On 11/5/21 21:49, Viktor Dukhovni wrote:
Therefore, I would like to see reports of what you find:
[..]
* With AppArmor on or off
[..]
If auditd is installed and running, AppArmor logs to audit logs.
So examining these logs might help to check whether AppArmor is blocking
something:
grep
On 1/2/22 17:16, Wietse Venema wrote:
Ken Wright:
On Sat, 2022-01-01 at 18:50 -0500, Wietse Venema wrote:
Ken Wright:
I did a quick Google search, and ran sudo apparmor_status. There
don't appear to be any postfix-related programs listed.
Then that leaves the cron related profiles.
None o
On 3/30/22 18:04, Viktor Dukhovni wrote:
More likely systemd-journald has elected to not write the log entries to disk.
Consider a Linux distribution that does not use systemd, or a recent
version of Postfix that writes its own log files bypassing syslog.
Or simply set in /etc/systemd/journald
On 3/30/22 18:36, Viktor Dukhovni wrote:
On Wed, Mar 30, 2022 at 06:11:33PM +0200, Michael Ströder wrote:
Or simply set in /etc/systemd/journald.conf:
[Journal]
Storage=none
ForwardToSyslog=yes
That does not fully solve the problem, since IIRC rate limits and
performance limitations still
On 3/30/22 20:37, Viktor Dukhovni wrote:
On Wed, Mar 30, 2022 at 07:10:09PM +0200, Emmanuel Fusté wrote:
ForwardToSyslog and other similar journald options activate raw message
forwarding before any journald processing. This is pure socket to socket
forwarding without any processing.
Well, "wi
On 3/30/22 23:09, Nikolaos Milas wrote:
I am a bit confused (not surprisingly, as I am no expert).
Well, Linux distros change all the time...so we get confused all the time...
In my CentOS 7, in /usr/lib/systemd/system/systemd-journald.socket I see:
[Socket]
ListenStream=/run/systemd/journal/
On 4/23/22 20:14, Michael Grimm wrote:
1) Is smtputf8_enable=yes essential in email traffic as of today?
Good question. Is there any other MTA besides postfix supporting SMTPUTF8?
Ciao, Michael.
On 4/27/22 12:27, Jaroslaw Rafa wrote:
On 27.04.2022 at 17:47:06 AndrewHardy wrote:
I’m very interested in what options / solutions (if any) exist that allow
you to use a passwordless approach to authenticating your users against
imaps/pop3/smtps/submission services (tls encrypted of cou
On 4/27/22 14:37, Jahnke-Zumbusch, Dirk wrote:
I’m very interested in what options / solutions (if any) exist that allow
you to use a passwordless approach to authenticating your users against
imaps/pop3/smtps/submission services (tls encrypted of course)
one way to authenticate may be using Ke
On 4/27/22 17:28, lists wrote:
The TOTP built into Linux has a 30 second time limit but most
implementations approve the stale code making it effectively 60
seconds.
>
Hackers have either implemented [..] a man in the middle attack
intercepted the token.
An implementation taking the "one-time"
On 4/27/22 18:36, Viktor Dukhovni wrote:
On 27 Apr 2022, at 12:27 pm, Michael Ströder wrote:
one way to authenticate may be using Kerberos.
Not recommended for roaming users accessing submission service via public
Internet.
Suitability depends on the user base, ... my personal mail
On 4/27/22 18:39, Demi Marie Obenour wrote:
On 4/27/22 12:27, Michael Ströder wrote:
On 4/27/22 14:37, Jahnke-Zumbusch, Dirk wrote:
I’m very interested in what options / solutions (if any) exist that allow
you to use a passwordless approach to authenticating your users against
imaps/pop3/smtps
On 4/27/22 18:50, Antonio Leding wrote:
On 27 Apr 2022, at 9:45, Michael Ströder wrote:
> “On my personal to-do list is to implement a simple X.509-CA for issuing
> short-term client certs, with a CLI tool to directly manipulate
> Thunderbird and Firefox key/cert DB.”
