On Thu, Sep 16, 2010 at 03:45:17PM -0500, Vernon A. Fort wrote:

> > Anonymous DH ciphers don't use CA certs. The conversation is encrypted,
> > but unauthenticated. Of course "Trusted" is also encrypted and not
> > authenticated, but a certificate is sent and mostly ignored. What you
> > learn is that if you wanted to, you could use a "secure" policy with
> > a suitable set of "match" patterns.
>
> Ok - so the Trusted/Untrusted/Anonymous 'connections' are for the CA
> root - understood. By the way - did the TLS_README patch you posted
> (http://www.mail-archive.com/postfix-users@postfix.org/msg15394.html)
> ever make it into the TLS_README file? I'm running the 2.8-20100913
> version (will upgrade to 916) but this patch/info is NOT in the
> TLS_README.

Yes, it looks like that patch did not make it in.

> Most of what I read (so far) insists that you stay away from the
> "secure" policies, assuming you're referring to the
> smtp[d]_tls_security_level.

I don't read the documentation that way. It does make it clear that for
a public MX host, anything stronger than "may" is impractical on port 25.
Also for an internet-facing SMTP client that delivers mail to the MX
hosts of any and all domains, likewise, "may" is the right default
policy.

Beyond that, you can use "secure" channel peer verification by mutual
agreement with specific destination sites, and that policy is best
applied by the client.

-- 
Viktor.
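The policy described in the reply, rendered as Postfix configuration: "may" as the default on both the server and the client side, with a "secure" entry carrying explicit "match" patterns for one destination that has agreed to it. This is an added illustration, not a message from the thread or a sample shipped with Postfix; the hostnames and file paths are placeholders.

```conf
# /etc/postfix/main.cf (excerpt)

# Public MX host on port 25: anything stronger than "may" turns away
# peers that cannot do TLS, so offer it opportunistically to all clients.
smtpd_tls_security_level = may
# Placeholder paths for the server certificate and private key.
smtpd_tls_cert_file = /etc/postfix/mx.example.net.pem
smtpd_tls_key_file = /etc/postfix/mx.example.net.key

# Internet-facing client delivering to the MX hosts of arbitrary domains:
# "may" is the right default; TLS with an unverified or anonymous peer
# is logged as "Untrusted" or "Anonymous" but the mail is still delivered.
smtp_tls_security_level = may
# CA bundle used to verify peer certificates for "secure" destinations
# (placeholder path; the file must hold the CA that signed the peer's cert).
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# Per-destination overrides of the default policy, applied by the client.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_loglevel = 1

# /etc/postfix/tls_policy (rebuild with: postmap hash:/etc/postfix/tls_policy)
# The key is the next-hop destination, normally the recipient domain.
# "secure" requires a certificate that chains to a trusted CA AND whose
# name matches one of the colon-separated "match" patterns: ".domain"
# matches any host under that domain, a bare name must match exactly.
# This is the mutual-agreement case; the partner must keep its cert valid.
partner.example.com    secure match=.partner.example.com:partner.example.com
```

If a "secure" destination's certificate stops matching, Postfix defers the mail rather than falling back to cleartext or unauthenticated TLS, so the agreement with the partner site needs to cover certificate changes.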