|
Victor, Thanks a lot for your reply. Let me answer your questions. On Tue, Oct 20, 2009 at 10:25:20PM +0200, Roland Dirlewanger wrote: Victor Duchovni wrote :I would like to set up TLS on our mail server the following way : In my opinion, as soon as a non anonymous TLS connection is set up between a client and a server, it is legitimate for both sides to verify whom they are talking to. This leaves interesting lines in the log files such as "Trusted TLS connection established from ..." or "Trusted: subject_CN=..., issuer=..., fingerprint=...".Why do you expect clients on port 25 to have client certificates? The clients are mostly Mozilla Thunderbird. On port 587, the variable smtpd_recipient_restrictions is set to "permit_tls_all_clientcerts,reject" in order to allow the relaying only for clients using a certificate which can be trusted. Actually, in order to focus on the problem, I tried to use a minimal set of definitions in main.cf and master.cf. I chose to remove almost everything concerning TLS from main.cf and put it in one place, master.cf.What's in "main.cf"? Do you have an smtpd_tls_CApath defined? You really should post the output of "postconf -n" as requested in the list welcome message or <http://www.postfix.org/DEBUG_README.html#mail>. Thus, there's no smtpd_tls_CApath nor smtpd_tls_CAfile defined in main.cf. The command "postconf -n | grep _tls_" gives the following output : smtp_tls_CApath = smtp_tls_loglevel = 1 smtp_tls_security_level = may smtpd_tls_CApath = smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes This is the content of master.cf. smtp inet n - n - - smtpd -o smtpd_tls_cert_file=/etc/postfix/tls/certs/server-cert-chain.pem -o smtpd_tls_key_file=/etc/postfix/tls/private/server.key -o smtpd_tls_CAfile=/etc/postfix/tls/certs/ca-bundle.crt -o smtpd_tls_security_level=may -o smtpd_tls_ask_ccert=yes submission inet n - n - - smtpd -o smtpd_tls_cert_file=/etc/postfix/tls/certs/server-cert-chain.pem -o smtpd_tls_key_file=/etc/postfix/tls/private/server.key -o smtpd_tls_CAfile=/etc/postfix/tls/certs/ca-cnrs-bundle.crt -o smtpd_tls_security_level=encrypt -o smtpd_tls_ask_ccert=yes -o smtpd_recipient_restrictions=permit_tls_all_clientcerts,reject What would be the correct combination of CAfile + CApath ? Thanks a lot in advance. Roland. |
- Using different CA for smtpd on port 25 on and port 58... Roland Dirlewanger
- Re: Using different CA for smtpd on port 25 on an... Victor Duchovni
- Re: Using different CA for smtpd on port 25 on... Roland Dirlewanger
- Re: Using different CA for smtpd on port 2... Victor Duchovni
- Re: Using different CA for smtpd on po... Roland Dirlewanger
