On Mon, Jan 11, 2010 at 11:36:42AM -0600, Noel Jones wrote:

> According to the example in
> http://www.postfix.org/TLS_README.html#client_tls_policy
> the policy table should contain
>
>     somedomain.tld encrypt
>
> To include subdomains of somedomain.tld also include
>
>     .somedomain.tld encrypt
And only when one's transport table or relayhost specifies a nexthop of the form:

    [gateway.example.com]

does the TLS policy table need an entry of the same form:

    [gateway.example.com] encrypt|secure|fingerprint ...

For "[gateway]" nexthops there is no real difference between "secure" and "verify": both test for the same nexthop address, unless "match" values are specified explicitly. In retrospect, it was an interface design error to provide both levels; just one would have been enough, with backwards compatibility for tls_per_site provided via different "match" values for "verify", not a different security level. Both verify certificates using a slightly different default set of match values. :-( The "damage" is fairly minor...

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

If my response solves your problem, the best way to thank me is to not send an "it worked, thanks" follow-up. If you must respond, please put "It worked, thanks" in the "Subject" so I can delete these quickly.
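To make the lookup-key point concrete, here is an added illustration (not Postfix code, and not from either poster) that emulates how smtp_tls_policy_maps keys are matched: a bracketed nexthop from transport(5) or relayhost is looked up verbatim, brackets included, while a bare recipient domain falls back to dot-prefixed parent domains. The table contents are constructed from the entries discussed in this thread; the "secure" level for the gateway entry is an assumed choice.

```python
# Added illustration of smtp_tls_policy_maps lookup order (not Postfix code).
# POLICY_TABLE is constructed from the entries discussed in the thread; the
# "secure" level chosen for the bracketed gateway entry is an assumption.

POLICY_TABLE = {
    "somedomain.tld": "encrypt",        # the domain itself
    ".somedomain.tld": "encrypt",       # its subdomains
    "[gateway.example.com]": "secure",  # a [gateway] nexthop from transport/relayhost
}


def tls_policy_lookup(nexthop, table=POLICY_TABLE):
    """Return (matched_key, level), or (None, None) when no policy applies.

    The nexthop is first looked up exactly as written.  A key enclosed in
    square brackets (or carrying a :port suffix) is matched verbatim only,
    so "gateway.example.com" never picks up the "[gateway.example.com]"
    entry and vice versa.  A bare domain that is not found falls back to
    its parent domains with a leading dot, as transport(5) does.
    """
    if nexthop in table:
        return nexthop, table[nexthop]
    if nexthop.startswith("[") or ":" in nexthop:
        return None, None  # verbatim keys get no parent-domain fallback
    labels = nexthop.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in table:
            return key, table[key]
    return None, None


if __name__ == "__main__":
    for dest in ("somedomain.tld", "mail.somedomain.tld",
                 "[gateway.example.com]", "gateway.example.com"):
        key, level = tls_policy_lookup(dest)
        print(f"{dest:28} -> {key!r:26} {level or '(no policy)'}")
```

Running it shows the bare hostname gateway.example.com matching nothing, which is exactly why a [gateway] nexthop needs a bracketed policy entry.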