I have a question about how postfix handles certificates for TLS client authentication which lack the TLS client auth Extended Key Usage extension.
Due to recent changes in the way certificates are issued by CAs, TLS server certificates issued by CAs no longer have the TLS client auth Extended Key Usage extension. https://letsencrypt.org/2025/05/14/ending-tls-client-authentication

Now in general, this should not be a problem for most SMTP setups, because authentication with client certificates is not widely used. However, when setting up an O365 connector for sending email from "Your org" to "O365", it is recommended to use a client side certificate for authenticating the connection.

Now I'm investigating whether this could be problematic when authenticating from Postfix to O365. To test with a trusted certificate without the TLS client auth Extended Key Usage extension, I requested a certificate from Let's Encrypt using the tlsserver profile. This will then return a certificate without the TLS client auth Extended Key Usage extension.

My tests seem to indicate that Postfix will still be able to authenticate with the certificate when connecting to O365. However, if I look at the Postfix documentation, it seems that Postfix will only use the TLS client auth Extended Key Usage extension if the certificate contains it:

[from section: smtp_tls_cert_file (default: empty)]
[quote]
A certificate supplied here must be usable as an SSL client certificate and hence pass the "openssl verify -purpose sslclient ..." test.
[/quote]

So my question is, will Postfix still be able to authenticate with the certificate if it does not contain the TLS client auth Extended Key Usage extension?

Kind regards,

Martijn Brinkers

--
CipherMail email encryption

Email encryption with support for S/MIME, OpenPGP, PDF Messenger and Webmail Messenger
_______________________________________________ Postfix-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
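The check the quoted Postfix documentation refers to, reproduced as an added example that is not part of the original post and is not Postfix code: a POSIX shell script that generates three constructed self-signed test certificates (serverAuth only, serverAuth plus clientAuth, and no EKU extension at all) and runs "openssl verify -purpose sslclient" against each, next to a plain grep for the clientAuth EKU. It assumes OpenSSL 1.1.1 or later (for "req -addext" and "x509 -ext") and a writable temp directory. It only shows what that one OpenSSL test accepts and rejects, including the no-EKU edge case; it says nothing about what Postfix does with the result or what O365 checks on its side.

```shell
#!/bin/sh
# Added example (not from the original post or from Postfix): exercise the
# "openssl verify -purpose sslclient" test on constructed self-signed certs.
# Assumes OpenSSL >= 1.1.1 (req -addext, x509 -ext).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME EKU
#   Self-signed test cert named NAME. EKU is the extendedKeyUsage list to put
#   in the cert; pass "" to omit the EKU extension entirely. No keyUsage is
#   set on purpose: OpenSSL only treats a self-signed cert as a trust anchor
#   when keyUsage is absent or includes keyCertSign.
make_cert() {
    name=$1
    eku=$2
    if [ -n "$eku" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=$name.example" \
            -keyout "$WORK/$name.key" -out "$WORK/$name.pem" \
            -addext "extendedKeyUsage = $eku" >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=$name.example" \
            -keyout "$WORK/$name.key" -out "$WORK/$name.pem" >/dev/null 2>&1
    fi
}

# usable_as_client NAME
#   Exit 0 if the cert passes the exact test the Postfix docs quote,
#   with the cert itself as the trust anchor, non-zero otherwise.
usable_as_client() {
    openssl verify -purpose sslclient \
        -CAfile "$WORK/$1.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# has_client_auth_eku NAME
#   Exit 0 if the decoded EKU extension lists TLS client authentication.
#   A cert with no EKU at all yields no output, so this returns non-zero.
has_client_auth_eku() {
    openssl x509 -in "$WORK/$1.pem" -noout -ext extendedKeyUsage 2>/dev/null \
        | grep -q "TLS Web Client Authentication"
}

# Constructed test material: the same three shapes a CA-issued cert can have.
make_cert serveronly "serverAuth"
make_cert both "serverAuth, clientAuth"
make_cert noeku ""

# Report. Expected: serveronly FAILS, both passes, and noeku passes even
# though it carries no clientAuth EKU, because OpenSSL only rejects a
# purpose when an EKU extension is present and excludes it.
for name in serveronly both noeku; do
    if usable_as_client "$name"; then v=passes; else v=FAILS; fi
    if has_client_auth_eku "$name"; then e="clientAuth EKU present"; else e="no clientAuth EKU"; fi
    printf '%-10s %-24s -> openssl verify -purpose sslclient %s\n' "$name" "$e" "$v"
done
```

The interesting row is "noeku": absence of the extension is not the same as an extension that excludes clientAuth, and the Let's Encrypt tlsserver profile produces the latter, which is the case this test rejects.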
