From: zhong ming wu on 15 Apr 2010 19:16

Dear List

I don't find anywhere in TLS documentation how to make postfix respect a crl
so that clients whose certs have been revoked cannot use the submission server.

Can someone please confirm that this feature is supported or not?

Thanks

From: Wietse Venema on 15 Apr 2010 20:22

zhong ming wu:
> Dear List
>
> I don't find anywhere in TLS documentation how to make postfix respect a crl
> so that clients whose certs have been revoked cannot use the submission server.
>
> Can someone please confirm that this feature is supported or not?

If it is not in the documentation, then it is not implemented.

Wietse

From: Victor Duchovni on 15 Apr 2010 23:52

On Thu, Apr 15, 2010 at 07:16:58PM -0400, zhong ming wu wrote:

> I don't find anywhere in TLS documentation how to make postfix respect a crl
> so that clients whose certs have been revoked cannot use the submission server.

The supported model for submission servers that use client certs is to
list all supported fingerprints in a table. With fingerprint security,
you don't need CRLs. Alternatively, you can extract all the revoked
certs from the CRL, and use check_ccert_access to deny access, while
allowing everyone else signed by the CA.

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment. If you are interested, please drop me a note.

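The CRL alternative from the reply above, as an added example that is not part of the thread or of Postfix: a script that verifies the CRL, reads the revoked serial numbers from it, and prints a `check_ccert_access` table of the matching certificate fingerprints. It assumes the CA keeps every certificate it issued as a PEM file in one directory; the script name, function names and output path are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): CRL -> Postfix check_ccert_access table.
# Assumption: the CA keeps every issued client certificate as DIR/*.pem.
# Usage: sh crl2ccert.sh ca.pem crl.pem DIR DIGEST > /etc/postfix/revoked_ccerts
# DIGEST (md5, sha1, sha256) must equal smtpd_tls_fingerprint_digest in main.cf.

# Normalise hex serials: upper case, leading zeros stripped.
norm_serial() { tr 'a-f' 'A-F' | sed 's/^0*\(.\)/\1/'; }

# stdin: `openssl crl -noout -text` output; stdout: revoked serials, one per line.
crl_serials() {
    sed -n 's/^ *Serial Number: *\([0-9A-Fa-f]*\) *$/\1/p' | norm_serial | sort -u
}

# stdout: "SERIAL FINGERPRINT" for each certificate in directory $1, digest $2.
cert_index() {
    for pem in "$1"/*.pem; do
        [ -f "$pem" ] || continue
        serial=$(openssl x509 -in "$pem" -noout -serial | cut -d= -f2 | norm_serial)
        fp=$(openssl x509 -in "$pem" -noout -fingerprint "-$2" | cut -d= -f2)
        printf '%s %s\n' "$serial" "$fp"
    done
}

# $1: file of revoked serials; stdin: "SERIAL FINGERPRINT" lines.
# stdout: access(5) entries rejecting every certificate whose serial is revoked.
reject_map() {
    awk 'NR == FNR { revoked[$1] = 1; next }
         ($1 in revoked) { print $2, "REJECT client certificate revoked" }' "$1" -
}

main() {
    # Only trust a CRL whose signature verifies against the CA certificate.
    openssl crl -in "$2" -CAfile "$1" -noout 2>&1 | grep -q 'verify OK' || {
        echo "CRL signature check failed" >&2; return 1; }
    tmp=$(mktemp) || return 1
    openssl crl -in "$2" -noout -text | crl_serials > "$tmp"
    cert_index "$3" "$4" | reject_map "$tmp"
    rm -f "$tmp"
}

if [ "$#" -eq 4 ]; then main "$@"; fi
```

After running `postmap` on the output, list it as `check_ccert_access hash:/etc/postfix/revoked_ccerts` ahead of the rule that permits CA-signed clients. The table is a snapshot, so the script has to be rerun each time the CA publishes a new CRL.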
From: zhong ming wu on 16 Apr 2010 19:24

On Thu, Apr 15, 2010 at 11:52 PM, Victor Duchovni
<Victor.Duchovni(a)morganstanley.com> wrote:
> On Thu, Apr 15, 2010 at 07:16:58PM -0400, zhong ming wu wrote:
>
>> I don't find anywhere in TLS documentation how to make postfix respect a crl
>> so that clients whose certs have been revoked cannot use the submission server.
>
> The supported model for submission servers that use client certs is to
> list all supported fingerprints in a table. With fingerprint security,
> you don't need CRLs. Alternatively, you can extract all the revoked
> certs from the CRL, and use check_ccert_access to deny access, while
> allowing everyone else signed by the CA.
>

Thanks. I am already doing this. I just thought there might be a more
standard way with crl because I am using the same CA file for both dovecot
and postfix and dovecot supports crl.