On Wed, Mar 02, 2011 at 09:15:24AM +0100, kapetr wrote:

> Hello,
>
> I HAVE TO apologize :-)
>
> I had presented my solution with stunnel4- and now I see (as written by
> <r...@gmx.co.uk> - thanks) it is in
> http://www.postfix.org/TLS_README.html#client_smtps.
Note, however, that stunnel will not by default verify peer certificates, so additional configuration is required for that. Only stunnel's verification level 3, where the remote peer certificate is locally installed in a local CAfile referenced in the stunnel.conf file, actually verifies that you are reaching the right peer server. Stunnel has no support for peername verification via trusted CAs.

Stunnel's verification level 2 just lulls unsuspecting users into a false sense of security. It just verifies the certificate trust chain (essentially pointless), but not the peername. I tried to convince the author of stunnel that verification level 2 is broken, and should be modified, ... he was not interested.

--
Viktor.
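
An added example, not part of the original message and not taken from the Postfix or stunnel documentation: a client-mode stunnel.conf service for an SMTPS wrapper using verification level 3 as described above. The service name, listening port, remote host name and file path are assumptions.

```ini
; Client-side SMTPS wrapper: Postfix relays to 127.0.0.1:11125 in plain SMTP,
; stunnel wraps the session in TLS towards the remote server.
; Service name, port, host and path below are placeholders (assumptions).

[smtps-wrapper]
client = yes
accept = 127.0.0.1:11125
connect = mail.example.com:465

; Level 3: the peer must present a certificate that is itself installed
; locally in CAfile. This pins the connection to that one server.
verify = 3

; PEM file holding the remote server's own certificate, obtained and
; checked out of band before being installed here.
CAfile = /etc/stunnel/mail.example.com-peer.pem

; For contrast, per the message above:
;   no "verify" line -> peer certificates are not verified at all
;   verify = 2       -> only the trust chain is checked, not the peername,
;                       so any certificate issued under a CA in CAfile
;                       is accepted
```

With level 3 the pinned file has to be replaced whenever the remote server renews its certificate, otherwise the connection will start failing.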