> Are there any security benefits to creating this smart host as a separate
> SMTP server? Are there any "best practices" for this kind of situation?
>
It depends on your network structure and how much you trust your new
clients.
If your client resides directly on your local network (eithe

On Tue, Mar 06, 2012 at 06:19:59PM +0100, Robert Dahlem wrote:
> Default strategy for "verify": ask DNS about MX, then check if the
> server's CN matches. Check if the trust chain is valid.
Yes, though there is no promise of whether the name or the trust
chain is checked first. Both need to be acc

On 06.03.2012 16:57, Viktor Dukhovni wrote:
>> It's just that its CN does not match the server name, but that
>> should be ok when using "verify" (and not when using "secure").
> Considering that Postfix documentation does not say this, and
> clearly states the opposite, you're just overloading y

On Tue, Mar 06, 2012 at 11:52:54AM +0100, Robert Dahlem wrote:
> /etc/postfix/transport:
> test1.prv smtp:[s2.mydomain.de]
> /etc/postfix/tls_policy:
> [s2.mydomain.de] verify
> ==
> s2.mydomain.de[192.168.1.1]:25: Trus

On 05.03.2012 19:39, Wietse Venema wrote:
>> 366AE26E2B: to=, relay=s2.mydomain.de[192.168.1.1]:25,
>> ..., dsn=4.7.5, status=deferred (Server certificate not verified)
>> ==
>>
>> So my understanding of the difference between "verify

On Mon, Mar 05, 2012 at 07:26:18PM +0100, Robert Dahlem wrote:
> I'm on Postfix 2.5.6 and implementing TLS. I'm having difficulty
> understanding the difference between "verify" and "secure".
These are documented in TLS_README.html
http://www.postfix.org/TLS_README.html#client_tls_veri

Robert Dahlem:
> 366AE26E2B: to=, relay=s2.mydomain.de[192.168.1.1]:25,
> ..., dsn=4.7.5, status=deferred (Server certificate not verified)
> ==
>
> So my understanding of the difference between "verify" and "secure"
> seems to be wro