TLS-only forwarding
TLS-only forwarding
When running Rollernet as an MX, consider allowing me to designate that only TLS connections should be made to my primary mailserver, and force checking of the provided certificate. Please also allow CACert as a valid CA.
Re: TLS-only forwarding
Mandatory TLS and fingerprinting requirements are on our to do list.
Seth Mattinen, Roller Network LLC
Re: TLS-only forwarding
Any update on this? I can imagine 3 modes:
'TLS Accepted' (the default, attempts TLS w/o cert validation but falls back to cleartext)
'Flexible TLS' - requires TLS but does not check the validity of the cert
'Strict TLS' - requires TLS and that the cert is valid.
A further enhancement is requiring a specific CA or possibly key fingerprint. LetsEncrypt certs are shortish lived so requiring a specific cert may not be ideal.
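The three modes above, plus the optional certificate pin, written out as a policy for an outbound SMTP forwarder; this is an added example, not Roller Network's code, and the mode names, the "defer" outcome and the pin format are assumptions.

```python
# Added example: outbound TLS policy for an MX forwarder (assumed design).
import hashlib
import smtplib
import ssl
from enum import Enum

class TlsMode(Enum):
    ACCEPTED = "tls_accepted"  # try STARTTLS, no validation, cleartext fallback
    FLEXIBLE = "flexible_tls"  # STARTTLS required, certificate not validated
    STRICT = "strict_tls"      # STARTTLS required, chain and hostname validated

def build_context(mode: TlsMode) -> ssl.SSLContext:
    """SSLContext for the mode; only STRICT verifies the peer certificate."""
    ctx = ssl.create_default_context()  # system CA store; load CAcert here if wanted
    if mode is not TlsMode.STRICT:
        ctx.check_hostname = False       # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate; changes on every renewal (see post)."""
    return "sha256:" + hashlib.sha256(der_cert).hexdigest()

def decide(mode: TlsMode, starttls_offered: bool, handshake_ok: bool = True,
           der_cert: bytes = b"", pins: frozenset = frozenset()) -> str:
    """Policy outcome: 'tls', 'cleartext' or 'defer' (keep queued, retry later)."""
    if not starttls_offered or not handshake_ok:
        # STRICT lands here on a bad chain or hostname too, because build_context
        # makes the handshake itself fail in that case.
        return "cleartext" if mode is TlsMode.ACCEPTED else "defer"
    if pins and fingerprint(der_cert) not in pins:
        return "defer"  # certificate changed: treat as suspect, never downgrade
    return "tls"

def forward_session(server: smtplib.SMTP, mode: TlsMode, pins=frozenset()) -> str:
    """Apply the policy to a live smtplib session after EHLO (network; not tested)."""
    offered = server.has_extn("starttls")
    handshake_ok, der = False, b""
    if offered:
        try:
            server.starttls(context=build_context(mode))
            der = server.sock.getpeercert(binary_form=True)
            handshake_ok = True
        except (ssl.SSLError, smtplib.SMTPException):
            handshake_ok = False  # a real forwarder reconnects before any cleartext send
    return decide(mode, offered, handshake_ok, der, pins)
```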
Re: TLS-only forwarding
Back when I originally imagined doing this, the idea was for a strict mode that would only proceed if the fingerprint of the server we connected to matched what was configured in the control center. But as you said, LetsEncrypt certs are short lived, so you'd have to change that setting constantly, which is not ideal.
Seth Mattinen, Roller Network LLC