Re: requiring TLS on a pool of servers

2013-10-18 Thread Dan Langille
On 2013-10-15 09:48, Dan Langille wrote: On 2013-10-14 20:10, Viktor Dukhovni wrote: On Mon, Oct 14, 2013 at 08:12:01AM -0400, Dan Langille wrote: The master.cf has something like this: 64.147.113.42:5587 inet n - n - - smtpd -o smtp_tls_security_level=encrypt The

Re: requiring TLS on a pool of servers

2013-10-16 Thread Viktor Dukhovni
On Wed, Oct 16, 2013 at 07:52:42PM +0200, Marko Weber | ZBF wrote: > > Accept incoming mail only if these certs are presented: > > > > # cat /usr/local/etc/postfix-config/relay_clientcerts > > 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44 a.example.org > > 11:22:33:44:55:66:77:88:99:

Re: requiring TLS on a pool of servers

2013-10-16 Thread Marko Weber | ZBF
Hello, On 2013-10-14 14:12, Dan Langille wrote: I have a group of Postfix servers. I want communications between these servers to be TLS and clients must present a known certificate. These servers are also public-facing and accept incoming mail from servers not under my control. I just start

Re: requiring TLS on a pool of servers

2013-10-15 Thread Dan Langille
On 2013-10-14 20:10, Viktor Dukhovni wrote: On Mon, Oct 14, 2013 at 08:12:01AM -0400, Dan Langille wrote: The master.cf has something like this: 64.147.113.42:5587 inet n - n - - smtpd -o smtp_tls_security_level=encrypt The above setting is pointless, drop it. A

Re: requiring TLS on a pool of servers

2013-10-14 Thread Viktor Dukhovni
On Mon, Oct 14, 2013 at 08:12:01AM -0400, Dan Langille wrote: > The master.cf has something like this: > > 64.147.113.42:5587 inet n - n - - smtpd > -o smtp_tls_security_level=encrypt The above setting is pointless, drop it. > -o smtpd_tls_CAfile=/usr/local/etc

requiring TLS on a pool of servers

2013-10-14 Thread Dan Langille
I have a group of Postfix servers. I want communications between these servers to be TLS and clients must present a known certificate. These servers are also public-facing and accept incoming mail from servers not under my control. I just started setting this up and it seems to be working as