SLUG Mailing List Archives

Re: [SLUG] Looking for docs on Postfix-TLS (no SASL!)
On Sat, Sep 04, 2004, Mary Gardiner wrote:
> # Two additional options has been added for relay control to the UCE rules:
> #   permit_tls_clientcerts	(a)
[snip]
> # postfix will relay if 
> # (a) a valid (it passed the verification) client certificate is presented
> #     and its fingerprint is listed in the list of client certs
> #     (relay_clientcerts),

Excellent, this *does* work without needing SASL. The mistake I had made
was stuffing up the storing of my client's fingerprint on the
server-side: I stored the wrong fingerprint.

For people who are interested:

server settings in main.cf:

	relay_clientcerts = hash:/etc/postfix/relay_certs

	# permit_tls_clientcerts is the key bit: it tells Postfix to relay
	# for clients whose certificate fingerprint matches. Put the other
	# restrictions between it and check_relay_domains, which must stay
	# so there is no open relay. (Comments have to be on their own lines
	# in main.cf; Postfix treats a trailing "# ..." as part of the value.)
	smtpd_recipient_restrictions =
		permit_tls_clientcerts,
		check_relay_domains

	smtpd_use_tls = yes
	smtpd_tls_ask_ccert = yes

	smtpd_tls_key_file = /etc/postfix/tls/key.pem
	smtpd_tls_cert_file = /etc/postfix/tls/cert.pem
	smtpd_tls_CAfile = /etc/postfix/tls/cacert.pem
	smtp_tls_key_file = /etc/postfix/tls/key.pem
	smtp_tls_cert_file = /etc/postfix/tls/cert.pem
	smtp_tls_CAfile = /etc/postfix/tls/cacert.pem

/etc/postfix/relay_certs looks like this and is hashed by postmap:

	95:F1:DB:33:C4:90:75:D4:AE:67:30:BC:88:51:54:52 client.example.com

[where 95:etc etc is the fingerprint of the client's SSL key]

client settings:

	relayhost = example.com:587

	smtp_use_tls = yes
	smtpd_tls_ask_ccert = yes

	smtpd_tls_key_file = /etc/postfix/tls/key.pem
	smtpd_tls_cert_file = /etc/postfix/tls/cert.pem
	smtpd_tls_CAfile = /etc/postfix/tls/cacert.pem
	smtp_tls_key_file = /etc/postfix/tls/key.pem
	smtp_tls_cert_file = /etc/postfix/tls/cert.pem
	smtp_tls_CAfile = /etc/postfix/tls/cacert.pem

	smtp_tls_per_site = hash:/etc/postfix/tls_per_site

/etc/postfix/tls_per_site looks like this and is hashed by postmap:

	example.com    MUST

All keys are signed by the Certificate Authority whose key is
/etc/postfix/tls/cacert.pem (the same certificate on both client and
server) -- I followed directions at
http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/doc/myownca.html
to be my own CA.

-Mary
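Since the whole setup hinges on storing the right fingerprint in relay_certs, here is an added example (not from Mary's post or the pfixtls docs) that derives the fingerprint from a PEM certificate the same way `openssl x509 -noout -fingerprint -md5` does (MD5 over the DER body, colon-separated uppercase hex, 16 bytes as in the post) and checks it against a relay_certs-style map. The PEM blocks are constructed placeholder bytes, not real certificates; the helper names are my own.

```python
import base64
import hashlib
import re

# Constructed samples: PEM armour around arbitrary bytes standing in for a
# DER certificate. Only the digest of the DER body matters here.
CLIENT_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(bytes(range(48))).decode()
              + "-----END CERTIFICATE-----\n")
OTHER_PEM = ("-----BEGIN CERTIFICATE-----\n"
             + base64.encodebytes(bytes(range(48, 96))).decode()
             + "-----END CERTIFICATE-----\n")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the certificate body."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def cert_fingerprint(pem: str, digest: str = "md5") -> str:
    """Digest of the DER certificate as AA:BB:...; md5 gives the 16-byte
    form shown in the post (openssl's -fingerprint -md5 output)."""
    hexd = hashlib.new(digest, pem_to_der(pem)).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


def relay_certs_line(pem: str, name: str, digest: str = "md5") -> str:
    """One line of the relay_certs source file: fingerprint, then a label."""
    return f"{cert_fingerprint(pem, digest)} {name}"


def load_relay_certs(text: str) -> dict:
    """Parse a relay_certs source file into {FINGERPRINT: label}.
    Keys are upper-cased so a map typed in lower case still matches."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, label = line.partition(" ")
        table[key.upper()] = label.strip()
    return table


def client_permitted(table: dict, pem: str, digest: str = "md5") -> bool:
    """Mirror of the permit_tls_clientcerts check: is this cert's fingerprint
    listed? A cert whose fingerprint was never stored (Mary's bug) fails."""
    return cert_fingerprint(pem, digest) in table
```

Compare the script's output for the real client cert with what is in /etc/postfix/relay_certs before running postmap; a mismatch is exactly the symptom described above.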