As in you are
On 4/27/22 18:38, Demi Marie Obenour wrote:
On 4/27/22 07:58, Michael Ströder wrote:
Mozilla hunked out all features for PKI client cert enrollment from
Firefox and Thunderbird. So today it's easier to issue client certs to
Outlook users than to Thunderbird users. :-(
Please report a b
On 4/27/22 19:03, Viktor Dukhovni wrote:
On 27 Apr 2022, at 12:45 pm, Michael Ströder wrote:
But my concern is rather that I would not connect my KDC to the
Internet (for now leaving aside approaches like proxy KCM).
In general I'm leaning more towards using asymmetric keys for
a
On 4/27/22 20:01, Wietse Venema wrote:
Michael Stroeder:
Either way a compromised CA or a compromised KDC is bad news...
Yes!
And one of my biggest concerns is bad operational practices. That's why
admins should not have to manually deal with crypto key files like
service keytabs or TLS serve
On 4/27/22 21:30, Wietse Venema wrote:
Michael Stroeder:
So even if you cannot afford a HSM you can e.g. use ssh-agent via Unix
domain socket for your SSH-CA to avoid having to grant direct read
access to the SSH-CA's private key to your SSH-CA service. Simple
solutions, which you can isolate a
HI!
I've added DKIM signing with this config snippet:
# DKIM signing
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:/run/opendkim/opendkim.socket
non_smtpd_milters = unix:/run/opendkim/opendkim.socket
That's working fine for me in case of sending simple mails.
But I al
On 1/9/20 5:12 PM, kris_h wrote:
> We distribute the more dynamic tables - e.g. cidr-tables with self-harvested
> current spammer's IPs - actually by simply distributing those files with
> rsync.
> [..]
> I'm searching for pros/cons for:
postfix supports LDAP lookups out-of-the-box.
Is using LDAP
On 3/29/20 4:26 AM, Linda Pagillo wrote:
> Hi everyone. I hope all of you are staying healthy and safe. I want to
> set up Postfix as a backup MX for a few of my Windows-based mail
> servers. I have never done this before so I have been researching to see
> what I could find. So far, the most compl
On 7/29/20 9:53 AM, Bastian Blank wrote:
> However, please describe how you would implement the requirements of RFC
> 6125 section 6[2]? You can't use SRV records without support for useful
> server authentication.
Full ack.
That's something most people overlook / ignore when naively asking for
On 11/29/20 3:48 PM, Nikolai Lusan wrote:
> Traditionally SMTP systems forced everything to be lower case ... but
> then people like Microsoft started making MTAs that were case
> sensitive for the receiver part of the email address (at the time this
> was not RFC compliant behaviour).
IIRC the
HI!
Is it possible to compile postfix without support for tables based on
Berkeley's libdb statically linked in? Just like building lmdb support
into shared lib
/usr/lib/postfix/postfix-lmdb.so.
I read through README_FILES/DB_README but did not find advice similar to
that using AUXLIBS_LMDB (as d
On 12/10/20 6:55 PM, Wietse Venema wrote:
> Michael Ströder:
>> Is it possible to compile postfix without support for tables based on
>> Berkeley's libdb statically linked in? Just like building lmdb support
>> into shared lib
>> /usr/lib/postfix/postfix-lmdb.so.
>
> To enable/disable build option
On 2/5/21 8:03 PM, Viktor Dukhovni wrote:
> I am not 100% sure that all LDAP lookups would necessarily
> be using lookup keys with case-insensitive matching rules.
This is declared in matching rules of the attribute type description
found in the subschema.
> For example, maps that query accounts
On 2/8/21 2:28 PM, @lbutlr wrote:
> Use a tool like Webmin¹.
IIRC webmin has a long history of security issues.
> It is, in my opinion a very very bad idea,
I don't understand why you recommend something you consider a bad idea.
> For user management, including admin access to hosted
> domains,
HI!
Does anybody here have experience with current usage of SMTPUTF8?
I have a discussion whether that's already used in the wild or not.
Given that e.g. SUSE Linux builds of postfix are currently not linked to
libicu I assume that SMTPUTF8 is currently not widely used.
How about other platforms?
wie...@porcupine.org (Wietse Venema) wrote:
> Michael Ströder:
>> Does anybody here have experience with current usage of SMTPUTF8?
>> I have a discussion whether that's already used in the wild or not.
