In article <1177445578.903860.171080@n35g2000prd.googlegroups.com> DT
<pwadas@jewish.org.pl> writes:
>
>I have in my sendmail.mc
>
>DAEMON_OPTIONS(`Addr=aa.bb.cc.123, Port=465, Name=MTA-123-TLS, M=a,p')
>DAEMON_OPTIONS(`Addr=aa.bb.cc.124, Port=465, Name=MTA-123-TLS, M=a,p')

Hm, not that it has anything to do with your question, but it's a bit
"odd" to use the SMTPS port when you do STARTTLS - a major reason for
STARTTLS (and the equivalent in other protocols) as opposed to "SSL
wrapping" such as SMTPS is that it doesn't require a special port...

Btw, the modifiers given after M= should not be comma-separated but
simply concatenated - the comma is currently ignored along with any
other unassigned characters, but when the sendmail developers have run
out of letters the comma may be given a meaning...:-)

>Is it possible to have the server present/verify a different
>certificate for each daemon?

No, but it would be a meaningful addition I think - a patch to implement
it may be accepted at sendmail.org.

>I could create different sendmail instances with different .cf files,
>or simply make the same DNS name resolve to two
>addresses randomly, but neither of these satisfies me.

Your best option could possibly be to have a single sendmail.cf but with
the DaemonPortOptions and ServerCertFile/ServerKeyFile options given (or
overridden) on the daemon startup command line.
See also the threads at
http://groups.google.com/group/comp....1ac62c88927ffa
and
http://groups.google.com/group/comp....d55461cc47471e
--Per Hedeland
per@hedeland.org