On Wed, Oct 16, 2013 at 07:52:42PM +0200, Marko Weber | ZBF wrote:
> > Accept incoming mail only if these certs are presented:
> >
> > # cat /usr/local/etc/postfix-config/relay_clientcerts
> > 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44 a.example.org
> > 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:55 b.example.org
> > 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:66 c.example.org
>
> I think "secure" can also check DNS, "encrypt" does not check if DNS
> is wrong. When you set in your /etc/hosts:
>
> 111.111.111.111 A.example.org
> 222.222.222.222 B.example.org
> 212.212.212.212 C.example.org
>
> then "secure" can check before sending the mail if the DNS is right
> or caught by someone. Otherwise, the mail goes to the destination
> that A.example.org or others point to.
No. The "verify" and "secure" levels are for the SMTP client; this thread is about server-side access control. The DNS security difference is in the safety of the "hostname" pattern with respect to MITM MX records. Secure verification of a server certificate requires that the client use a trusted source for the name of the server to check against the certificate.

-- 
Viktor.
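The two sides Viktor separates, written out as an added main.cf sketch that is not from this thread or from the Postfix documentation. The server-side block reuses the relay_clientcerts file shown in the quoted message (its 20-byte fingerprints are SHA-1, so the digest parameter is set to match rather than relying on the compiled-in default, which differs between Postfix releases); the client-side block shows where the "verify" and "secure" levels actually live. The TLS policy map path and the CA bundle path are assumptions; all parameter names are standard Postfix parameters.

```conf
# ---- Server side (smtpd): this is what relay_clientcerts controls ----
# Offer TLS, ask the connecting client for a certificate, and permit
# relaying when the certificate fingerprint is listed in the file.
smtpd_tls_security_level = may
smtpd_tls_ask_ccert = yes
# Fingerprints in the file are 20 bytes (SHA-1); the digest must agree.
smtpd_tls_fingerprint_digest = sha1
# Path from the quoted message; "postmap" must be run on it to build the hash table.
relay_clientcerts = hash:/usr/local/etc/postfix-config/relay_clientcerts
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_tls_clientcerts,
    reject_unauth_destination

# ---- Client side (smtp): this is where "verify" and "secure" apply ----
# "verify": the server certificate is matched against the MX hostname
#           returned by DNS, so a forged MX record also steers the name check.
# "secure": the server certificate is matched against the next-hop name
#           configured locally (the domain or relayhost entry), which a
#           DNS answer cannot change.
smtp_tls_security_level = may
# Assumed path for the per-destination policy table.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# Assumed path for the CA bundle used to validate server certificates.
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Contents of /etc/postfix/tls_policy (assumed example; run "postmap" after editing):
#   example.org          secure
#   [mail.example.net]   verify match=mail.example.net
```

None of the client-side settings affect which incoming connections the server accepts; that decision is made entirely by the smtpd_* block and the fingerprint table.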