Wednesday, July 24, 2019

Re: smtpd accept client certificate only from a specific CA

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: Pmcrypto Golang 0.0.1 (ddacebe0)
Comment: https://protonmail.com

xjMEXLy3oxYJKwYBBAHaRw8BAQdA1u+3PBDg+JyMo01717GQuPnJCv7coei7Wa/m
Z7ehSj/NJSJsZXZhQGVjZW50cnVtLmh1IiA8bGV2YUBlY2VudHJ1bS5odT7CdwQQ
FgoAHwUCXLy3owYLCQcIAwIEFQgKAgMWAgECGQECGwMCHgEACgkQDEGOClIQCPwA
QwEA6t0v62AryOh8TC7zQ1UsKX11XnTCe/VdltU2oPo8GpkBAMMJ9i4sNsD+n2mF
EARyCjeDCgT8aDgYpVdOZMbmwWkEzjgEXLy3oxIKKwYBBAGXVQEFAQEHQEAbn78U
a1uhxrBz+4GqkHFZ7S+DSqU6YLDGruK/PLUDAwEIB8JhBBgWCAAJBQJcvLejAhsM
AAoJEAxBjgpSEAj8moABALrjTKLxEnoTBfxbHiYXWaZxlubOPO2zpz/f9ZBRqGz4
AP4/a0fJisj8dDrGf/7JnVonh+KF7L98v0SH1CTPXK6gDA==
=r0Cq
-----END PGP PUBLIC KEY BLOCK-----Sorry, running 6.5-stable.

-------- Eredeti üzenet --------
Be 2019. júl. 24. 19:13, Lévai, Dániel írta:

> Hi all!
>
> I have this on my relay host:
>
> smtpd.conf:
> ca myCA cert "/path/to/myCA.pem"
>
> listen on egress port submission \
> tls-require verify \
> ca myCA
>
> Now with that I expected that it'll only accept smtp clients that provide a certificate signed by myCA, but it turns out it accepts any certificate that is trusted based on the default /etc/ssl/certs.pem file.
> Besides (re)moving the stock certs file or any other intrusive/ugly workaround, is there any way I could force a CA for those connections?
>
> Thanks for any hints,
> Dani

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)