On 20/01/14 17:35, Viktor Dukhovni wrote:
> In Postfix we recommend the following:
>
>   - Don't request client certificates on the default SMTP port.

Why? Requesting client certs is not a bad idea... my troubles aside.

>   - Configure a short SMTP server CAfile (possibly empty), at least with
>     OpenSSL, only the CAfile authority subject DNs are added to the client
>     certificate request.
>
>       # Typically empty!
>       smtpd_tls_CAfile =
>
>   - If the SMTP server needs to validate client certificates against a
>     set of trusted authorities use a CApath directory for that. These
>     are not included in the client certificate request.
>
>       smtpd_tls_CApath = /some/certs/directory
>
> Don't know how this translates to Exim, but there are likely similar
> configuration settings. Postfix by default ignores the default CA
> cert locations compiled into OpenSSL. Only CAs explicitly designated
> by the user are used.

For OpenSSL it's the same. But using a path instead of the usually provided
ca-bundle.crt is a little bit complicated.

For GnuTLS gnutls_certificate_send_x509_rdn_sequence(ctx, 1) has to be used
to disable sending the DN list. Don't know if an option should be added to
do it for both the same way. Not calling SSL_CTX_set_client_CA_list() works
for OpenSSL.

Greetings, Wolfgang

-- 
Wolfgang Breyha <[email protected]> | http://www.blafasel.at/
Vienna University Computer Center | Austria

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
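The "a little bit complicated" step above is turning the distribution's single ca-bundle.crt into the CApath directory layout that smtpd_tls_CApath (and SSL_CTX_load_verify_locations with a capath) actually look up: one PEM file per CA, named by subject hash with a numeric suffix, the same layout OpenSSL's c_rehash produces. The script below is an added example and not code from this thread, from Postfix or from Exim; the function names make_capath and capath_verifies are the example's own, and the only tool it assumes is the openssl command-line binary (1.1.0 or later, for -no-CAfile).

```shell
# Added example (not from the exim-users thread, Postfix or Exim):
# build an OpenSSL CApath directory from a single PEM bundle such as
# ca-bundle.crt. A CApath holds one file per CA certificate, named
# <subject_hash>.<n>, which is what c_rehash generates and what
# SSL_CTX_load_verify_locations(capath) / smtpd_tls_CApath search.
# Assumes only that the openssl command-line tool is installed.

# make_capath BUNDLE DIR
# Splits BUNDLE into DIR/<hash>.<n> files and prints how many CAs were installed.
make_capath() {
    bundle=$1
    dir=$2
    mkdir -p "$dir"

    # One temporary file per BEGIN..END CERTIFICATE block in the bundle.
    awk -v d="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/split." n ".pem" }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
    ' "$bundle"

    count=0
    for f in "$dir"/split.*.pem; do
        [ -e "$f" ] || continue
        # The same subject hash OpenSSL computes at lookup time.
        h=$(openssl x509 -in "$f" -noout -subject_hash)
        # OpenSSL probes <hash>.0, <hash>.1, ... in turn, so two CAs that share
        # a subject hash need distinct suffixes rather than overwriting each other.
        i=0
        while [ -e "$dir/$h.$i" ]; do
            i=$((i + 1))
        done
        mv "$f" "$dir/$h.$i"
        count=$((count + 1))
    done
    echo "$count"
}

# capath_verifies DIR CERT
# Exit status 0 when CERT chains to a CA found in DIR, non-zero otherwise.
# -no-CAfile keeps the default bundle out of the picture, so only DIR counts,
# which mirrors a server that trusts nothing but its configured CApath.
capath_verifies() {
    openssl verify -no-CAfile -CApath "$1" "$2" >/dev/null 2>&1
}
```

Point the server's CApath setting at the directory make_capath fills and leave the CAfile setting empty: the CAs in the directory are still used to validate a presented client certificate, but, because nothing is ever handed to SSL_CTX_set_client_CA_list(), none of their subject DNs are advertised in the CertificateRequest. Rerun make_capath whenever the bundle changes, since OpenSSL only finds certificates whose file name matches the current hash.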
