Hello,

Sendmail has a number of TLS certificate validation options described here:
http://www.sendmail.co.uk/sm/open_source/docs/m4/starttls.html#allow_con

  VERIFY       verification must have succeeded
  VERIFY:bits  verification must have succeeded and ${cipher_bits} must be greater than or equal bits.
  ENCR:bits    ${cipher_bits} must be greater than or equal bits.
  CN:name      name must match ${cn_subject}
  CN           ${server_name} must match ${cn_subject}
  CS:name      name must match ${cert_subject}
  CI:name      name must match ${cert_issuer}

These can be enabled when Sendmail is acting as a client or as a server. Furthermore, using the routing table it is possible to define different settings for different remote hosts (clients or servers).

Looking at the Postfix configuration pages I can see how the smtp_tls_policy_maps option can be used to enable verification of remote server certificates when Postfix is the client, but there doesn't seem to be the same level of control over what verification takes place exactly.

As for verification of client certificates, I can see the relevant section in TLS_README but it looks like a global option, i.e. it must be enabled for all clients or not at all.

My questions:

1. Am I correct that the same level of verification control is not possible in Postfix (perhaps for good reason) or am I overlooking something? If I'm right, what steps does Postfix take exactly to verify certificates?

2. Is it possible to enable client certification verification for some clients and not others?

regards,
Rob Maidment
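The per-host requirement check described in the message above, as an added example that is not part of the original post and is not Sendmail or Postfix code. The `Session` class, the function names, the parent-domain fallback, the case-insensitive CN comparison and the sample table are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Session:
    """Constructed stand-in for the macros named in the option list."""
    verified: bool      # outcome of certificate verification
    cipher_bits: int    # ${cipher_bits}
    cn_subject: str     # ${cn_subject}
    cert_subject: str   # ${cert_subject}
    cert_issuer: str    # ${cert_issuer}
    server_name: str    # ${server_name}

def check(requirement, s):
    """Return True if session s satisfies one requirement from the list."""
    kind, _, arg = requirement.partition(":")
    if kind == "VERIFY":   # VERIFY or VERIFY:bits
        return s.verified and (not arg or s.cipher_bits >= int(arg))
    if kind == "ENCR":     # ENCR:bits, no certificate check at all
        return s.cipher_bits >= int(arg)
    if kind == "CN":       # CN:name, or bare CN compared to ${server_name}
        # Assumption: host names are compared case-insensitively.
        return (arg or s.server_name).lower() == s.cn_subject.lower()
    if kind == "CS":       # CS:name
        return arg == s.cert_subject
    if kind == "CI":       # CI:name
        return arg == s.cert_issuer
    raise ValueError(f"unknown requirement: {requirement!r}")

def policy_for(host, table):
    """Assumed lookup order: exact host, then each parent domain."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        key = ".".join(labels[i:])
        if key in table:
            return table[key]
    return None

def allowed(host, s, table):
    """Hosts without an entry carry no TLS requirement."""
    req = policy_for(host, table)
    return True if req is None else check(req, s)

# Constructed sample table and sessions.
TABLE = {"mx.partner.example": "VERIFY:128", "example.net": "ENCR:112"}
OK = Session(True, 256, "mx.partner.example", "/CN=mx.partner.example",
             "/CN=Example CA", "mx.partner.example")
UNVERIFIED = Session(False, 256, "", "", "", "mail.example.net")
```

Note that an `ENCR:bits` entry accepts an unverified peer as long as the cipher is strong enough, which is the distinction between the `ENCR` and `VERIFY` options in the list.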