From: Jordi Espasa Clofent on
Hi all,

I've configured a TLS/SSL smtpd in a box as follows:

# postconf -n | grep -i tls
smtpd_tls_cert_file = /usr/local/home/example.com.crt
smtpd_tls_key_file = /usr/local/home/example.com.key
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/usr/local/etc/postfix/smtpd_cache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom

The cert is a wildcard certificate for *.example.com.

When the MUA (tested in Microsoft Outlook and Mozilla Thunderbird) tries
to send email using this box, it shows a warning about the cert. It
happens when it tries to connect using STARTTLS (port 25) and also TLS/SSL
(port 465).

¿Why?

The box is named mai.example.com, so I understand a wildcard certificate
(*.example.com) should be enough.

--
I must not fear. Fear is the mind-killer. Fear is the little-death that
brings total obliteration. I will face my fear. I will permit it to pass
over me and through me. And when it has gone past I will turn the inner
eye to see its path. Where the fear has gone there will be nothing. Only
I will remain.

Bene Gesserit Litany Against Fear.

From: Wietse Venema on
Jordi Espasa Clofent:
> Hi all,
>
> I've configured a TLS/SSL smtpd in a box as follows:
>
> # postconf -n | grep -i tls
> smtpd_tls_cert_file = /usr/local/home/example.com.crt
> smtpd_tls_key_file = /usr/local/home/example.com.key
> smtpd_tls_loglevel = 2
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_database = btree:/usr/local/etc/postfix/smtpd_cache
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_use_tls = yes
> tls_random_source = dev:/dev/urandom
>
> The cert is a wildcard certificate for *.example.com.
>
> When the MUA (tested in Microsoft Outlook and Mozilla Thunderbird) tries
> to send email using this box, it shows a warning about the cert. It
> happens when it tries to connect using STARTTLS (port 25) and also TLS/SSL
> (port 465).
>
> ¿Why?
>
> The box is named mai.example.com, so I understand a wildcard certificate
> (*.example.com) should be enough.

The "*" matches ONE level only.

Wietse

From: Reinaldo de Carvalho on
On Tue, Apr 20, 2010 at 12:58 PM, Jordi Espasa Clofent
<jespasac(a)minibofh.org> wrote:
> Hi all,
[...]
>
> The cert is a wildcard certificate for *.example.com.
>
> When the MUA (tested in Microsoft Outlook and Mozilla Thunderbird) tries to
> send email using this box, it shows a warning about the cert. It happens when
> it tries to connect using STARTTLS (port 25) and also TLS/SSL (port 465).
>
> ¿Why?
>
> The box is named mai.example.com, so I understand a wildcard certificate
> (*.example.com) should be enough.
>

This is a client verification.

--
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net

"Don't try to adapt the software to the way you work, but rather
yourself to the way the software works" (myself)

From: Victor Duchovni on
On Tue, Apr 20, 2010 at 05:58:23PM +0200, Jordi Espasa Clofent wrote:

> The cert is a wildcard certificate for *.example.com.

What SMTP server name is the MUA configured to use?
Does the MUA support wild-card certificates?
Which CA signed this certificate?
Does the MUA trust this CA?

> When the MUA (tested in Microsoft Outlook and Mozilla Thunderbird) tries to
> send email using this box, it shows a warning about the cert. It happens
> when it tries to connect using STARTTLS (port 25) and also TLS/SSL (port
> 465).

What is the warning?

> The box is named mai.example.com, so I understand a wildcard certificate
> (*.example.com) should be enough.

Only if the MUA is configured to use an SMTP server in the "example.com"
domain, and it trusts the issuing CA, and the certificate has not expired
and has suitable key usage bits, and if the MUA supports wild-card certs.

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment. If you are interested, please drop me a note.
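The following is an added example, not code from the thread or from Postfix, that shows what the client side of Wietse's one-label rule and Victor's checklist looks like in practice. It models the name and validity checks an MUA performs on the server certificate: the `*` in `*.example.com` covers exactly one DNS label (the RFC 6125 rule), so `mai.example.com` matches but `smtp.mai.example.com` and the bare `example.com` do not. The certificate dictionary has the shape Python's `ssl.SSLSocket.getpeercert()` returns, but its values are constructed, and the checks for CA trust and key usage bits from Victor's list are left to the real TLS stack and are not modelled here.

```python
"""
Added example (not from the postfix-users thread): an MUA-style check of an
SMTP server certificate against the configured server name.  Wildcard
matching follows RFC 6125 section 6.4.3: "*" stands for exactly one label.
CA trust and key-usage bits are NOT checked here; a real client does that
in its TLS library.
"""
import ssl
import time


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate name with the server name the client dialled.

    A leading "*." covers exactly one non-empty DNS label, nothing more.
    Comparison is case-insensitive and ignores a trailing dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".example.com"
    if not hostname.endswith(suffix):
        return False
    covered = hostname[: -len(suffix)]        # what the "*" has to stand for
    # "mai" -> one label, ok; "smtp.mai" -> two labels, no; "" -> no label, no
    return bool(covered) and "." not in covered


def cert_names(cert: dict) -> list:
    """Names a client compares against: DNS SANs, with CN only as a fallback."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def verify_for_mua(cert: dict, server_name: str, now_seconds=None) -> list:
    """Return the problems an MUA would warn about; an empty list means no warning.

    `now_seconds` is seconds since the epoch (UTC); defaults to the current time.
    """
    if now_seconds is None:
        now_seconds = time.time()
    problems = []

    names = cert_names(cert)
    if not any(hostname_matches(n, server_name) for n in names):
        problems.append(f"name mismatch: {server_name!r} not covered by {names}")

    # getpeercert() gives notBefore/notAfter as "%b %d %H:%M:%S %Y GMT" strings
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now_seconds < not_before:
        problems.append(f"not yet valid: starts {cert['notBefore']}")
    if now_seconds > not_after:
        problems.append(f"expired: ended {cert['notAfter']}")
    return problems


# Constructed sample in the shape getpeercert() returns; this is not a real
# certificate and the dates are made up to match the 2010 thread.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
    "notBefore": "Apr 20 00:00:00 2010 GMT",
    "notAfter": "Apr 20 00:00:00 2011 GMT",
}

# 2010-06-01 00:00:00 UTC, inside the constructed validity window
DURING_VALIDITY = 1275350400.0


if __name__ == "__main__":
    for name in ("mai.example.com", "smtp.mai.example.com", "example.com"):
        print(f"{name:24s} -> {verify_for_mua(WILDCARD_CERT, name, DURING_VALIDITY)}")
```

Run as a script it prints the warning list for each server name; only `mai.example.com` comes back clean, which is why an MUA configured with a deeper name such as `smtp.mai.example.com` warns even though the certificate is a wildcard for the domain.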