Open szepeviktor opened 7 years ago
Note that on Debian starting with courier-0.76.3-2, we are compiling against gnutls.
@mwanner https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605594
It seems like it is not possible to get perfect forward secrecy unless you can set the DH key exchange parameter, which is only offered if courier was compiled against gnutls.
DH parameters can be set in /etc/courier/dhparams.pem
@mwanner Is it reported to Sam? https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844975
The root cause of this bug seems to be:
... checking openssl/ssl.h usability... yes checking openssl/ssl.h presence... yes checking for openssl/ssl.h... yes checking for SSL_load_error_strings in -lssl... no checking for OPENSSL_cleanup in -lssl... no ...
The OpenSSL library does not validate peer hostnames, leaving it up to the
application to do that. Courier's manual hostname validation code checks CN only.
Hostname validation for SMTP is a mess. Many servers use self-signed certs,
not signed by a trusted CAs, as such most servers typically do not verify
peer hostnames.
You can also recompile Courier to use GnuTLS, which handles hostname
verification itself, and will presumably check SAN.