Re: Config ok for TLS/SASL/Client Cert via port 587?

From: Victor Duchovni (Victor.Duchovnimorganstanley.com)
Date: Wed Mar 12 2008 - 13:29:27 CDT


On Wed, Mar 12, 2008 at 06:32:41PM +0100, Patrick wrote:

> If it takes only some effort to set up 2 layers of security then why not?

Only useful if the layers are independent. If they fail together, there is
not much value.

If your client host is 0wned, the attacker gets both your client cert and
your password. The client cert key is stronger, so go with that and skip
SASL.

If somehow the attacker gets the physical machine, but not your password,
you can remove the compromised fingerprint from the access table, you
are probably more worried about the stolen data than relay rights...

> In the meantime I have tried to get this working with Evolution and the
> config below but I only get the error below. Maybe Evolution does not
> support certificate authentication.
>
> Mar 12 18:19:37 server postfix/smtpd[13294]: warning: TLS library
> problem: 13294:error:140890C7:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a
> certificate:s3_srvr.c:2458:
>

I am afraid that is not a Postfix question.

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
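
The revocation step mentioned in the reply (removing a compromised fingerprint from the access table), shown as an added example that is not part of the original message. It assumes the table is a text file of `fingerprint value` lines indexed with `postmap`, as used with Postfix's `relay_clientcerts`; the function name and the `POSTMAP` override variable are hypothetical.

```shell
#!/bin/sh
# Added example: revoke one client-certificate fingerprint from a Postfix
# fingerprint table. Table path and fingerprints are supplied by the caller;
# the table layout ("FINGERPRINT <any value>" per line) is an assumption.

# revoke_fingerprint TABLE FINGERPRINT
# Returns 0 if an entry was removed, 1 if no entry matched,
# 2 on bad arguments or I/O failure.
revoke_fingerprint() {
    table=$1
    fp=$2
    [ -n "$table" ] && [ -n "$fp" ] && [ -f "$table" ] || return 2

    # Compare in upper case so "aa:bb" and "AA:BB" name the same entry.
    want=$(printf '%s' "$fp" | tr 'abcdef' 'ABCDEF')
    case $want in
        *[!0-9A-F:]*) return 2 ;;   # reject anything that is not hex pairs and colons
    esac

    tmp=$(mktemp) || return 2
    # Keep comments, blank lines and every entry whose key differs.
    if awk -v want="$want" '
            /^#/ || NF == 0     { print; next }
            toupper($1) == want { removed++; next }
                                { print }
            END                 { exit (removed ? 0 : 1) }
        ' "$table" > "$tmp"
    then
        # Write back in place so the table keeps its owner and mode.
        cat "$tmp" > "$table" || { rm -f "$tmp"; return 2; }
        rm -f "$tmp"
    else
        rm -f "$tmp"
        return 1
    fi

    # Rebuild the indexed map; the text file alone is not what smtpd reads.
    # POSTMAP is a hypothetical override so the function can be tried
    # on a host without Postfix installed.
    pm=${POSTMAP:-postmap}
    if command -v "$pm" >/dev/null 2>&1; then
        "$pm" "$table" || return 2
    fi
    return 0
}
```
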