Re: submission by cert verification only

2013-10-09 Thread Dan Langille
On Oct 9, 2013, at 9:26 PM, Viktor Dukhovni wrote:
> On Wed, Oct 09, 2013 at 09:21:36PM -0400, Dan Langille wrote:
>
>>> Don't forget:
>>>
>>> main.cf:
>>> smtpd_tls_fingerprint_digest = sha1
>>
>>
>> Does that have to be in main.cf? I added it to master.cf.
>
> Generally, keeping sett

Re: submission by cert verification only

2013-10-09 Thread Viktor Dukhovni
On Wed, Oct 09, 2013 at 09:21:36PM -0400, Dan Langille wrote:
> > Don't forget:
> >
> > main.cf:
> > smtpd_tls_fingerprint_digest = sha1
>
>
> Does that have to be in main.cf? I added it to master.cf.

Generally, keeping settings in main.cf is better. Use master.cf only when settings n

Re: submission by cert verification only

2013-10-09 Thread Dan Langille
On Oct 7, 2013, at 11:01 AM, Viktor Dukhovni wrote:
> On Mon, Oct 07, 2013 at 09:06:09AM -0400, Dan Langille wrote:
>
>>> # cat /usr/local/etc/postfix-config/main/relay_clientcerts
>>> 3A:2E:AB:6A:F1:D4:32:74:C9:C6:DD:2B:8D:2A:87:97 cliff.example.org
>>>
>>> This looks like md5, and while still

Re: submission by cert verification only

2013-10-07 Thread Viktor Dukhovni
On Mon, Oct 07, 2013 at 09:06:09AM -0400, Dan Langille wrote:
> ># cat /usr/local/etc/postfix-config/main/relay_clientcerts
> >3A:2E:AB:6A:F1:D4:32:74:C9:C6:DD:2B:8D:2A:87:97 cliff.example.org
> >
> >This looks like md5, and while still largely resistant to 2nd
> >preimage attacks, you should stil

Re: submission by cert verification only

2013-10-07 Thread Dan Langille
On 2013-10-06 23:13, Viktor Dukhovni wrote: On Sun, Oct 06, 2013 at 08:52:06PM -0400, Dan Langille wrote: [ What Noel said, plus see below. ] 10.0.0.1:submission inet n - n - - smtpd -o smtpd_tls_req_ccert=yes Fine. -o smtpd_tls_auth_only=no This seems silly. S

Re: submission by cert verification only

2013-10-07 Thread Dan Langille
On 2013-10-06 22:40, Noel Jones wrote: On 10/6/2013 7:52 PM, Dan Langille wrote: I managed to get this running tonight and I'm looking for sanity checking, in case I'm completely missing something. Thanks. I wish to allow incoming mail from any client with a valid certificate. My master.cf i

Re: submission by cert verification only

2013-10-06 Thread Viktor Dukhovni
On Sun, Oct 06, 2013 at 08:52:06PM -0400, Dan Langille wrote:

[ What Noel said, plus see below. ]

> 10.0.0.1:submission inet n - n - - smtpd
> -o smtpd_tls_req_ccert=yes

Fine.

> -o smtpd_tls_auth_only=no

This seems silly. Since authentication gets them nowher

Re: submission by cert verification only

2013-10-06 Thread Noel Jones
On 10/6/2013 7:52 PM, Dan Langille wrote:
> I managed to get this running tonight and I'm looking for sanity checking, in
> case I'm completely missing something. Thanks.
>
> I wish to allow incoming mail from any client with a valid certificate. My
> master.cf is:
>
> 10.0.0.1:submission ine