On 20.12.2011 14:30, lst_ho...@kwsoft.de wrote:

Hi,

>>>> Any idea how to allow all certificates issued by specific Sub-CAs,
>>>> without trusting everyone?
>>>
>>> As far as I understand you have to list the complete chain but only your
>>> sub-CA to get it working. So create a smtpd_tls_CAfile with the Telekom
>>> root and your sub-CA and nothing else. This would allow relaying for any
>>> certificate your sub-CA or the Telekom root CA has issued, but not for
>>> certificates issued by any sub-CA of the Telekom beside yours. Be aware
>>> that you should not do this on a public facing port 25.
>>
>> Unfortunately no-go, the full chain needs to be in smtpd_tls_CApath,
>> otherwise I get the "unable to get issuer certificate". And doing that
>> would blow the purpose, since we would be an open relay for everyone
>> having a DTAG certificate.
> 
> To my knowledge you would *only* be an open relay for certificates
> issued directly by the Telekom root-CA and for certificates issued by
> your sub-CA, not for certificates issued by other Telekom sub-CAs not
> included in the file. Not sure if the Telekom root-CA is used to issue
> certificates anyway.
> Viktor will correct me if I'm wrong ;-)

I thought so, too. But apparently it is enough that the client supplies
the rest of the certificate chain. I tested that by only allowing the
Telekom Root-CA and having the client (openssl s_client) send the whole
chain including the intermediate CAs ... bam, Trusted.

Bernhard

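What Bernhard observed, as an added runnable demonstration (this script is not part of the thread; the CA and host names in it are made up, and it needs only the `openssl` CLI, 1.1.1 or later). It builds a throw-away PKI with one root and two sub-CAs, then runs `openssl verify` the way a TLS server's verifier would: `-CAfile` is the server's trust store (what `smtpd_tls_CAfile` holds), `-untrusted` is the chain the client sends in the handshake. Row two is the "bam, Trusted" case; the last two rows go beyond the thread and show OpenSSL's `-partial_chain` mode, where our own sub-CA alone is the anchor and a client from a sibling sub-CA is rejected even when it sends the whole chain up to the root.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Throw-away PKI:
#   Example Root CA -> Our Sub-CA -> client.ours.example
#                   -> Some Other Sub-CA -> client.other.example
# All names are hypothetical. Requires the openssl CLI (1.1.1+).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
EOF

# issue NAME SUBJECT ISSUER EXTSECTION: fresh EC key plus a cert signed by ISSUER
issue() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1.key" 2>/dev/null
  openssl req -new -key "$1.key" -subj "$2" -config ca.cnf -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -days 2 -extfile ca.cnf -extensions "$4" -out "$1.pem" 2>/dev/null
}

# Self-signed root; stands in for the "Telekom root" of the thread.
openssl ecparam -name prime256v1 -genkey -noout -out root.key 2>/dev/null
openssl req -new -x509 -key root.key -subj "/CN=Example Root CA" -days 2 \
  -config ca.cnf -extensions v3_ca -out root.pem 2>/dev/null

issue subA    "/CN=Our Sub-CA"           root v3_ca    # the sub-CA we want to allow
issue subB    "/CN=Some Other Sub-CA"    root v3_ca    # a sibling sub-CA we do not
issue clientA "/CN=client.ours.example"  subA v3_leaf
issue clientB "/CN=client.other.example" subB v3_leaf

cat subA.pem root.pem > root-and-subA.pem   # the "root + our sub-CA" CAfile idea
cat subB.pem root.pem > chainB.pem          # chain an s_client under the other sub-CA sends

# check LEAF TRUSTFILE [UNTRUSTED] [FLAGS]: prints "trusted" or "rejected".
# TRUSTFILE models the server's trust store, UNTRUSTED the chain sent by the client.
check() {
  leaf=$1; trust=$2; untrusted=${3:-}; flags=${4:-}
  if [ -n "$untrusted" ]; then
    set -- -CAfile "$trust" -untrusted "$untrusted" $flags "$leaf"
  else
    set -- -CAfile "$trust" $flags "$leaf"
  fi
  if openssl verify "$@" >/dev/null 2>&1; then echo trusted; else echo rejected; fi
}

# 1. Trust = root only; client sends just its own cert: no issuer available.
case_root_only_no_chain()   { check clientB.pem root.pem; }
# 2. Trust = root only; client also sends its intermediate (Bernhard's test).
case_root_only_with_chain() { check clientB.pem root.pem chainB.pem; }
# 3. Trust = root + our sub-CA; a client from the other sub-CA still gets in,
#    because the root alone already completes its chain.
case_root_subA_with_chain() { check clientB.pem root-and-subA.pem chainB.pem; }
# 4. Trust = our sub-CA only, used as a partial-chain anchor: ours passes,
#    the sibling is rejected even though it sends subB and the root.
case_partial_ours()  { check clientA.pem subA.pem "" -partial_chain; }
case_partial_other() { check clientB.pem subA.pem chainB.pem -partial_chain; }

for c in case_root_only_no_chain case_root_only_with_chain \
         case_root_subA_with_chain case_partial_ours case_partial_other; do
  printf '%-28s %s\n' "$c" "$($c)"
done
```

The first three rows are the thread's situation: as soon as the root is in the trust store, any client that presents its own intermediate verifies, so adding our sub-CA to the file buys nothing. In Postfix terms `permit_tls_all_clientcerts` would relay for all of them, while `permit_tls_clientcerts` with `relay_clientcerts` (or a `check_ccert_access` map) matches individual certificate fingerprints and does not depend on the chain at all. The partial-chain rows show what the OpenSSL verifier can do when the anchor is the sub-CA itself; whether a given Postfix build can be configured to verify that way is a question for its TLS documentation, not something this script settles.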