Current-Users archive
Re: openssl3+postfix issue (ca md too weak)
Hello Ken. It may be that the RFC says the client need not present a valid certificate, but
I have found that smtp clients I manage that want to send mail to Microsoft managed domains
cannot set up an SSL encrypted smtp session unless the client presents a valid certificate as
part of the key negotiation process. This may be something they're doing in violation of the
RFC, but I found when I configured sendmail to present a valid certificate, one that could be
verified versus a self-signed certificate, mail which wasn't flowing began flowing again. Note
I'm not talking about an smtp-auth situation where an individual user is authenticating to a
smtp service, but rather server-to-server communications where two smtp MTA agents want to
exchange mail with each other.
-thanks
-Brian
On Nov 14, 9:30am, Ken Hornstein wrote:
} Subject: Re: openssl3+postfix issue (ca md too weak)
} > Hello Taylor. Just as a point of reference, smtp clients that
} >connect to domains hosted by Microsoft, i.e. outlook.com and any other
} >domains that use their infrastructure for e-mail, will have to present
} >a valid SSL certificate in order to submit mail to their smtp servers.
}
} I do not believe this statement is correct. My reading of RFC 8461
} is that all it says is that the _server_ has to have a valid certificate
} and says nothing about client certificates. In my limited experience
} configuring your SMTP _client_ to present a certificate is very very
} rare.
}
} --Ken
>-- End of excerpt from Ken Hornstein