Date:      Fri, 18 Nov 2011 09:34:41 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        freebsd-questions@freebsd.org
Subject:   Re: sendmail+saslauthd && verify=FAIL
Message-ID:  <4EC626B1.70506@infracaninophile.co.uk>
In-Reply-To: <4EC62CD8.7090305@gmail.com>
References:  <20111118081229.GA1068@tiny> <4EC62CD8.7090305@gmail.com>


On 18/11/2011 10:00, Edward Martinez wrote:
> On 11/18/11 00:12, Matthias Apitz wrote:
>> STARTTLS=client, relay=smtp.1blu.de., version=TLSv1/SSLv3, verify=FAIL
>>
>> see below; what does the FAIL mean exactly?
>>
>    I have been reading on the subject and it appears you do not trust
> the certificate issuer for smtp.1blu.de.

Which is pretty much normal for SSL certs used for mail transfer.  Most
mail servers use a self-signed certificate, because the important point
is not to verify the identity of the other party but to protect the
messages in transit against snooping.  All that requires is a secure
means of agreeing a symmetric session key between both parties, and the
TLS handshake is the best available way of doing that.

Verifying SSL keys between MTAs is mostly useful only within one
organisation where the keys can be issued from one central authority, or
between a group of tightly integrated organisations.

With the advent of DNSSEC and things like the DANE project
(https://tools.ietf.org/html/draft-ietf-dane-protocol-12) that might
change, but DNSSEC adoption is too patchy yet for it to be effective.

	Cheers,

	Matthew


-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
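The three situations Matthew describes (a self-signed MTA certificate that no CA vouches for, the same certificate trusted explicitly within one organisation, and DANE letting a DNSSEC-signed zone vouch for the key instead) can be reproduced locally with nothing but the openssl tool. The script below is an added example, not part of the thread and not sendmail's own code; the hostname smtp.example.test is hypothetical and the certificates are generated on the spot. sendmail's verify=FAIL means a certificate was presented but could not be verified, which is exactly what case 1 produces; case 2 corresponds to putting the peer's certificate into the file named by confCACERT; case 3 prints the TLSA record (usage 3, selector 1, matching type 1, per RFC 6698 and RFC 7672) that DANE would publish for that key.

```shell
#!/bin/sh
# Added example (not from the thread): why sendmail logs verify=FAIL for a
# typical self-signed MTA certificate, what trusting it explicitly changes,
# and what a DANE-EE TLSA record for the same certificate would carry.
# Requires the openssl command-line tool. The hostname is hypothetical.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=smtp.example.test   # hypothetical MTA name, not the relay from the thread

# Stand-in for the remote MTA: a self-signed certificate, as most mail
# servers use. Also make one unrelated self-signed "CA" to act as a trust
# store that knows nothing about the peer (both constructed here).
gen_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$HOST" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
    -keyout "$WORK/other-key.pem" -out "$WORK/other-ca.pem" >/dev/null 2>&1
}

# Case 1: verify the peer certificate against a trust store that contains
# neither it nor its issuer. This is what the sending MTA does, and the outcome
# sendmail reports as verify=FAIL (certificate presented, but not verifiable).
verify_untrusted() {
  if openssl verify -CAfile "$WORK/other-ca.pem" "$WORK/cert.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Case 2: the same check after the peer's own certificate has been added to
# the trust store (in sendmail terms, the file named by confCACERT). This is
# the "within one organisation" arrangement: you distribute the certs yourself.
verify_pinned() {
  if openssl verify -CAfile "$WORK/cert.pem" "$WORK/cert.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Case 3: the DANE alternative. A TLSA record with usage 3 (DANE-EE),
# selector 1 (SubjectPublicKeyInfo) and matching type 1 (SHA-256) lets the
# owner of a DNSSEC-signed zone vouch for this exact key, so a self-signed
# certificate verifies without any CA. Returns the 64 hex digits of the hash.
tlsa_311() {
  openssl x509 -in "$WORK/cert.pem" -noout -pubkey \
    | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

gen_certs
echo "against an unrelated trust store: verify=$(verify_untrusted)"
echo "with the peer cert trusted:        verify=$(verify_pinned)"
echo "_25._tcp.$HOST. IN TLSA 3 1 1 $(tlsa_311)"
```

Note that verify=FAIL on its own does not stop delivery: sendmail still encrypts the session, which is the point Matthew makes. The TLSA line is only useful if the zone it lives in is DNSSEC-signed, which is the adoption problem the message ends on.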

