On Fri, Jan 07, 2022 at 05:47:55PM -0500, PGNet Dev <pgnet....@gmail.com> wrote:
> > Postfix has no CRL or OCSP support, and none is planned.
>
> other than reporting the bad result, does the current (bad) config cause any
> actual mail delivery breakage?

Probably no real harm done. OCSP stapling is just a way to make it more private
and more efficient for a web browser to verify that a website's certificate
hasn't been revoked, by providing that information in-band, so the browser
doesn't have to contact your CA separately.

I expect very few SMTP clients actually verify SMTP server certificates(?), so
they won't be checking revocation status either, and so it shouldn't matter
whether or not OCSP is working as advertised. Even those that do verify the
server certificate can contact your CA separately in the absence of OCSP. So
nothing should break.

Turning off "must staple" is probably the simplest option. You could also have
separate certificates for your web server (with must staple) and mail server
(without).

If you're concerned about the SSLLabs report, don't be. It doesn't penalise for
the absence of "must staple". It's only complaining about "must staple" in the
absence of stapling being offered.

But you might want "must staple" for your website, in case it's compromised,
and the attacker turns off OCSP stapling, in the hope that clients won't bother
checking revocation status, so they can keep using your certificate after you
have revoked it. Having "must staple" would require the clients to check
revocation status (via OCSP itself if stapling isn't offered), so they'd find
out that you had revoked the compromised certificate.

cheers,
raf
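An added check for the "must staple" point raf makes above (example code written for this page, not from the thread, from Postfix or from raf): "must staple" is the X.509 TLS Feature extension carrying `status_request` (RFC 7633), and OpenSSL's config syntax for it is `tlsfeature = status_request`. The script builds two constructed self-signed certificates, one with the extension (web-server style) and one without (mail-server style), then reports whether each is appropriate for a server that does not offer OCSP stapling. It assumes only that the `openssl` command-line tool is installed; the names, the `make_cert`/`has_must_staple`/`report` functions and the `.example` subjects are all the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): detect the TLS Feature extension with
# status_request ("must staple", RFC 7633) on a PEM certificate. A server that
# never offers OCSP stapling, such as Postfix, should not present such a cert.
# Assumes only the openssl CLI; both certificates below are constructed test data.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME [FEATURE]: write a self-signed certificate to $WORK/NAME.pem,
# adding "tlsfeature = FEATURE" (e.g. status_request) to its extensions if given.
make_cert() {
    name=$1
    feature=$2
    cfg="$WORK/$name.cnf"
    {
        echo "[req]"
        echo "prompt = no"
        echo "distinguished_name = dn"
        echo "x509_extensions = ext"
        echo "[dn]"
        echo "CN = $name.example"
        echo "[ext]"
        echo "basicConstraints = CA:FALSE"
        if [ -n "$feature" ]; then
            echo "tlsfeature = $feature"
        fi
    } > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.pem" 2>/dev/null
}

# has_must_staple CERT: exit 0 if CERT carries a TLS Feature extension that
# includes status_request (i.e. asks clients to require a stapled OCSP
# response), 1 otherwise. Parses the human-readable "openssl x509 -text" dump.
has_must_staple() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'TLS Feature' | grep -q 'status_request'
}

# report CERT ROLE: print whether CERT fits a server in ROLE, where ROLE is
# "stapling" (the server offers OCSP stapling) or "nostapling" (it does not).
report() {
    if has_must_staple "$1"; then
        if [ "$2" = "nostapling" ]; then
            echo "$1: must-staple set but this server does not staple; a client that enforces must-staple rejects the handshake"
        else
            echo "$1: must-staple set and stapling offered; fine"
        fi
    else
        echo "$1: no must-staple; clients fall back to their own revocation checks"
    fi
}

make_cert webcert status_request   # constructed: web-server style, must staple
make_cert mailcert                 # constructed: mail-server style, no must staple
MUST_STAPLE_CERT="$WORK/webcert.pem"
PLAIN_CERT="$WORK/mailcert.pem"

# Postfix does not staple, so evaluate both certificates in the "nostapling" role.
report "$MUST_STAPLE_CERT" nostapling
report "$PLAIN_CERT" nostapling
```

To audit a real installation, point `has_must_staple` at the file named by Postfix's `smtpd_tls_cert_file` (and any `smtp_tls_cert_file`); a hit there means the certificate should be reissued without the extension or a separate one used for mail, as suggested above. The same check on the web server's certificate confirms the extension is present where stapling is offered.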