Michelle Konzack writes:

> Hello Sam Varshavchik,
> 
> On 2011-05-01 15:37:54, you hacked down the following:
> > You have a /SECURITY entry in esmtproutes for this host.
> 
> Thanks, already seen,
> 
> > This is a
> > Courier-specific feature that requires the destination mail server
> > to present a certificate that's signed by a separate certificate
> > authority. It's used, essentially, to set up a VPN-like SMTP channel
> > over the Internet. See INSTALL.
> 
> Does it not accept self-signed certificates?

No. You need to create your own certificate authority, and sign the certificate using your certificate authority. In courierd, put your certificate authority's signing cert in the TLS_TRUSTSECURITYCERTS.

When a hostname has /SECURITY=STARTTLS set in esmtproutes, that host must present a certificate that's signed by the authority given in TLS_TRUSTSECURITYCERTS which overrides, for that connection, the global TLS_TRUSTCERTS.

Your global TLS_TRUSTCERTS can still point to your distribution's default list of globally trusted certificate authorities, to validate certificates signed by global authorities on the public Internet, and remains in effect for normal SMTP connections.

/SECURITY=STARTTLS creates a different set of trusted authorities that you install and configure for your own private SMTP VPN. You use it to set up a secure SMTP link to another host on the Internet, using your own certificate authority, so even if someone compromises the connection on the network level, as long as your certificate authority isn't compromised, they won't be able to present a certificate that will be accepted by Courier for the SMTP connection to the destination host.

Note that in the default configuration Courier does not validate regular TLS certificates, since self-signed SMTP certificates are common on the public Internet. You do not need /SECURITY=STARTTLS for your garden variety TLS-enabled server. /SECURITY=STARTTLS goes beyond that, and requires that the certificate be signed by your own certificate authority.

Attachment: pgpB7yC6IV33i.pgp
Description: PGP signature
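The procedure described in the reply above, worked through as an added example (this is not Courier's own code and was not part of the original thread): create a private CA, sign the destination host's certificate with it rather than self-signing, write the sender-side esmtproutes entry and the TLS_TRUSTSECURITYCERTS setting, and then check with openssl which certificates chain to that CA. The host name mail.example.org, the scratch directory, all file names and the exact esmtproutes field layout are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Courier's own code): build the private CA that
# /SECURITY=STARTTLS relies on, sign the destination host's certificate
# with it, and show what the sending side must configure.
# Assumptions: the host name mail.example.org, the scratch directory, all
# file names, and the exact esmtproutes field layout are illustrative;
# check INSTALL for your Courier version.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-mail.example.org}"

# 1. Private CA: a key and a self-signed root certificate. Only ca.pem is
#    distributed; ca.key stays offline, since anyone holding it can mint a
#    certificate that Courier will accept for this route.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Private SMTP CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# 2. Destination host: key and CSR, signed by the private CA (not self-signed).
make_host_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
        -keyout "$WORK/$HOST.key" -out "$WORK/$HOST.csr" 2>/dev/null
    openssl x509 -req -days 825 -in "$WORK/$HOST.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/$HOST.pem" 2>/dev/null
}

# 3. For contrast: a self-signed certificate with the same CN, which is
#    what the question in the thread asks about.
make_selfsigned_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$HOST" \
        -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.pem" 2>/dev/null
}

# 4. Sending side: the route entry and the courierd setting. The field
#    layout of esmtproutes (domain, relay, options) is assumed here.
write_sender_config() {
    printf '%s\t%s,25\t/SECURITY=STARTTLS\n' "$HOST" "$HOST" > "$WORK/esmtproutes"
    printf 'TLS_TRUSTSECURITYCERTS=%s\n' "$WORK/ca.pem" > "$WORK/courierd.fragment"
}

# 5. Approximate the /SECURITY=STARTTLS acceptance rule with openssl: the
#    peer certificate must chain to the private CA (TLS_TRUSTCERTS and any
#    public CA are irrelevant here) and name the expected host.
#    Prints "accepted" or "rejected".
check_peer_cert() {
    if openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$HOST" "$1" \
        >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

make_ca
make_host_cert
make_selfsigned_cert
write_sender_config
echo "CA-signed cert:   $(check_peer_cert "$WORK/$HOST.pem")"
echo "self-signed cert: $(check_peer_cert "$WORK/selfsigned.pem")"
echo "sender config written under $WORK"
```

The self-signed certificate is rejected because its issuer is itself rather than the private CA, which is the answer to the question above; a certificate signed by a public CA in TLS_TRUSTCERTS would be rejected on this route for the same reason. The openssl verify call only approximates Courier's check: consult INSTALL for how TLS_TRUSTSECURITYCERTS must be laid out on your version (a single PEM file or a hashed directory) and how Courier matches the peer's name, and keep ca.key off the mail hosts entirely.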

_______________________________________________
courier-users mailing list
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
