On Wed, Jun 14, 2017 at 09:12:20PM +0000, Osama Al-Hassani wrote:

> When verifying server certificates on outbound connections, it seems we
> are unable to verify the IP addresses in the SANs field. We are able to
> verify IPs in CNs.

Email is sent to addresses of the form <local-part@domain-part>,
where the "domain-part" is a DNS domain, not an IP address.  The SMTP
server is either an MX host, or the domain itself, in the absence
of MX records.  Bare IP addresses are not valid in MX records.
Most mail systems will not accept email to addresses of the form
<local-part@[NNN.NNN.NNN.NNN]> (IP-address domain-literals).

> What is the reasoning behind this behaviour?

No useful security results from verifying IP addresses in certificates
for TLS connections to DNS hosts.  Certificates with IP addresses
are for IPsec, not for TLS with SMTP.

Postfix supports DNS subject alternative names:

    https://www.postfix.org/TLS_README.html#client_tls_secure
    https://www.postfix.org/TLS_README.html#client_tls_dane

-- 
        Viktor.
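As an added illustration (not code from this thread or from Postfix itself), a simplified Python model of the client-side name check described above: the name the SMTP client looks for is always a DNS name (the next-hop domain, a subdomain of it, or the MX host name), so an iPAddress SAN is never even consulted. It assumes Postfix's documented match specifiers `nexthop`, `dot-nexthop` and `hostname`, models `dot-nexthop` as "any subdomain of the next-hop domain" (an assumption), ignores wildcard certificate names, and uses constructed certificate data.

```python
from typing import List, Optional, Sequence

# Constructed certificate name sets (not taken from the original thread).
CERT_DNS_SAN = {"dns": ["mx1.example.com"], "ip": [], "cn": "mx1.example.com"}
CERT_IP_ONLY = {"dns": [], "ip": ["192.0.2.25"], "cn": "192.0.2.25"}

def expected_names(nexthop: str, mx_host: str, match_list: Sequence[str]) -> List[str]:
    """Expand Postfix-style match specifiers into the DNS names the SMTP client
    will accept (simplified model of smtp_tls_{secure,verify}_cert_match)."""
    names = []
    for spec in match_list:
        if spec == "nexthop":         # the recipient domain / relayhost name
            names.append(nexthop)
        elif spec == "dot-nexthop":   # any subdomain of the next-hop domain (assumption)
            names.append("." + nexthop)
        elif spec == "hostname":      # the MX host name obtained from DNS
            names.append(mx_host)
        else:                         # a literal name from a TLS policy entry
            names.append(spec)
    return names

def _name_matches(cert_name: str, expected: str) -> bool:
    cert_name, expected = cert_name.lower().rstrip("."), expected.lower().rstrip(".")
    if expected.startswith("."):      # ".example.com" matches hosts beneath it
        return cert_name.endswith(expected) and len(cert_name) > len(expected)
    return cert_name == expected

def matching_cert_name(cert: dict, nexthop: str, mx_host: str,
                       match_list: Sequence[str]) -> Optional[str]:
    """Return the certificate name that satisfies the match list, or None.
    Only dNSName SANs are compared (the CN only when no dNSName SAN exists);
    cert["ip"] is never read, because every expected name is a DNS name."""
    candidates = cert["dns"] or ([cert["cn"]] if cert["cn"] else [])
    for expected in expected_names(nexthop, mx_host, match_list):
        for cand in candidates:
            if _name_matches(cand, expected):
                return cand
    return None

if __name__ == "__main__":
    # Delivery to user@example.com; the (constructed) MX lookup gives mx1.example.com.
    for level, spec in (("secure", ["nexthop", "dot-nexthop"]), ("verify", ["hostname"])):
        for label, cert in (("dns-san cert", CERT_DNS_SAN), ("ip-only cert", CERT_IP_ONLY)):
            print(level, label, "->",
                  matching_cert_name(cert, "example.com", "mx1.example.com", spec))
```

The IP-only certificate is rejected at both levels even though its CN and SAN hold the server's real address, which is the behaviour the question observed.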
