martin f krafft:
> also sprach Wietse Venema <[email protected]> [2017-09-17 16:34 +0200]:
> > 1) Use smtpd_tls_CA_file to trust ONLY the letsencrypt CA.
>
> Right, especially since I could set this only for the smtpd handling
> submissions and need not impose this setting on regular port 25 SMTP
> connections.
>
> I suppose it would get difficult if there was more than one issuing
> CA, but that's probably a rare case, if at all.
>
> > 2) Use a new check_certname_access feature to reject out-of-domain
> > names. Postfix should not make 'allow' decisions based on name
> > information in a certificate with an untrusted CA.
Any CA that is not in smtpd_tls_CA_file. I see no harm in allowing
'reject' decisions based on the name in a certificate from an unknown
CA.
Wietse
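As an added illustration of the policy Wietse describes (this is not code from the thread and not Postfix's own implementation; check_certname_access is only proposed above), here is a small reference model of the decision: a name outside the local domain is rejected whatever CA issued the certificate, an allow is granted only when the issuer is one of the CAs in smtpd_tls_CA_file, and an in-domain name from an unknown CA falls through. The class and function names, the assumption that an untrusted in-domain name yields DUNNO rather than REJECT, and the sample certificates are all constructed for the example; the OK/REJECT/DUNNO actions mirror Postfix access-map results.

```python
# Added example, not from the postfix-users thread or from Postfix itself.
# Models the "reject on names from any CA, allow only on names from a
# trusted CA" rule with Postfix-style access results. All names below are
# assumptions made for the example.

from dataclasses import dataclass

OK, REJECT, DUNNO = "OK", "REJECT", "DUNNO"


@dataclass
class ClientCert:
    """Name information an smtpd would see in a TLS client certificate."""
    names: list           # subject CN plus subjectAltName dNSName entries
    issuer_trusted: bool  # True only if the chain verified against smtpd_tls_CA_file


def _normalise(name):
    # Certificate names are case-insensitive; drop a trailing root dot.
    return name.strip().rstrip(".").lower()


def in_domain(name, domain):
    """True if name equals domain or is a proper subdomain of it.

    The explicit "." prefix in the suffix test stops "notexample.org"
    from matching "example.org".
    """
    name, domain = _normalise(name), _normalise(domain)
    return name == domain or name.endswith("." + domain)


def certname_access(cert, domain):
    """Access decision for one client certificate.

    Every name in the certificate must be in-domain; one foreign name is
    enough to reject. Rejects do not depend on issuer trust, allows do.
    """
    names = [_normalise(n) for n in cert.names if n.strip()]
    if not names:
        return DUNNO  # nothing to decide on; let later restrictions run
    if any(not in_domain(n, domain) for n in names):
        return REJECT  # reject decisions may use names from any issuer
    if cert.issuer_trusted:
        return OK      # allow only on names a trusted CA vouched for
    return DUNNO       # in-domain name, unknown CA: never an allow (assumed fall-through)


if __name__ == "__main__":
    # Constructed sample certificates, not real ones.
    samples = [
        ClientCert(["mail.example.org"], True),
        ClientCert(["mail.example.org"], False),
        ClientCert(["host.attacker.net"], True),
        ClientCert(["notexample.org"], True),
        ClientCert(["mail.example.org", "other.net"], True),
    ]
    for cert in samples:
        print(cert.names, cert.issuer_trusted, "->", certname_access(cert, "example.org"))
```

The suffix check in in_domain is the part worth keeping in mind: a naive endswith("example.org") would let a certificate for notexample.org through as in-domain.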