Re: [exim] Ignoring SSL-Errors on self signed certificates

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Viktor Dukhovni
Datum:  
To: exim-users
Betreff: Re: [exim] Ignoring SSL-Errors on self signed certificates
On Thu, Apr 14, 2016 at 12:46:06PM -0400, Chris Siebenmann wrote:

> It would be convenient if you could directly put copies of self-signed
> certificates in some location in order to have them pass validation, but
> as far as I know this is not supported by anything.


For a self-signed (subject == issuer == signer) certificate, it is
not that uncommon to verify its fingerprint:

    http://www.postfix.org/TLS_README.html#client_tls_fprint


private trust-anchor (homebrew CA) support is also not unheard of:

    http://www.postfix.org/TLS_README.html#client_tls_secure


    With Postfix >= 2.11 the "smtp_tls_trust_anchor_file" parameter
    or more typically the corresponding per-destination "tafile"
    attribute optionally modifies trust chain verification. If the
    parameter is not empty the root CAs in CAfile and CApath are
    no longer trusted. Rather, the Postfix SMTP client will only
    trust certificate-chains signed by one of the trust-anchors
    contained in the chosen files. The specified trust-anchor
    certificates and public keys are not subject to expiration,
    and need not be (self-signed) root CAs. They may, if desired,
    be intermediate certificates. Therefore, these certificates
    also may be found "in the middle" of the trust chain presented
    by the remote SMTP server, and any untrusted issuing parent
    certificates will be ignored.


-- 
    Viktor.