Yes. And we are using DNS SANs, but in some scenarios we need to verify against 
the IP address. 


We can do this, if the IP address is present in the CN but not SANs. Is there 
a reason for the difference in behaviour?

Thanks,
Osama 

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Viktor Dukhovni
Sent: 15 June 2017 01:33
To: postfix-users@postfix.org
Subject: Re: Outbound TLS Certificate Verification

On Wed, Jun 14, 2017 at 09:12:20PM +0000, Osama Al-Hassani wrote:

> When verifying server certificates on outbound connections, it seems 
> we are unable to verify the IP addresses part of the SANs field. We are 
> able to verify IPs in CNs.

Email is sent to addresses of the form <local-part@domain-part>, where the 
"domain-part" is a DNS domain, not an IP address.  The SMTP server is either an 
MX host, or the domain itself, in the absence of MX records.  Bare IP addresses 
are not valid in MX records.  Most mail systems will not accept email to 
addresses of the form <local-part@[NNN.NNN.NNN.NNN]> (IP-address domain-literals).

> What is the reasoning behind this behaviour?

No useful security results from verifying IP addresses in certificates for TLS 
connections to DNS hosts.  Certificates with IP addresses are for IPsec, not 
for TLS with SMTP.

Postfix supports DNS subject alternative names:

    https://www.postfix.org/TLS_README.html#client_tls_secure
    https://www.postfix.org/TLS_README.html#client_tls_dane

-- 
        Viktor.
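The difference the thread describes can be modelled with the standard certificate name-matching rules (RFC 6125): DNS reference identifiers are matched against dNSName SANs, falling back to the CN only when no DNS SANs are present, while iPAddress SANs are consulted only for IP reference identifiers. An SMTP client that derives its peer name from MX/A lookups only ever forms DNS reference identifiers, so an IP written into the CN string-matches, but an iPAddress SAN is never examined. This is an added illustration written for this page, not Postfix code; `CertNames`, `verify_peer_name` and the certificate values are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertNames:
    # Identifiers taken from a server certificate (constructed values, not a parsed cert).
    common_name: Optional[str] = None
    dns_sans: List[str] = field(default_factory=list)
    ip_sans: List[str] = field(default_factory=list)


def dns_match(reference: str, presented: str) -> bool:
    """Case-insensitive DNS-ID comparison allowing one left-most wildcard label."""
    ref = reference.lower().rstrip(".").split(".")
    pat = presented.lower().rstrip(".").split(".")
    if len(ref) != len(pat):
        return False
    if pat[0] == "*":
        # Wildcard must not match a public suffix or a bare TLD: need at least 3 labels.
        return len(pat) >= 3 and ref[1:] == pat[1:]
    return ref == pat


def verify_peer_name(reference: str, cert: CertNames, as_dns_only: bool) -> str:
    """Return which identifier matched: 'dns-san', 'ip-san', 'cn' or 'no-match'.

    as_dns_only=True models a client that only forms DNS reference identifiers
    (the SMTP case): the name is treated as a string even if it looks like an IP,
    so iPAddress SANs are never consulted.
    """
    ip_ref = None
    if not as_dns_only:
        try:
            ip_ref = ipaddress.ip_address(reference)
        except ValueError:
            ip_ref = None
    if ip_ref is not None:
        # IP reference identifier: only iPAddress SANs count; the CN is never used.
        hit = any(ipaddress.ip_address(s) == ip_ref for s in cert.ip_sans)
        return "ip-san" if hit else "no-match"
    # DNS reference identifier: DNS SANs take precedence; CN only when none present.
    if cert.dns_sans:
        hit = any(dns_match(reference, d) for d in cert.dns_sans)
        return "dns-san" if hit else "no-match"
    if cert.common_name and dns_match(reference, cert.common_name):
        return "cn"
    return "no-match"


# Constructed certificates for the thread's two cases: IP in the CN vs IP only in SANs.
CN_ONLY = CertNames(common_name="192.0.2.10")
IP_SAN_ONLY = CertNames(common_name="mx.example.net", ip_sans=["192.0.2.10"])
```

For the DNS-only client, `CN_ONLY` matches the peer name "192.0.2.10" via the CN string while `IP_SAN_ONLY` does not; a client that forms an IP reference identifier sees the reverse.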
