Re: TLS verify

2015-11-28 Thread Craig Skinner
From: Craig Skinner To: Martin de Wendt Subject: Re: TLS verify User-Agent: Mutt/1.5.23 (2014-03-12) On 2015-11-27 Fri 13:32 PM, Martin de Wendt wrote: > incoming emails from any tls required This isn't realistic. Do you *ONLY* visit https websites? Do you *ONLY* visit IPv6 websites? T

TLS verify

2015-11-27 Thread Martin de Wendt
enable tracing of those verify problems (to see the exact problem of verify = NO)? Is it possible with some magic configuration to differ verify for some servers and pin the IP of those? example: incoming from google tls verify and only from IP X incoming from ebay tls with certificate X only (as

TLS Policy Database and the 'relay tls verify' option....like peas and carrots?

2015-05-15 Thread Seth
There's been some discussion on the list recently about using the 'relay tls verify' to mitigate STARTTLS downgrade attacks. [1] Gilles suggested using something like this in smtpd.conf as a protective measure: table validcrt file:/etc/mail/hosts-with-valid-certs accept fo

Re: tls verify of CAcert certificates fails after upgrading to OpenBSD 5.6 and OpenSMTPD 5.4.3

2015-01-15 Thread Seth
On Thu, 15 Jan 2015 01:26:50 -0800, John Cox wrote: If you only care about local interoperation why are you using an externally provided root cert, why not generate your own? Fallback. If my primary hosted mail exchanger goes down, I have the local one ready to accept SMTP connections from

Re: tls verify of CAcert certificates fails after upgrading to OpenBSD 5.6 and OpenSMTPD 5.4.3

2015-01-15 Thread John Cox
Hi > This week I upgraded one of my OpenSMTPD email servers to OpenBSD 5.6/OpenSMTPD 5.4.3 and all of a sudden I started having all kinds of TLS cert verification interoperability problems with my existing FreeBSD OpenSMTPD 5.4.2 server. > I was pulling my hair out trying to find out what

Re: tls verify of CAcert certificates fails after upgrading to OpenBSD 5.6 and OpenSMTPD 5.4.3

2015-01-14 Thread Jason Barbier
To be fair with that none of that matters if you create your CSR correctly since they never have the private key to the cert. Moreover 20 to 1 All current TLS Cert providers give as much access as they can to the NSA. It really comes down to what can you or are you willing to pay into the imperfec

Re: tls verify of CAcert certificates fails after upgrading to OpenBSD 5.6 and OpenSMTPD 5.4.3

2015-01-14 Thread Seth
On Wed, 14 Jan 2015 09:35:05 -0800, Jason Barbier wrote: If you are looking to get free TLS certs startcom is still in there as I recall, and unless you plan on doing something out of the ordinary or that requires the CA to do work (like you want a star cert, a cert with multiple SANs etc or

Re: tls verify of CAcert certificates fails after upgrading to OpenBSD 5.6 and OpenSMTPD 5.4.3

2015-01-14 Thread Jason Barbier
If you are looking to get free TLS certs startcom is still in there as I recall, and unless you plan on doing something out of the ordinary or that requires the CA to do work (like you want a star cert, a cert with multiple SANs etc or want to revoke a cert without one of the reasons listed in thei

tls verify of CAcert certificates fails after upgrading to OpenBSD 5.6 and OpenSMTPD 5.4.3

2015-01-12 Thread Seth
This week I upgraded one of my OpenSMTPD email servers to OpenBSD 5.6/OpenSMTPD 5.4.3 and all of a sudden I started having all kinds of TLS cert verification interoperability problems with my existing FreeBSD OpenSMTPD 5.4.2 server. I was pulling my hair out trying to find out what the heck was