>>
>> Given that e.g. SUSE Linux builds of postfix are currently not linked to
>> libicu I assum
wie...@porcupine.org (Wietse Venema) wrote:
> Michael Ströder:
>> So I interpret your question it as an answer:
>> SMTPUTF8 is currently not widely used. ;-)
>
> 10 years ago, IPv6 implementation was driven by the concern that
> everyone was going to suffer from unavailable IP addresses.
>
> SMTP
HI!
Looking at [1] it's not clear to me whether it's possible to require MX RRs of
a recipient domain to be DNSSEC signed. Any other configuration option for that?
Ciao, Michael.
[1] http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps
Viktor Dukhovni wrote:
> On Thu, Sep 10, 2015 at 07:44:19PM +0200, Michael Ströder wrote:
>
>> Looking at [1] it's not clear to me whether it's possible to require MX RRs
>> of
>> a recipient domain to be DNSSEC signed. Any other configuration option for
>>
Viktor Dukhovni wrote:
> On Thu, Sep 10, 2015 at 08:39:38PM +0200, Michael Ströder wrote:
>
>> Maybe there should be some additional text for 'dane-only' in [1]?
>> I'm not sure about the correct wording though.
>
> I think it is fine as-is. The "dane
Viktor Dukhovni wrote:
> So, we've managed to hold off on offering SNI support for a decade
> since TLS was integrated into Postfix 2.2. I just wanted to see
> whether anyone still wanted it in Postfix, but perhaps if they
> really did they've moved on to other solutions.
SNI is a prerequisite fo
Sebastian Nielsen wrote:
> The certificate is normally validated against the MX name, not recipient
> domain.
Did you read the referenced I-D before replying?
https://tools.ietf.org/html/draft-friedl-uta-smtp-mta-certs-00#section-4.1.4.1
Ciao, Michael.
> "Michael Ströder"
n detail is not appropriate on this mailing list.
Still I can imagine that SNI support in postfix could be useful for implementing
special TLS usage policies even if it does not scale to millions of certs.
Ciao, Michael.
> -Original message- From: Michael Ströder
> Sent: Tu
Wietse Venema wrote:
> Wietse:
>> This session has multiple recipients, in different domains that
>> have the same MX host. Whose SNI [domain] shall be used?
>
> Michael Storz:
> [Examples that do not use SNI]
>
> Nice try, but that did not answer the question.
>
>> On the other side: if you do
Alice Wonder wrote:
> On 12/15/2015 07:40 AM, Michael Storz wrote:
>> Sorry for not writing it explicitly. In the case I described, you use
>> the domain of the recipient address, because this is the only
>> information you can trust (and this domain must be included in the SAN).
>> Since you have
s health-check would be customizable.
Example: When a fresh OpenLDAP replica during initialization is not fully
functional yet the contextCSN attribute in the root entry of the database is not
present. Would be nice to have LDAP map parameters to define a health-check for
that.
Ciao, Michael.
Kiss Gábor wrote:
>>> My colleagues need authenticated channel to submit mails when traveling.
>>> So disabling sasl is not an option.
>>
>> read again i just say disable it on port 25
>>
>> and convince users to use submission port 587, or 465 as users see fit
>
> Can you guarantee that hotel fir
Christian Rößner wrote:
> I use OpenLDAP with Postfix. Today I tried to make OpenLDAP more secure by
> requiring TLSv1.2. At this point Postfix stopped working.
I set TLSProtocolMin 3.3 (requires TLS 1.2) in my slapd.conf and ldap table of
postfix 2.11.7 still works (both running on openSUSE Facto
HI!
Can I define a special CA cert bundle in smtp_tls_policy_maps for a certain
recipient domain? Which keyword(s) to use?
For example I have a line like this in the map for recipient domain
'example.com':
example.com verify protocols=TLSv1 ciphers=high
Can I add to this line something like "C
li...@rhsoft.net wrote:
>
> On 25.10.2014 at 15:29, Michael Ströder wrote:
>> Can I define a special CA cert bundle in smtp_tls_policy_maps for a certain
>> recipient domain? Which keyword(s) to use?
>>
>> For example I have a line like this in the map for re
Wietse Venema wrote:
> Michael Ströder:
>> Quote from http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps
>>
>> "The lookup result is a security level, followed by an optional list of
>> whitespace and/or comma separated name=value attributes that override related
>> main.cf settings."
