On Wed, Jan 14, 2015 at 09:26:32PM +0000, Nick Howitt wrote:

> In main.cf I've set:
> smtp_sasl_auth_enable = yes
> smtp_sasl_security_options = noanonymous
> relayhost = [smtp.ntlworld.com]:465
Port 465 is not STARTTLS and is not directly supported by Postfix:

http://www.postfix.org/TLS_README.html#client_smtps

Note the minimal stunnel.conf file in the example does not authenticate the remote server, so that configuration is subject to man-in-the-middle attacks.

To authenticate the remote peer with stunnel, even "verify = 2" is not enough, as it completely ignores the subject name (and altnames) in the peer's certificate, checking only that the certificate is issued by a trusted CA. My attempts (some years back) to persuade the author of stunnel to be more sensible failed.

Therefore, what you need to do is configure a CAfile in which, in addition to the expected trusted issuing root CA, you include a copy of a leaf certificate with the same subject DN as the remote peer's current certificate. Then with "verify = 3", stunnel will verify the peer (until some part of the DN changes).

CA-based authentication of tunnels to peers you don't control is sadly rather painful with stunnel. Perhaps some day stunnel will support DANE (and offer a more useful implementation of verify = 2).

-- 
	Viktor.
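The following is an added illustration of the setup Viktor describes, not configuration taken from the Postfix TLS_README or from Viktor's post: an stunnel client service wrapping port 465 with "verify = 3" and a pinned CAfile, next to the matching Postfix main.cf fragment. The service name, the local port 11125, the PEM file paths and the Postfix SASL settings are assumptions chosen for the example; the peer host and the "verify = 3" / CAfile technique come from the thread.

```ini
; /etc/stunnel/stunnel.conf (example; paths and port are assumptions)
;
; The pinned CAfile is built once from two PEM files you already hold:
;   cat /etc/stunnel/ntlworld-root-ca.pem \
;       /etc/stunnel/smtp.ntlworld.com-leaf.pem \
;       > /etc/stunnel/smtp.ntlworld.com-pinned.pem
; The first is the root CA that issues the peer's certificate; the second
; is a saved copy of the peer's current leaf certificate (same subject DN
; as the certificate the server presents). With verify = 3 stunnel accepts
; the peer only when its certificate chains to the root AND a copy of the
; leaf itself is in CAfile. When the peer rotates to a certificate with a
; different DN, the tunnel stops accepting it and the leaf copy must be
; refreshed; a rotation that keeps the DN is still accepted.

[smtp-tls-wrapper]
client  = yes
accept  = 127.0.0.1:11125
connect = smtp.ntlworld.com:465
verify  = 3
CAfile  = /etc/stunnel/smtp.ntlworld.com-pinned.pem
```

The Postfix side then relays in plaintext to the local stunnel listener, which owns the TLS session; the SASL credentials travel only over the loopback hop before stunnel encrypts them:

```ini
# /etc/postfix/main.cf (fragment; relayhost port matches the stunnel accept line)
relayhost = [127.0.0.1]:11125
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
```

Keep the pinned CAfile under change control and compare the peer's live certificate against the saved leaf periodically; a sudden DN change is either a legitimate provider change or exactly the substitution that "verify = 2" would have waved through.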