also sprach Wietse Venema <wie...@porcupine.org> [2017-09-17 16:34 +0200]:
> 1) Use smtpd_tls_CA_file to trust ONLY the letsencrypt CA.

Right, especially since I could set this only for the smtpd handling submissions and need not impose this setting on regular port 25 SMTP connections. I suppose it would get difficult if there was more than one issuing CA, but that's probably a rare case, if at all.

> 2) Use a new check_certname_access feature to reject out-of-domain
> names. Postfix should not make 'allow' decisions based on name
> information in a certificate with an untrusted CA.

Why do you consider the CA untrusted? Isn't that the whole point of the smtpd_tls_CA_file setting? Am I not making the statement "I trust the certificates issued by this CA to have reliable CNs" by specifying smtpd_tls_CA_file in our scenario?

If Postfix couldn't issue "allow" based on check_certname_access, then the logic would have to be:

  check_certname_access (reject if !.example.org)
  permit

which IMHO is backwards and not any more secure than

  check_certname_access (permit if .example.org)
  reject

… unless you had something else in mind to issue that "permit" in the first example?

-- 
@martinkrafft | http://madduck.net/ | http://two.sentenc.es/

it is better to remain silent and be thought a fool
than to open one's mouth and remove all doubt.

spamtraps: madduck.bo...@madduck.net
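For reference, an added configuration sketch of the submission-only layout discussed in this message (not taken from the thread or from Postfix's own documentation): the CA file and the certificate-name restriction are applied to the submission service only, using the second of the two orderings above. check_certname_access is the feature Wietse proposed in the thread, so its map format here is an assumption, and all file paths are placeholders.

```conf
# Added example, not from this thread or from Postfix itself.
# check_certname_access is the feature proposed in the thread; its lookup
# (verified certificate name as key, parent domains matched the way
# check_client_access matches them) is an ASSUMPTION. Paths are placeholders.

# ---- main.cf ----
# The restriction list is defined here because master.cf "-o" values
# cannot contain whitespace; the submission service references it by name.
# Second ordering from the message: an in-domain name permits relaying,
# everything else falls through to the final reject. Because only the
# Let's Encrypt chain is trusted on submission (see master.cf below), a
# certificate from any other issuer never verifies and so never reaches
# the permit entry, regardless of what name it carries.
submission_relay_restrictions =
    check_certname_access hash:/etc/postfix/certnames,
    reject

# ---- master.cf ----
# CA trust and client-certificate request are scoped to this service only,
# so the port 25 smtpd keeps its own (broader) CA settings untouched.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_CA_file=/etc/ssl/certs/letsencrypt-chain.pem
  -o smtpd_tls_ask_ccert=yes
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=$submission_relay_restrictions

# ---- /etc/postfix/certnames (run "postmap /etc/postfix/certnames") ----
# Only names under example.org get an entry; anything else has no match
# and is handled by the trailing reject in submission_relay_restrictions.
#
#   .example.org    permit
```

After editing, "postfix reload" picks up master.cf and main.cf, and "postconf -n" shows the resulting parameter values.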