Re: Trusted CA config

Liste des GroupesRevenir à cm sendmail 
Sujet : Re: Trusted CA config
De : gtaylor (at) *nospam* tnetconsulting.net (Grant Taylor)
Groupes : comp.mail.sendmail
Date : 11. Jan 2025, 00:45:49
Autres entêtes
Organisation : TNet Consulting
Message-ID : <vlsbfd$fuf$1@tncsrv09.home.tnetconsulting.net>
References : 1 2 3 4 5
User-Agent : Mozilla Thunderbird
Pre-script:  For some reason I don't see the post that Claus quoted, so I'm replying to it here.
Bjørn Mork  wrote:
But how are we supposed to configure a sendmail server then?  MTA-STS
means that the trusted CA list must include every public CA.
I've been configuring Sendmail to use look in /etc/ssl/certs for trusted CAs for years without any problem.

... then "AUTH EXTERNAL" is pretty much an open relay.
I think you're concerned about validated certs being the key to allow relay.
I have the following in my access(.db) file:
    # Allow REDACTED to relay based on client TLS certificate.
    CERTISSUER:/C=US/O=Let's+20Encrypt/CN=R3   SUBJECT
    CERTSUBJECT:/CN=REDACTED_CN1               RELAY
    CERTSUBJECT:/CN=REDACTED_CN2               RELAY
As the comment says and the `SUBJECT' value implies, certificates need to be from the `CERTISSUER' *AND* have the proper `SUBJECT' listed on in it's own `CERTSUBJECT' entry.
Only my servers are allowed to relay based on valid certificate *AND* proper subject.

What am I missing?
I suspect that you want to look into `CERTISSUER' of `SUBJECT' combined with `CERTSUBJECT' entries to have fine grained control over who's allowed to relay based on certificates.
On 1/10/25 11:09, Claus Aßmann wrote:
MTA-STS has probably been "designed" by people who use http(s) for
everything - without considering the implications.
Where would you have had people publish MTA-STS information?  I would have preferred DNS, but I don't think that HTTPS is the worst thing in the world.

And just like SPF it breaks existing e-mail practices....
Please elaborate on what MTA-STS is breaking that it isn't intended to break?
Yes, SPF was intended to break sending email from an unauthorized IP, and that includes forwarding.  That's by design.
I've been using and advocating for `-all' SPF records for (nearly) two decades at this point.  I have no problem forwarding when I use SRS. Even Google has changed their tune and was recommending SRS when forwarding the last time I looked.
Yes, I have SRS working with Sendmail just fine.  I found an old `perlsrs' HACK years ago and have been using it ever sense.  I drop the perlsrs.m4 file in the `/usr/share/sendmail/cf/hack' directory and add `HACK(`perlsrs')' to my mc file.  It works well enough that I never have to think about it.  I've been forwarding to Google for years without any problem.
The only thing you need to do is to make sure that you only forward clean email.  But I try my best to reject any dirty email at the gate.
--
Grant. . . .

Date Sujet#  Auteur
13 Nov 24 * adding CA certificates (for use by sendmail)14Wolfgang Agnes
13 Nov 24 `* Re: adding CA certificates (for use by sendmail)13Grant Taylor
13 Nov 24  +* Re: adding CA certificates (for use by sendmail)11John D Groenveld
13 Nov 24  i`* Re: adding CA certificates (for use by sendmail)10Bjørn Mork
13 Nov 24  i `* Re: adding CA certificates (for use by sendmail)9Claus Aßmann
13 Nov 24  i  `* Re: adding CA certificates (for use by sendmail)8Bjørn Mork
9 Jan 25  i   `* Trusted CA config (was: Re: adding CA certificates (for use by sendmail))7Bjørn Mork
10 Jan 25  i    `* Re: Trusted CA config (was: Re: adding CA certificates (for use by sendmail))6Claus Aßmann
11 Jan 25  i     `* Re: Trusted CA config5Grant Taylor
11 Jan 25  i      +* Re: Trusted CA config2Andreas S. Kerber
11 Jan 25  i      i`- Re: Trusted CA config1Grant Taylor
12 Jan 25  i      `* Re: Trusted CA config2Bjørn Mork
22 Jan 25  i       `- Re: FFRs1Claus Aßmann
19 Nov 24  `- Re: adding CA certificates (for use by sendmail)1Wolfgang Agnes

Haut de la page

Les messages affichés proviennent d'usenet.

NewsPortal