On Thu, Oct 24, 2013 at 07:59:46AM +0200, Tobias Reckhard wrote:
> > Support for public key fingerprints was added in Postfix 2.9, ...
>
> This is stated at the beginning of the section dealing with
> fingerprints. Further down, where the actual openssl commands are noted,
> there is no such not
Viktor Dukhovni wrote the following on 23.10.2013 16:23:
> If your Postfix version is 2.9.0--2.9.5 DO NOT USE public key
> fingerprints, or upgrade to 2.9.6 or later.
That wasn't the problem, the documentation is quite clear in this
regard. I mistakenly used the public key instructions for a pre-2
On Wed, Oct 23, 2013 at 09:39:36AM +0200, Tobias Reckhard wrote:
> > with instructions on how to extract public key digests from X.509
> > certs also at:
> >
> > http://www.postfix.org/postconf.5.html#smtp_tls_fingerprint_digest
>
> Those instructions had me confused a bit, I think I now see
On Tue, Oct 22, 2013 at 10:58:46AM -0400, Wietse Venema wrote:
> > Fingerprinting the leaf certificate will work until the next time
> > they deploy a new leaf certificate without notifying you in advance.
> > This is because fingerprint security does not rely on a valid chain
> > of signatures fr
Viktor Dukhovni:
> On Tue, Oct 22, 2013 at 11:07:07AM +0200, Tobias Reckhard wrote:
>
> > Maybe fingerprinting would work, though. I'll give it a shot on a test
> > system. Thanks for the suggestion.
>
> Fingerprinting the leaf certificate will work until the next time
> they deploy a new leaf ce
On Tue, Oct 22, 2013 at 11:01:22AM +0200, Tobias Reckhard wrote:
> > The most recent patch levels
> > of Postfix 2.7, 2.8, 2.9 and 2.10 have support for SHA256 turned for
> > SSL/TLS.
>
> postfix 2.8.5 is available as a backport for Ubuntu 10.04 LTS. I've
> suggested upgrading to that, since it
On Tue, Oct 22, 2013 at 11:07:07AM +0200, Tobias Reckhard wrote:
> Maybe fingerprinting would work, though. I'll give it a shot on a test
> system. Thanks for the suggestion.
Fingerprinting the leaf certificate will work until the next time
they deploy a new leaf certificate without notifying you
Viktor Dukhovni wrote the following on 21.10.2013 17:21:
> On Mon, Oct 21, 2013 at 10:07:13AM -0500, Noel Jones wrote:
>> Looks as if they use a private root CA. Probably the easiest fix is
>> to use "fingerprint" verification. See:
>> http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps
>
Viktor Dukhovni wrote the following on 21.10.2013 17:30:
> This organization uses SHA256 signatures for their certificates, even
> though these are not widely supported.
Ah, OK, thanks for the explanation.
> The most recent patch levels
> of Postfix 2.7, 2.8, 2.9 and 2.10 have support for SHA256
On Mon, Oct 21, 2013 at 03:30:46PM +, Viktor Dukhovni wrote:
> On Mon, Oct 21, 2013 at 02:55:22PM +0200, Tobias Reckhard wrote:
>
> > Oct 21 08:43:58 postfix/smtp[5991]: CA certificate
> > verification failed for mx10.unicredit.eu[62.122.80.93]:25:
> > num=7:certificate signature failure
>
On Mon, Oct 21, 2013 at 10:07:13AM -0500, Noel Jones wrote:
> > Oct 21 08:43:58 postfix/smtp[5991]: CA certificate
> > verification failed for mx10.unicredit.eu[62.122.80.93]:25:
> > num=7:certificate signature failure
>
> Looks as if they use a private root CA. Probably the easiest fix is
> to
On Mon, Oct 21, 2013 at 02:55:22PM +0200, Tobias Reckhard wrote:
> Oct 21 08:43:58 postfix/smtp[5991]: CA certificate
> verification failed for mx10.unicredit.eu[62.122.80.93]:25:
> num=7:certificate signature failure
This organization uses SHA256 signatures for their certificates, even
though t
On 10/21/2013 7:55 AM, Tobias Reckhard wrote:
> Hello
>
> In configuring a postfix 2.7.0 (on Ubuntu 10.04 LTS) for mandatory TLS
> to a couple of domains, I'm running into the following oddity when
> sending e-mail to the UniCredit servers:
>
> Oct 21 08:43:58 postfix/smtp[5991]: CA certificate
On Tue, Dec 20, 2011 at 10:24:04AM +0100, lst_ho...@kwsoft.de wrote:
> As far as I understand you have to list the complete chain but only
> your sub-CA to get it working.