>>
>
Wietse Venema wrote:
> Michael Ströder:
>> Well, I have read the docs (see quote from postfix web site above). But the
>> statement in the docs is pretty broad/unprecise:
>>
>> "followed by an optional list of whitespace and/or comma separated name=value
>> attributes that override related main.cf
Viktor Dukhovni wrote:
> Note, when you "pin" the issuer if a domain's certificate chain
> you have the luxury of more time between updates, but eventually
> the site will obtain a certificate from some other CA or a new
> issuer key from the same CA.
Yupp. I'm aware of that. For those sites I'm
Peter wrote:
> It's pointless for MX hosts because they don't validate the certificate
> anyways.
Which has to be changed.
Ciao, Michael.
li...@rhsoft.net wrote:
> until now nobody was able to tell me any benefit of multiple server names for
> a mailserver instead 1 hostname, 1 certificate and 1 PTR matching the A-record
> and HELO name with 100, 200, 300, 500 MX records in different domains pointing
> there
https://tools.ietf.org/h
lst_ho...@kwsoft.de wrote
> Quoting Michael Ströder:
>
> > Peter wrote:
> >> It's pointless for MX hosts because they don't validate the certificate
> >> anyways.
> >
> > Which has to be changed.
>
> http://www.postfix.org/TLS_README.h
li...@rhsoft.net wrote:
>
> On 07.11.2014 at 09:36, Michael Ströder wrote:
>> li...@rhsoft.net wrote:
>>> until now nobody was able to tell me any benefit of multiple server names
>>> for
>>> a mailserver instead 1 hostname, 1 certificate and 1 PTR match
Viktor Dukhovni wrote:
> On Fri, Nov 07, 2014 at 09:36:12AM +0100, Michael Ströder wrote:
>
>> li...@rhsoft.net wrote:
>>> until now nobody was able to tell me any benefit of multiple server names
>>> for
>>> a mailserver instead 1 hostname, 1 certificate and 1 PTR matching the
>>> A-record
>>>
Viktor Dukhovni wrote:
> The rationale for the DANE work is in:
>
> http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-13#section-1.3
I've already read/analyzed all DANE related RFCs and almost all drafts in
detail. Also some IETF presentation slides.
As already mentioned on the IETF
li...@rhsoft.net wrote:
> On 07.11.2014 at 18:22, Michael Ströder wrote:
>> Viktor Dukhovni wrote:
>>> The rationale for the DANE work is in:
>>>
>>>
>>> http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-13#section-1.3
>>
>
li...@rhsoft.net wrote:
> On 07.11.2014 at 19:19, Michael Ströder wrote:
>> So ask yourself:
>> If everybody uses the same sort of crappy registration interfaces for their
>> DNS entries while simply auto-signing DNS zone entries. Is there a real
>> chance
>>
li...@rhsoft.net wrote:
> but LDAP is a very limited database missing things like joins, views and a lot
> of other things you can easily do with a SQL query
While you're right you don't recommend using joins for productive use, do you?
> - don't blame the messenger
> and just setup a wrapper fet
li...@rhsoft.net wrote:
> On 10.12.2014 at 20:17, Peter Volkov wrote:
>> We use smtplib in python to send mail through postfix. As I saw from
>> tcpdump smtplib does not set "Date:" field, so I suspect postfix does
>> that. Now, as I see postfix sets date as:
>> Date: Wed, 10 Dec 2014 05:40:50 -08
ghalvor...@hushmail.com wrote:
> A HOWTO that has been around for a few months is still nice, especially if
> the author maintains it so that the flaws and errors are corrected as
> people point them out. I am really surprised at how no one really adopts
> the crowd-source wiki approach. It seems
HI!
Are there any plans to support encrypted connections with tcp_table(5) maps?
Something like a stcp: map?
Of course I can use stunnel -c but it would be nice if it's possible without
another moving part.
Ciao, Michael.
wie...@porcupine.org (Wietse Venema) wrote:
> Viktor Dukhovni:
>> On Sat, Jan 10, 2015 at 08:22:17PM +0100, Michael Ströder wrote:
>>
>>> Are there any plans to support encrypted connections with tcp_table(5) maps?
>>> Something like a stcp: map?
>>>
>>> Of course I can use stunnel -c but it would
DTNX Postmaster wrote:
> OpenSSH is also an
> option, the latest release even supports Unix domain socket forwarding.
