does 'permit_tls_clientcerts' work with self-signed certificates?

2022-10-04 Thread Michael
hey, i am trying to set up a postfix 3.5.13 server as a destination for multiple null-clients, but am failing with verifying the client's self-signed client certificate. are self-signed certificates prohibited from this kind of verification? TLS_README doesn't help me with this issue. greeti

Re: does 'permit_tls_clientcerts' work with self-signed certificates?

2022-10-04 Thread Bill Cole
On 2022-10-04 at 12:00:55 UTC-0400 (Tue, 04 Oct 2022 18:00:55 +0200) Michael is rumored to have said: hey, i am trying to set up a postfix 3.5.13 server as a destination for multiple null-clients, but am failing with verifying the client's self-signed client certificate. are self-signed ce

Re: does 'permit_tls_clientcerts' work with self-signed certificates?

2022-10-04 Thread Viktor Dukhovni
On Tue, Oct 04, 2022 at 06:00:55PM +0200, Michael wrote: > I am trying to set up a postfix 3.5.13 server as a destination for > multiple null-clients, but am failing with verifying the client's > self-signed client certificate. Are self-signed certificates > prohibited from this kind of verificat

Re: does 'permit_tls_clientcerts' work with self-signed certificates?

2022-10-04 Thread Viktor Dukhovni
On Tue, Oct 04, 2022 at 12:27:25PM -0400, Bill Cole wrote: > > are self-signed certificates prohibited from this kind of > > verification? > > Yes, definitionally. "Verification" means auditing the trust chain to > reach a trusted root certificate. Unless you add the self-signed cert to > your

Re: does 'permit_tls_clientcerts' work with self-signed certificates?

2022-10-04 Thread Wietse Venema
Viktor Dukhovni: > > compatibility_level = 3.5 > > The major.minor syntax was introduced with Postfix 3.6, for Postfix 3.5 > use "3". To make forward and reverse migrations easier, the new compatibility_level syntax has been backported in postfix-3.5.11, postfix-3.4.21 and postfix-3.3.18. Distri

compat_level syntax backport (Thanks)

2022-10-04 Thread Viktor Dukhovni
On Tue, Oct 04, 2022 at 02:36:14PM -0400, Wietse Venema wrote: > Viktor Dukhovni: > > > compatibility_level = 3.5 > > > > The major.minor syntax was introduced with Postfix 3.6, for Postfix 3.5 > > use "3". > > To make forward and reverse migrations easier, the new compatibility_level > syntax ha

Re: no shared cipher revisited

2022-10-04 Thread Nick Tait
On 2/10/2022 10:51 pm, Matus UHLAR - fantomas wrote: yes, Let's Encrypt clients generate 4096 keys by default, which is silly because intermediate R3 certificate is only 2048-bit. I configure let's encrypt clients to create 2048 keys. AFAICT Certbot still uses 2048-bit keys by default. Nick

Re: no shared cipher revisited

2022-10-04 Thread Steffen Nurpmeso
Nick Tait wrote in : |On 2/10/2022 10:51 pm, Matus UHLAR - fantomas wrote: |> yes, Let's Encrypt clients generate 4096 keys by default, which is |> silly because intermediate R3 certificate is only 2048-bit. |> |> I configure let's encrypt clients to create 2048 keys. | |AFAICT Certbot st