This is not the case:
http://www.postfix.org/TLS_README.html#server_access
Allow the remote SMTP client request
On 20.12.2011 14:30, lst_ho...@kwsoft.de wrote:
Hi,
Any idea how to allow all certificates issued by specific Sub-CAs,
without trusting everyone?
>>>
>>> As far as I understand you have to list the complete chain but only your
>>> sub-CA to get it working. So create a smtpd_tls_CAfile
Quoting Bernhard Schmidt :
On 20.12.2011 10:24, lst_ho...@kwsoft.de wrote:
Hello,
Any idea how to allow all certificates issued by specific Sub-CAs,
without trusting everyone?
As far as I understand you have to list the complete chain but only your
sub-CA to get it working. So create a
On 20.12.2011 10:24, lst_ho...@kwsoft.de wrote:
Hello,
>> Any idea how to allow all certificates issued by specific Sub-CAs,
>> without trusting everyone?
>
> As far as I understand you have to list the complete chain but only your
> sub-CA to get it working. So create a smtpd_tls_CAfile with
Quoting Bernhard Schmidt :
Hi,
I'm having an issue I can't quite understand at the moment.
We are part of a larger PKI infrastructure run by the German NREN,
which is in the end rooted at the Deutsche Telekom.
- Deutsche Telekom Root CA 2
- DFN-Verein PCA Global - G01
- LRZ-CA - G0
On 11-Jan-2010, at 09:27, Dennis Putnam wrote:
> I am quite familiar with the arguments but again it is not my choice. If you
> want, I can give you the number of our corporate lawyers and you can try to
> convince them. Perhaps you will have better luck than me. :-)
I will be happy to email th
On Mon, Jan 11, 2010 at 11:36:42AM -0600, Noel Jones wrote:
> According to the example in
> http://www.postfix.org/TLS_README.html#client_tls_policy
> the policy table should contain
>
> somedomain.tld encrypt
>
> To include subdomains of somedomain.tld also include
>
> .somedomain.tld
On 1/11/2010 11:16 AM, Dennis Putnam wrote:
Hi Noel,
Thanks. I think you pointed me in the right direction. Am I correct that
the per_site table is different under 2.5.5 than pre 2.3? I had trouble
getting that to work on the old server so I didn't change it for the
migration. What I have is:
.
Hi Noel,
Thanks. I think you pointed me in the right direction. Am I correct that the
per_site table is different under 2.5.5 than pre 2.3? I had trouble getting
that to work on the old server so I didn't change it for the migration. What I
have is:
.somedomain.com MUST
I think it now can be
On 1/11/2010 10:38 AM, Dennis Putnam wrote:
Upon further investigation, apparently mail is not moving. There seems
to be 2 domains associated with this site but I was only asked to
enforce TLS on one of them. That is why it appeared to be working.
Getting back to Chris' comments, I think setting
On Mon, Jan 11, 2010 at 11:53:35AM -0500, Noah Sheppard wrote:
[attribution to Chris is missing]
> > >> On Mon, 2010-01-11 at 11:04 -0500, Dennis Putnam wrote:
> > >>> I want to enforce TLS but I don't care what certificate the
> > >>> receiver uses. Thanks.
> > >> Apart from the fact that enforci
> >> On Mon, 2010-01-11 at 11:04 -0500, Dennis Putnam wrote:
> >>> I want to enforce TLS but I don't care what certificate the receiver
> >>> uses. Thanks.
> >> Apart from the fact that enforcing TLS with SMTP is usually a bad idea,
> >> [..]
Why is TLS w/ SMTP a bad idea?
--
Noah Sheppard
Assis
Upon further investigation, apparently mail is not moving. There seems to be 2
domains associated with this site but I was only asked to enforce TLS on one of
them. That is why it appeared to be working. Getting back to Chris' comments, I
think setting the security level to 'encrypt' forces ever
Hi Chris,
Thanks for the reply. Please see embedded comments.
On Jan 11, 2010, at 11:11 AM, Christoph Anton Mitterer wrote:
> On Mon, 2010-01-11 at 11:04 -0500, Dennis Putnam wrote:
>> I want to enforce TLS but I don't care what certificate the receiver
>> uses. Thanks.
> Apart from the fact tha
On Mon, 2010-01-11 at 11:04 -0500, Dennis Putnam wrote:
> I want to enforce TLS but I don't care what certificate the receiver
> uses. Thanks.
Apart from the fact that enforcing TLS with SMTP is usually a bad idea,
setting the
smtp_tls_security_level = encrypt
should usually do what you mean, enfor
On Fri, 6 Feb 2009 12:15:26 -0500, Victor Duchovni
wrote:
> On Fri, Feb 06, 2009 at 07:13:17PM +0200, Tolga wrote:
>
>> > Who can't use the certificate?