Uurrgs! I definitely don't want to give SSH access!
Yes, I could start another restricted sshd but that's too complex given that I
can very easily implement SSL/TLS support at th
James,
that sounds like you should write an I-D "DMARC considered harmful". ;-)
Ciao, Michael.
James B. Byrne wrote:
>
> On Sun, January 18, 2015 20:14, John wrote:
>> I am not sure about implementing DMARC on my servers.
>> However, is it worth adding a DMARC record to the DNS? What, if
>> any
wie...@porcupine.org (Wietse Venema) wrote:
> m...@ruggedinbox.com:
>> and the header is still there.
>
> By default, Postfix REMOVES Return-Path headers from email messages.
> The default setting is:
>
> message_drop_headers = bcc, content-length, resent-bcc, return-path
From http://www.pos
rogt3...@proinbox.com wrote:
> Perhaps you might want to hang out with a email crowd. Over the years,
> been on the exim list? Ever had the pleasure of dealing with
> [..snipped..]
IMO it's not fair to mention another person who cannot answer.
Please, everybody should calm down, step back for n
Viktor Dukhovni wrote:
> On Fri, Jan 30, 2015 at 05:27:59AM +, srach wrote:
>
1. Know for sure that the relay mail comes from the #1 server. An added
header can be made fake so I look for a better way that is not possible to
fake.
>>
>>> Restrict access to the non-default port
LuKreme wrote:
> I’d assume there would be something in the headers to indicate the message
> was encrypted. Probably some sort of milter running on your submission port
> would be able to check this?
I'd implement a milter or similar which looks at the Content-Type header.
Typically it looks lik
Erwan David wrote:
> On 16/02/2015 14:09, Michael Ströder wrote:
>> LuKreme wrote:
>>> I’d assume there would be something in the headers to indicate the message
>>> was encrypted. Probably some sort of milter running on your submission port
>>> would be ab
aleph2...@gmx.com wrote:
> Hehe. Yeah, *I'M* the problem. Hint: take a read through some of your
> posting history here. Look for patterns. Oops, I mean PATTERNS.
The pattern is that some people are able to read the very extensive postfix
docs, get their even complex setups running, and never
Sebastian Nielsen wrote:
> I would suggest using Ciphermail / Djigzo for this.
> But I think you are solving your problem in a very incorrect way. Since the
> hosting company do have access to the VM, they could easily listen on the memory
> before the mail is encrypted, just after it has been decryp
Viktor Dukhovni wrote:
> On Thu, Aug 06, 2015 at 09:13:53AM +0200, Sven Schwedas wrote:
>> Why medium and not high, while we're at it? What clients would have
>> problems with it?
>
> Because cleartext is not stronger than medium. If you make TLS
> impossible for peers that only support medium, t
Viktor Dukhovni wrote:
> On Thu, Aug 06, 2015 at 10:25:04AM +0200, Michael Ströder wrote:
>
>>> On Thu, Aug 06, 2015 at 09:13:53AM +0200, Sven Schwedas wrote:
Why medium and not high, while we're at it? What clients would have
problems with it?
>>>
>>> Because cleartext is not stronger t
Frederic Van Espen wrote:
> When receiving a mail we lookup in ldap where the mail needs to go.
> This works fine for a simple unsecured ldap connection, but when I try to
> enable
> start_tls I consistently receive this error when receiving a mail:
> warning: dict_ldap_set_tls_options: Unable to
Ron Wheeler wrote:
> The MX record has to point to an A or CNAME that maps to the actual machine
> where your main service (Postfix) runs.
IIRC the MX should not point to a CNAME as target host to make proper loop
detection work. Or am I wrong?
See https://tools.ietf.org/html/rfc5321#section-5.1:
Josh Good wrote:
> On 2017 Feb 11, 19:18, li...@lazygranch.com wrote:
>> So technically integrity is assured from server to server, but not between
>> clients
>> and server.
>
> That is correct. DKIM is for MTA-to-MTA integrity.
There are no widely used MUA implementations making use of DKIM but
Josh Good wrote:
> On 2017 Feb 12, 16:17, Michael Ströder wrote:
>> Josh Good wrote:
>>> On 2017 Feb 11, 19:18, li...@lazygranch.com wrote:
>>>> So technically integrity is assured from server to server, but not between
>>>> clients
>>>> and s
Wietse Venema wrote:
> Last month it was 20 years ago that I started writing Postfix code.
