
> an MX host, or the domain itself, in the absence of MX records. Bare IP
> addresses are not valid in MX records. Most mail systems will not accept
> email to addresses of the form <local-part@[NNN.NNN.NNN.NNN]> (IP-address
> domain-literals).
>
> > What is the reasoning behind this behaviour?
>
> No useful security results from verifying IP addresses in certificates for
> TLS connections to DNS hosts. Certificates with IP addresses are for IPsec,
> not for TLS with SMTP.
>
> Postfix supports DNS subject alternative names:
>
> https://www.postfix.org/TLS_README.html#client_tls_secure
> https://www.postfix.org/TLS_README.html#client_tls_dane
Which Postfix SMTP client implementation matches server certificates
against server IP addresses?

	Wietse
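The behaviour discussed above (an IP address in the CN matches, the same address in an iPAddress SAN does not) follows from how a DNS-name-only verifier works: the name the client connected to is compared as text against dNSName SANs when the certificate has any, otherwise against the CommonName, and iPAddress SANs, which are raw address octets rather than names, are never consulted. The following is an added example written for this page, not Postfix code and not from anyone in the thread; the matching policy is modelled on the rules described in the Postfix TLS_README, while the certificate dictionary shape, the make_cert/match_dns_or_cn/match_ip_san helpers, the single-leftmost-label wildcard rule and all sample names and addresses are assumptions made here. match_ip_san is included only for contrast, to show what matching an IP literal against iPAddress SANs would take; it is not a description of what Postfix does.

```python
"""
Model of DNS-SAN / CN certificate name matching (added example, not Postfix
code).  Policy modelled on the Postfix TLS_README description: DNS SANs are
consulted when present, otherwise the CN; iPAddress SANs are never consulted.
"""
import ipaddress


def make_cert(cn, dns_sans=(), ip_sans=()):
    """Constructed stand-in for a parsed X.509 certificate (assumed shape).

    In DER a dNSName SAN is an IA5String (text) while an iPAddress SAN is an
    OCTET STRING of raw address bytes; keeping that distinction is what makes
    the comparison below honest.
    """
    return {
        "cn": cn,
        "dns_sans": list(dns_sans),
        "ip_sans": [ipaddress.ip_address(ip).packed for ip in ip_sans],
    }


def _dns_name_match(pattern, name):
    """Case-insensitive DNS name comparison.

    Assumption for this example: a leading '*.' matches exactly one label
    (no partial-label or multi-label wildcards).
    """
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in name and name.split(".", 1)[1] == pattern[2:]
    return pattern == name


def match_dns_or_cn(server_name, cert):
    """Match the name the client connected to against the certificate.

    - if the cert carries any dNSName SANs, only those are consulted;
    - otherwise fall back to the CommonName;
    - iPAddress SANs are never looked at: they are octets, not names, so a
      textual "192.0.2.10" can only ever match text in a dNSName or the CN.
    Returns the matching certificate name, or None.
    """
    candidates = cert["dns_sans"] if cert["dns_sans"] else [cert["cn"]]
    for candidate in candidates:
        if _dns_name_match(candidate, server_name):
            return candidate
    return None


def match_ip_san(server_ip, cert):
    """What matching an IP literal against iPAddress SANs would require.

    Shown for contrast only (not what the thread says Postfix does): the
    textual address has to be parsed and compared as packed bytes.
    """
    try:
        packed = ipaddress.ip_address(server_ip).packed
    except ValueError:
        return False  # not an IP literal at all
    return packed in cert["ip_sans"]


if __name__ == "__main__":
    # Constructed sample certificates and names.
    cn_only = make_cert("192.0.2.10")
    with_sans = make_cert("192.0.2.10",
                          dns_sans=["mx1.example.com"],
                          ip_sans=["192.0.2.10"])
    # IP in the CN, no SANs: matches, because the CN is compared as text.
    print("cn-only cert, connect to 192.0.2.10:",
          match_dns_or_cn("192.0.2.10", cn_only))
    # Same IP in an iPAddress SAN alongside a DNS SAN: no match, because the
    # DNS SAN takes precedence over the CN and the IP SAN is never consulted.
    print("san cert, connect to 192.0.2.10:",
          match_dns_or_cn("192.0.2.10", with_sans))
    print("san cert, connect to mx1.example.com:",
          match_dns_or_cn("mx1.example.com", with_sans))
    print("san cert, IP-SAN check for contrast:",
          match_ip_san("192.0.2.10", with_sans))
```

The practical takeaway matches the advice in the thread: put the MX hostname in a dNSName SAN and connect by that name; an IP address only "verifies" today because it happens to be a string in the CN, and that stops working as soon as the certificate gains any DNS SAN.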