>>
>> I, when I try with Thunderbird from another location.
>
> Well, it is Thunderbird that needs to extend its list of trusted
> CAs not Po
Victor Duchovni wrote:
On Fri, Feb 06, 2009 at 07:13:17PM +0200, Tolga wrote:
Who can't use the certificate?
I, when I try with Thunderbird from another location.
Well, it is Thunderbird that needs to extend its list of trusted
CAs not Postfix. No amount of tweaking the Pos
On Fri, Feb 06, 2009 at 07:13:17PM +0200, Tolga wrote:
> > Who can't use the certificate?
>
> I, when I try with Thunderbird from another location.
Well, it is Thunderbird that needs to extend its list of trusted
CAs not Postfix. No amount of tweaking the Postfix server will
make Thunderbird tru
Forgot to CC it.
Original Message
Subject: Re: TLS certificate
Date: Fri, 06 Feb 2009 19:11:43 +0200
From: Tolga
To: Patrick Ben Koetter
On Fri, 6 Feb 2009 15:58:29 +0100, Patrick Ben Koetter
wrote:
> * Tolga :
>>> Here's your error: "unab
On Fri, Feb 06, 2009 at 11:28:17AM +0100, Patrick Ben Koetter wrote:
> Here's your error: "unable to verify the first certificate". Did you add your
> CA certificate to your CA certificate store ca-bundles.crt (in your case)?
In what sense is that an "error"? He's got a private-label CA cert, why
* Tolga :
>> Here's your error: "unable to verify the first certificate". Did you add your
>> CA certificate to your CA certificate store ca-bundles.crt (in your case)?
>>
>> p...@rick
>>
> I just did that, restarted postfix, and when I did an openssl s_client
> -starttls smtp -CAfile /etc/ssl
Patrick Ben Koetter wrote:
* Tolga :
Please show evidence of such a session.
to...@ozses:~$ openssl s_client -starttls smtp -CApath /etc/ssl/private
-connect localhost:25
CONNECTED(0003)
depth=0
/C=TR/ST=Marmara/L=Istanbul/O=ozses.net/OU=ozses.net/CN=mail.ozses.net/emailaddre
* Tolga :
> > Please show evidence of such a session.
>
> to...@ozses:~$ openssl s_client -starttls smtp -CApath /etc/ssl/private
> -connect localhost:25
> CONNECTED(0003)
> depth=0
> /C=TR/ST=Marmara/L=Istanbul/O=ozses.net/OU=ozses.net/CN=mail.ozses.net/emailaddress=to...@ozses.net
> verify
On Thu, Feb 05, 2009 at 07:43:38PM +0100, Patrick Ben Koetter wrote:
> * Tolga :
> > On Thu, Feb 05, 2009 at 04:25:50PM +0100, Patrick Ben Koetter wrote:
> > > * Tolga :
> > > > I am reading The Book of Postfix, I applied the steps CA.pl -newca,
> > > > openssl
> > > > req -new -nodes -keyout priv
On Thu, Feb 05, 2009 at 07:43:38PM +0100, Patrick Ben Koetter wrote:
> * Tolga :
> > On Thu, Feb 05, 2009 at 04:25:50PM +0100, Patrick Ben Koetter wrote:
> > > * Tolga :
> > > > I am reading The Book of Postfix, I applied the steps CA.pl -newca,
> > > > openssl
> > > > req -new -nodes -keyout priv
* Tolga :
> On Thu, Feb 05, 2009 at 04:25:50PM +0100, Patrick Ben Koetter wrote:
> > * Tolga :
> > > I am reading The Book of Postfix, I applied the steps CA.pl -newca,
> > > openssl
> > > req -new -nodes -keyout privatekey.pem -out privatekey.pem -days 1825 and
> > > openssl ca -policy policy_any
On Thu, Feb 05, 2009 at 04:25:50PM +0100, Patrick Ben Koetter wrote:
> * Tolga :
> > I am reading The Book of Postfix, I applied the steps CA.pl -newca, openssl
> > req -new -nodes -keyout privatekey.pem -out privatekey.pem -days 1825 and
> > openssl ca -policy policy_anything -out publiccert.pem -
* Tolga :
> I am reading The Book of Postfix, I applied the steps CA.pl -newca, openssl
> req -new -nodes -keyout privatekey.pem -out privatekey.pem -days 1825 and
> openssl ca -policy policy_anything -out publiccert.pem -infiles
> privatekey.pem , copied the key and cert under /etc/ssl/private and