On 4/18/21 2:39 PM, Wietse Venema wrote:
> Demi Marie Obenour:
>>>> It seems that there are knobs that let you list *individual certs* for
>>>> allowing trusted relaying, but not *individual CAs*.
>>>>
>>>> Is there any way around this?
>>>
>>> Yes: handle that traffic with a dedicated smtpd instance that only
>>> trusts your internal root.
>>>
>>> Postfix check_ccert_access currently supports matches based on
>>> certificate fingerprint and public key fingerprint. The other
>>> available attributes, issuer name and subject name, are too soft
>>> for security decisions.
>>
>> Would it be possible to support trusting based on subject alt name?
>> I would like a machine with a certificate for a.example.com to send
>> mail from a.example.com domains.
> 
> What is the trust model here?
> 
>       Wietse

Each system is issued a certificate for its own domain.  Perhaps a
better example would be email Subject Alternative Names.

Demi

