|Main Archive Page > Month Archives > postfix-users archives|
Zitat von Bernhard Schmidt <email@example.com>:
> Am 20.12.2011 10:24, schrieb firstname.lastname@example.org:
>>> Any idea how to allow all certificates issued by specific Sub-CAs,
>>> without trusting everyone?
>> As far as i understand you have to list the complete chain but only your
>> sub-CA to get it working. So create a smtpd_tls_CAfile with the Telekom
>> root and your sub-CA and nothing else. This would allow relaying for any
>> certificate your sub-CA or the Telekom root CA has issued, but not for
>> certificates issued by any sub-CA of the Telekom beside yours. Be aware
>> that you should not do this on a public facing port 25.
> Unfortunately no-go, the full chain needs to be in smtpd_tls_CApath,
> otherwise I get the "unable to get issuer certificate". And doing that
> would blow the purpose, since we would be an open relay for everyone
> having a DTAG certificate.
To my knowledge you would *only* be an open relay for certificates
issued directly by the Telekom root-CA and for certificates issued by
your sub-CA, not for certificates issued by other Telekom sub-CAs not
included in the file. Not sure if the Telekom root-CA is used to issue
Viktor will correct me if i'm wrong ;-)