37 lines
1.4 KiB
Plaintext
37 lines
1.4 KiB
Plaintext
This list does not really follow priority.
|
|
|
|
* Implement support of CRL checking. OpenSSL 0.9.7 finally supports CRLs,
|
|
so Postfix/TLS should support loading CRLs.
|
|
|
|
* Cleanup the "pfixtls" special logging, so that it fits Wietses original
|
|
"per site" decision to make debugging easier.
|
|
|
|
* Move TLS based information from separate lines into Postfix's smtpd
|
|
logging lines to make logfile analysis easier.
|
|
|
|
* Check the "info_callback" for sensitive use. I already had to remove the
|
|
"warning alert" issued on normal shutdown. Why is a warning issued for
|
|
a normal shutdown??
|
|
|
|
* Allow to specify the protocol used globally: SSLv2, SSLv3, TLSv1.
|
|
|
|
* Enhance tls_per_site feature, such that not only MAY, MUST, NONE flags
|
|
are supported. It should also be possible to influence the behaviour:
|
|
choose the SSLv2/SSLv3/TLSv1 protocols.
|
|
[A compatible way to upgrad the tls_per_site table would be to add the
|
|
keywords:
|
|
MUST,SSLv2
|
|
MAY,NO_TLSv1
|
|
]
|
|
|
|
* Introduce new tls_per_client table to achieve the same selective behaviour
|
|
for incoming connections.
|
|
|
|
* Introduce better support for "opportunistic" encryption: collect information
|
|
about peers connecting; log warnings when the key changed etc.
|
|
[I am not sure that I already have the best answers available.]
|
|
|
|
* Find a way to use the certificates themselves instead of the fingerprints
|
|
to allow certificate based relaying. The maintenance of the fingerprints
|
|
is a nightmare.
|