Wietse,
don't remember the exact date but probably a couple of months after your first release
I've migrated a company's mail servers to postfix. postfix was chosen after reading some
of your comments som
Paolo Barbato wrote:
> postmap: warning: dict_ldap_lookup:
> /opt/trend/imss/OpenLDAP/etc/openldap/myBad.cf:
> Search base 'dc=cgprouter' not found: 32: No such object
As Brett already said: Most likely this configuration line is wrong:
ldaprfx_search_base = dc=cgprouter
Make sure to put the ri
john wrote:
> 1. block all email with attachments - a little too drastic for some as there
> are legit
> reasons for attachments.
> block all email that is in any format that can hide executable code.
IMO this won't work.
> 2. rename attachments so that they will not/cannot be executed/
Joshua Bonneville wrote:
> I am attempting to build a postfix mta server to act as a mail router based
> on ldap
> queries to route users to one of two mail environments we have that are on
> the same
> domain, but different providers. I have been unsuccessful in finding a proper
> way of
> sett
Marat Khalili wrote:
> On 15/08/17 15:55, Tom Browder wrote:
>> (2) use TLS client certs for the authentication of the relay clients, and
>
> I see problem with this part. Nothing in docs says postfix uses or at least
> properly
> traces and logs client CNs from presented certificates. Therefore
Tom Browder wrote:
> On Tue, Aug 15, 2017 at 10:48 Marat Khalili wrote:
>
>> I think your thanks should certainly go to Michael!
>
> You are correct!
>
> Many thanks, Michael! I hope to use that TLS capability soon.
You're welcome.
But credits go to Wietse, Viktor, Lutz, et al who have implem
martin f krafft wrote:
thus spoke Viktor Dukhovni [2017-09-18 00:31 +0200]:
So your central system generates the keys, and obtains the LE
certificates on behalf of the far-flung hosts? And then pushes
these keys to the hosts over an SSH tunnel?
Is that only for the initial key issuance? An
martin f krafft wrote:
In fact, there are three options right now:
a/ collect and deploy the fingerprints, as you say
b/ use a self-signed certificate with life-time 99 years just for
this purpose
c/ use public key fingerprints instead of the cert fingerprints
I think (a) is really j
On 2/14/19 6:30 PM, Jan P. Kessler wrote:
>>> Does anyone have any suggestions for a tool for filtering out click
>>> trackers from links in email bodies and rewriting the links without
>>> the click tracking?
>> Anything that does this will also break DKIM, if the email has it
>> (which many do).
HI!
Could someone please have a look at this RPM patch:
https://build.opensuse.org/package/view_file/server:mail/postfix/postfix-ssl-release-buffers.patch?expand=1
I'm currently trying to update the RPM to 3.4.4 and I'd like to know
whether the above makes sense or whether it might even cause is
On 4/12/19 5:11 AM, luckydog xf wrote:
As listed http://ftp.uma.es/mirror/postfix/doc/LDAP_README.html and
mentioned an objectclass
objectclass: ldapgroup
-
Which Schema contains this objectclass? It's pretty hard to google it,
all are related with basic knowledge of LDAP if I use k
On 4/18/19 9:45 PM, Viktor Dukhovni wrote:
On Apr 18, 2019, at 12:01 PM, Wietse Venema wrote:
Eventually there will be a postfix--nonprod release that combines
all the code (jay) and none of the guarantees (bleh).
I am not convinced that stuffing arbitrary PKI identities into a
SASL identi
On 4/19/19 7:10 PM, Wietse Venema wrote:
Michael Ströder:
On 4/18/19 9:45 PM, Viktor Dukhovni wrote:
On Apr 18, 2019, at 12:01 PM, Wietse Venema wrote:
Eventually there will be a postfix--nonprod release that combines
all the code (jay) and none of the guarantees (bleh).
I am not convinc
On 4/20/19 1:09 AM, Viktor Dukhovni wrote:
On Apr 19, 2019, at 6:42 PM, Michael Ströder wrote:
If a cert's key gets compromised (e.g. laptop lost/stolen) I expect
the user's cert to be revoked and a new cert to be issued for the
*same* subject name. How to deal with that without