> Which Postfix SMTP client implementation matches server certificates against
> server IP addresses?
We are using 3.2.0 vanilla.
To clarify, this is when using the "match" attribute with "verify" security
level. I could rephrase the question as to why anything but DNS names are
ignored in the SANs field?
Thanks,
Osama
-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org]
On Behalf Of Wietse Venema
Sent: 15 June 2017 21:47
To: Postfix users <postfix-users@postfix.org>
Subject: Re: Outbound TLS Certificate Verification
Osama Al-Hassani:
> Yes. And we are using DNS SANs, but in some scenarios we need to verify
> against the IP address.
>
>
> We can do this, if the IP address is present in the CN but not SANs. Is
> there a reason for the difference in behaviour?
>
> Thanks,
> Osama
>
> -----Original Message-----
> From: owner-postfix-us...@postfix.org
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Viktor Dukhovni
> Sent: 15 June 2017 01:33
> To: postfix-users@postfix.org
> Subject: Re: Outbound TLS Certificate Verification
>
> On Wed, Jun 14, 2017 at 09:12:20PM +0000, Osama Al-Hassani wrote:
>
> > When verifying server certificates on outbound connections, it seems
> > we are unable verify the IP addresses part of the SANs field. We are
> > able to verify IPs in CNs.
>
> Email is sent to addresses of the form <local-part@domain-part>, where the
> "domain-part" is DNS domain, not an IP address. The SMTP server is either an
> MX host, or the domain itself, in the absence
> of MX records. Bare IP addresses are not valid in MX records.
> Most mail systems will not accept email to addresses of the form
> <local-part@[NNN.NNN.NNN.NNN]> (ip-addres domain-literals).
>
> > What is the reasoning behind this behaviour?
>
> No useful security results from verifying IP addresses in certificates for
> TLS connections to DNS hosts. Certificates with IP addresses are for IPsec,
> not for TLS with SMTP.
>
> Postfix supports DNS subject alternative names:
>
> https://www.postfix.org/TLS_README.html#client_tls_secure
> https://www.postfix.org/TLS_README.html#client_tls_dane
Which Postfix SMTP client implementation matches server certificates against
server IP addresses?
Wietse
----------------------------------------------------------------------------------------------
Message Processed by the Clearswift V4 Engineering Dogfood Secure Email Gateway
This e-mail and any files transmitted with it are strictly confidential, may be
privileged and are intended only for use by the addressee unless otherwise
indicated. If you are not the intended recipient any use, dissemination,
printing or copying is strictly prohibited and may be unlawful. If you have
received this e-mail in error, please delete it immediately and contact the
sender as soon as possible. Clearswift cannot be held liable for delays in
receipt of an email or any errors in its content. Clearswift accepts no
responsibility once an e-mail and any attachments leave us. Unless expressly
stated, opinions in this message are those of the individual sender and not of
Clearswift.
This email message has been inspected by Clearswift for inappropriate content
and security threats.
To find out more about Clearswift’s solutions please visit www.clearswift.com
