sendmail+saslauthd && verify=FAIL

Matthew Seaman m.seaman at infracaninophile.co.uk
Fri Nov 18 09:34:54 UTC 2011


On 18/11/2011 10:00, Edward Martinez wrote:
> On 11/18/11 00:12, Matthias Apitz wrote:
>> STARTTLS=client, relay=smtp.1blu.de., version=TLSv1/SSLv3, verify=FAIL
>>
>> see below; what does the FAIL mean exactly?
>>
>    I have been reading on the subject and it appears you do not trust
> the certificate issuer for smtp.1blu.de.

Which is pretty much normal for SSL certs used for mail transfer.  Most
mail servers use a self-signed certificate, because the important point
is not to verify the identity of the other party but to protect the
messages in transit against snooping.  All that requires is a secure
means of agreeing a symmetric session key between both parties, and the
TLS handshake is the best available way of doing that.

Verifying SSL keys between MTAs is mostly useful only within one
organisation where the keys can be issued from one central authority, or
between a group of tightly integrated organisations.

With the advent of DNSSEC and things like the DANE project
(https://tools.ietf.org/html/draft-ietf-dane-protocol-12) that might
change, but DNSSEC adoption is too patchy yet for it to be effective.

	Cheers,

	Matthew


-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew at infracaninophile.co.uk               Kent, CT11 9PW
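To make the point above concrete, here is an added example (not from the thread or from sendmail itself) that parses sendmail STARTTLS log lines like the one quoted and separates "encrypted but peer unverified" (verify=FAIL) from a verified peer (verify=OK). The sample log lines are constructed; hostnames other than smtp.1blu.de are made up, and the verify= meanings follow the sendmail Operations Guide.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in sendmail's STARTTLS log format; the smtp.1blu.de
# entries mirror the one quoted in the thread, the other relays are made up.
SAMPLE_LOG = """\
Nov 18 00:10:01 mx sm-mta[1234]: pAI0A1xx001234: STARTTLS=client, relay=smtp.1blu.de., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Nov 18 00:11:07 mx sm-mta[1235]: pAI0B7xx001235: STARTTLS=client, relay=mx.example.org., version=TLSv1/SSLv3, verify=OK, cipher=AES128-SHA, bits=128/128
Nov 18 00:12:45 mx sm-mta[1236]: pAI0Cjxx001236: STARTTLS=server, relay=mail.example.net [192.0.2.10], version=TLSv1/SSLv3, verify=NO, cipher=RC4-MD5, bits=128/128
Nov 18 00:13:02 mx sm-mta[1237]: pAI0D2xx001237: STARTTLS=client, relay=smtp.1blu.de., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
"""

STARTTLS_RE = re.compile(
    r"STARTTLS=(?P<role>client|server), relay=(?P<relay>[^,]+), "
    r"version=(?P<version>[^,]+), verify=(?P<verify>[A-Z]+)"
    r"(?:, cipher=(?P<cipher>[^,]*), bits=(?P<bits>\S+))?"
)

# verify= values as documented in the sendmail Operations Guide.
VERIFY_MEANING = {
    "OK": "peer certificate verified against a trusted CA",
    "NO": "no certificate presented by the peer",
    "NOT": "no certificate requested from the peer",
    "FAIL": "certificate presented but not verifiable, e.g. issuer CA not trusted",
    "NONE": "STARTTLS not performed",
    "TEMP": "temporary error during verification",
    "PROTOCOL": "SMTP-level protocol error",
    "SOFTWARE": "TLS handshake failed",
}
# Handshake completed, so the session is encrypted whatever the cert trust.
ENCRYPTED = {"OK", "NO", "NOT", "FAIL"}

def parse_starttls(line):
    """Return the STARTTLS fields of a sendmail log line, or None."""
    m = STARTTLS_RE.search(line)
    return m.groupdict() if m else None

def session_encrypted(rec):
    """True when TLS was established; verify=FAIL still means encrypted."""
    return rec["verify"] in ENCRYPTED

def authenticated(rec):
    """True only when the peer's identity was actually verified."""
    return rec["verify"] == "OK"

def summarize(log):
    """Per relay, count how often each verify= outcome was logged."""
    per_relay = defaultdict(Counter)
    for line in log.splitlines():
        rec = parse_starttls(line)
        if rec:
            per_relay[rec["relay"]][rec["verify"]] += 1
    return dict(per_relay)

if __name__ == "__main__":
    for relay, counts in summarize(SAMPLE_LOG).items():
        for verify, n in counts.items():
            print(f"{relay}: {n}x verify={verify} -> {VERIFY_MEANING[verify]}")
```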
