On Thu, May 12, 2016, Jeffry Dwight wrote:

> Is it even worth checking the cert chain at all?

Sure, if you want to enable further requirements. For example, I use something like this:

    smtpc_rcpt_conf:@$IMPORTANTDOMAIN tls_requirements { flags={verified}; cipher_bits_min=256; hostnames = { .$IMPORTANTDOMAIN }; }

for some domains; so without checking the cert the "verified" requirement would never be fulfilled.

Depending on your MTA, you can specify other requirements based on your needs/out of band agreements, e.g., cert-issuer or cert-fingerprint.