Date: Sat, 28 Nov 2015 08:48:09 +
From: Craig Skinner <skin...@britvault.co.uk>
To: Martin de Wendt <mar...@mdewendt.de>
Subject: Re: TLS verify
User-Agent: Mutt/1.5.23 (2014-03-12)
On 2015-11-27 Fri 13:32 PM |, Martin de Wendt wrote:
> incoming emails from any tls required
This isn
to enable tracing of those verify problems (to see the exact problem
of verify = NO)?
Is it possible with some magic configuration to differ verify for some
servers and pin the IP of those?
example:
incoming from google tls verify and only from IP X
incoming from ebay tls with certificate X only
There's been some discussion on the list recently about using the 'relay
tls verify' to mitigate STARTTLS downgrade attacks. [1]
Gilles suggested using something like this in smtpd.conf as a protective
measure:
table validcrt file:/etc/mail/hosts-with-valid-certs
accept for domain <validcrt>