Alessandro Vesely writes:
> On 04/Nov/11 01:48, Sam Varshavchik wrote:
>> Alessandro Vesely writes:
>>
>>> An intermediate approach could be to have a "starttls-something"
>>> database anyway, where each host's entry contains the state of
>>> the last handshake, any of "known CA", "auto-trusted" with
>>> fingerprint and dates, or "broken", with suitable rules for state
>>> changes
>>
>> Well, Courier does have something similar, an optional way to force
>> all mail to a known domain to use TLS, and use a certificate with a
>> verified signature.
>
> I assume you mean the SECURITY extension. I didn't try it, but it seems to be a per-message option that can be routinely enabled for selected domains. Thus, the server works for both the walled garden and the Internet at large. And it bounces messages that are destined within the walled garden if the target host's certificate isn't trusted. Does that keep track of hosts' certificates?
It doesn't. You only need to install your own CA root. Mail servers to selected domains must provide a certificate that's signed by the CA root.
> It doesn't seem to automatically move hosts in/out of the walled garden, does it?

No, you need to manually keep track of which domains are walled up.

This is mainly to let you move your own mail across the Internet in a fairly secure manner. As long as your host is not compromised, the destination domain must not only support STARTTLS, but must also have a certificate signed by your CA root.
You can add and subtract domains by name, to the list of domains. You don't need to distribute each domain's cert around, just install the CA root, once.