From: Jordi Espasa Clofent on 20 Apr 2010 11:58

Hi all,

I've configured a TLS/SSL smtpd in a box as follows:

# postconf -n | grep -i tls
smtpd_tls_cert_file = /usr/local/home/example.com.crt
smtpd_tls_key_file = /usr/local/home/example.com.key
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/usr/local/etc/postfix/smtpd_cache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom

The cert is a wildcard certificate for *.example.com.

When the MUA (tested in Microsoft Outlook and Mozilla Thunderbird) tries to send email using this box, it shows a warning about the cert. It happens when it tries to connect using STARTTLS (port 25) and also TLS/SSL (port 465).

¿Why?

The box is named mai.example.com, so I understand a wildcard certificate (*.example.com) should be enough.

--
I must not fear. Fear is the mind-killer. Fear is the little-death that brings total obliteration. I will face my fear. I will permit it to pass over me and through me. And when it has gone past I will turn the inner eye to see its path. Where the fear has gone there will be nothing. Only I will remain.
Bene Gesserit Litany Against Fear.
From: Wietse Venema on 20 Apr 2010 12:13

Jordi Espasa Clofent:
> Hi all,
>
> I've configured a TLS/SSL smtpd in a box as follows:
>
> # postconf -n | grep -i tls
> smtpd_tls_cert_file = /usr/local/home/example.com.crt
> smtpd_tls_key_file = /usr/local/home/example.com.key
> smtpd_tls_loglevel = 2
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_database = btree:/usr/local/etc/postfix/smtpd_cache
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_use_tls = yes
> tls_random_source = dev:/dev/urandom
>
> The cert is a wildcard certificate for *.example.com.
>
> When the MUA (tested in Microsoft Outlook and Mazilla Thunderbird) tries
> to send email using this box, it show a warning about the cert. It
> happens when it try connection using STARTTLS (port 25) and also TLS/SSL
> (port 465).
>
> ¿Why?
>
> The box is named mai.example.com, so I understand a wildcard certificate
> (*.example.com) should be enough.

The "*" matches ONE level only.

Wietse
From: Reinaldo de Carvalho on 20 Apr 2010 12:22

On Tue, Apr 20, 2010 at 12:58 PM, Jordi Espasa Clofent <jespasac(a)minibofh.org> wrote:
> Hi all,
[...
>
> The cert is a wildcard certificate for *.example.com.
>
> When the MUA (tested in Microsoft Outlook and Mazilla Thunderbird) tries to
> send email using this box, it show a warning about the cert. It happens when
> it try connection using STARTTLS (port 25) and also TLS/SSL (port 465).
>
> ¿Why?
>
> The box is named mai.example.com, so I understand a wildcard certificate
> (*.example.com) should be enough.
>

This is a client verification.

--
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net

"Don't try to adapt the software to the way you work, but rather yourself to the way the software works" (myself)
From: Victor Duchovni on 20 Apr 2010 12:26

On Tue, Apr 20, 2010 at 05:58:23PM +0200, Jordi Espasa Clofent wrote:

> The cert is a wildcard certificate for *.example.com.

What SMTP server name is the MUA configured to use? Does the MUA support wild-card certificates? Which CA signed this certificate? Does the MUA trust this CA?

> When the MUA (tested in Microsoft Outlook and Mazilla Thunderbird) tries to
> send email using this box, it show a warning about the cert. It happens
> when it try connection using STARTTLS (port 25) and also TLS/SSL (port
> 465).

What is the warning?

> The box is named mai.example.com, so I understand a wildcard certificate
> (*.example.com) should be enough.

Only if the MUA is configured to use an SMTP server in the "example.com" domain, and it trusts the issuing CA, and the certificate has not expired and has suitable key usage bits, and if the MUA supports wild-card certs.

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix system/email administrator to architect and sustain our perimeter email environment. If you are interested, please drop me a note.
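The replies from Wietse (a "*" matches one label only) and Victor (the name the MUA is configured with, the issuing CA, and the validity period all have to check out) describe the verification an MUA performs before it accepts a server certificate. The following is an added example, not code from the thread or from the Postfix project, that reproduces those checks in Python so a reader can see exactly which names a `*.example.com` certificate does and does not cover. It works on the dictionary layout that Python's `ssl.SSLSocket.getpeercert()` returns, so it can also be run against a live connection; the sample certificate, issuer name, dates and hostnames below are constructed for the example and are not values from the thread.

```python
# Added example, not from the postfix-users thread or the Postfix project.
# It implements the two rules the replies above rely on so that a reader can
# check a server certificate the way an MUA does before trusting a Postfix
# smtpd:
#   * Wietse: "*" in a certificate name matches exactly ONE DNS label.
#   * Victor: the configured server name must be covered, the issuer must be
#     trusted, and the certificate must be within its validity period.
# Certificates are represented in the dictionary layout returned by
# ssl.SSLSocket.getpeercert(); the sample below is constructed by hand and the
# hostnames, issuer and dates are assumptions, not values from the thread.
import ssl
import time


def dns_name_matches(pattern, hostname):
    """Return True if certificate name `pattern` covers `hostname`.

    Comparison is case-insensitive.  A wildcard is accepted only as the whole
    left-most label and it matches exactly one label, so "*.example.com"
    covers "mai.example.com" but neither "example.com" (too few labels) nor
    "smtp.mai.example.com" (one label too many).  A wildcard with fewer than
    two labels after it ("*.com") is refused as too broad.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False  # wildcard only as the entire left-most label
    if len(p_labels) < 3:
        return False  # "*.com" would cover every name under the TLD
    if len(h_labels) != len(p_labels):
        return False  # "*" stands for ONE label, no more and no fewer
    return h_labels[1:] == p_labels[1:]


def certificate_names(cert):
    """DNS names the certificate is valid for.

    subjectAltName is authoritative; the subject commonName is consulted only
    when the certificate carries no SAN entries at all.
    """
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def check_server_certificate(cert, configured_host, trusted_issuers, now=None):
    """Return the reasons an MUA would warn about `cert`; [] means accepted.

    `configured_host` is the server name typed into the MUA, which is what is
    compared against the certificate (not the machine's own hostname).
    """
    now = time.time() if now is None else now
    problems = []

    names = certificate_names(cert)
    if not any(dns_name_matches(name, configured_host) for name in names):
        problems.append("name mismatch: %r is not covered by %r" % (configured_host, names))

    issuer_cn = next((value for rdn in cert.get("issuer", ())
                      for key, value in rdn if key == "commonName"), None)
    if issuer_cn not in trusted_issuers:
        problems.append("untrusted issuer: %r" % issuer_cn)

    # getpeercert() gives ASN.1 times as "Apr 20 00:00:00 2010 GMT" strings.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("certificate not yet valid")
    if now > not_after:
        problems.append("certificate expired")
    return problems


# Constructed sample: a wildcard certificate like the one in the thread, with
# an assumed issuer and validity period.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
    "notBefore": "Apr 20 00:00:00 2010 GMT",
    "notAfter": "Apr 20 00:00:00 2011 GMT",
}
TRUSTED_ISSUERS = {"Example Root CA"}        # what the MUA's trust store holds
SAMPLE_NOW = ssl.cert_time_to_seconds("Oct 20 12:00:00 2010 GMT")

if __name__ == "__main__":
    for host in ("mai.example.com", "smtp.mai.example.com", "example.com"):
        result = check_server_certificate(SAMPLE_CERT, host, TRUSTED_ISSUERS, SAMPLE_NOW)
        print(host, "->", "accepted" if not result else "; ".join(result))
```

Running it shows that `mai.example.com` is accepted while `smtp.mai.example.com` is rejected with a name mismatch, which is the one-label rule in practice. The bare `example.com` is accepted only because the constructed SAN lists it explicitly; the wildcard alone would not cover it. Key usage bits, the remaining item on Victor's list, are not exposed by `getpeercert()`, so they are best inspected on the file itself with `openssl x509 -noout -text -in /usr/local/home/example.com.crt`.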